When creating a secure cloud solution, you must have a strong security policy and governance to mitigate risk and meet accepted standards for security and compliance. This document shows how to map the security policies of your organization and extend them into your cloud environment, and how to manage security governance, assess risks, and achieve compliance.

Security policy and governance

An organization’s corporate security policy (CSP) plays a pivotal role in crafting how the company’s IT systems help achieve its security goals. As organizations increasingly adopt cloud environments, they establish cloud-specific security policies that are often an extension of their corporate security policy.

To ensure a successful cloud adoption, both cloud service consumers and cloud service providers need to establish and follow their respective cloud security policies. These security policies are often aligned to the cloud consumption and delivery models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

IT security policies determine cloud security policies, which determine IaaS, PaaS, and SaaS security policies

Because cloud security policies are often derived from a company’s IT security policy, let’s look at how an IT security policy fits into an organization’s overall structure.

Security framework and IT security policy

A typical organization’s security framework looks something like the following diagram:

Typical organization's security framework

The business strategy, competitive differentiation, and industry regulation guidelines are prominent factors that shape a corporate IT strategy. The security strategy drives the security governance.

Security governance ensures that the company:

  • Enforces the IT security policy through security controls.
  • Educates employees and end users about security guidelines.
  • Meets industry and compliance regulations.
  • Achieves operational efficiency across security controls.
  • Continually assesses risks and addresses them through security controls.

The security controls are split across various layers of security, including identity and access management, data, applications, network or server infrastructure, physical security, and security intelligence.

When moving your company to a cloud environment, you need to create a cloud security policy that defines the required security controls for extending the IT security policy onto cloud-based systems.

Cloud consumer provider security policy

Often, the cloud service consumer and the cloud service provider belong to different organizations. Therefore, each entity adheres to a different IT or cloud security policy that aligns with their corporate security strategy. The cloud provider not only adheres to corporate security policy while building their service, but they also expose security functionality that consumers can use to cater to their enterprise strategy requirements.

In the following sections, we look at security governance across cloud service providers (IBM SoftLayer, our Infrastructure as a Service offering, and IBM Bluemix, our Platform as a Service offering) that customers need to extend to their cloud consumers.

Cloud provider security policy and governance: IBM SoftLayer and Bluemix

IBM builds security into its cloud solutions. Both IBM SoftLayer and IBM Bluemix meet strict governmental and industry security guidelines and policies.

IBM SoftLayer (IaaS)

SoftLayer’s built-in security management features meet U.S. government standards that are based on the NIST 800-53 framework, a catalog of security and privacy controls defined for U.S. federal government information systems.

Every SoftLayer data center maintains American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) 2 Type II reporting compliance. SOC 2 reports are auditing reports that assess security, availability, and process integrity. In addition, SoftLayer security is maintained through automation, which is less prone to human error.

SoftLayer’s data centers are also monitored 24×7 for both network and on-site security. Server room access is limited to authorized employees only, and every location is protected against physical intrusion. Learn more about physical security at SoftLayer data centers.

Customers can create a multilayer security architecture to suit their needs. SoftLayer offers several on-demand server and network security devices, such as firewalls and gateway appliances. You can select the firewall devices and gateways within the SoftLayer portal. View a catalog of available firewall devices and gateways or learn more about infrastructure security.

SoftLayer compliance

SoftLayer adheres to numerous governmental and industry-specific standards, including:

  • AICPA SOC/SAS 70: Industry standards for service providers to safeguard customer data and information
  • ISO 27001: Systematic risk-based approach to managing company and customer information
  • ISO 27017:2015: Security controls for provisioning and use of cloud services
  • ISO 27018: Control objectives, controls, and guidelines for protecting personally identifiable information (PII)
  • Cloud Security Alliance: Provides best practices for providing security assurance within cloud computing
  • Payment Card Industry (PCI) Data Security Standards: Best practices to protect cardholder data
  • Health Insurance Portability and Accountability Act (HIPAA): Security controls for businesses that store or process protected health information online
  • EU Model Clauses: Protects data that
  • Criminal Justice Information (CJI): Standards to protect information obtained by law enforcement agencies

Learn more about these specific standards.

IBM Bluemix (PaaS)

The Bluemix environment on SoftLayer is compliant with the most restrictive IBM information technology (IT) security standards, which meet or exceed the industry standards.

These standards include:

  • Network, data encryption, and access controls
  • Application ACLs, permissions, and penetration testing
  • Identification, authentication, and authorization
  • Information and data protection
  • Service integrity and availability
  • Vulnerability and fix management
  • Denial of service and systematic attacks detection
  • Security incident response

Bluemix follows IBM’s best practices for systems, networking, and secure engineering. These policies include practices such as:

  • Source code scanning
  • Dynamic scanning
  • Threat modeling
  • Penetration testing

Bluemix follows the IBM Product Security Incident Response Team (PSIRT) process for security incident management. See the IBM Security Vulnerability Management (PSIRT) site for details.

Bluemix Public and Dedicated

Bluemix Public and Dedicated platform security promotes security governance by including built-in functional, infrastructure, and operational security measures. You can opt to add security services, such as authentication and single sign-on, application security scans, user registry, database security, and cloud integration.

Bluemix Public and Bluemix Dedicated Platform Security

Bluemix Local security

With Bluemix Local, Bluemix is hosted behind the company firewall in the customer’s data center. Customers are responsible for physical security, environment segregation, firewalls, and intrusion prevention for their Bluemix Local environment. IBM works with customers to enact vulnerability scanning.

View of IBM-enabled security

For further information, refer to Bluemix security documentation.

Bluemix operational security and compliance

Bluemix provides a robust operational security environment with the following controls:

  • Vulnerability scan: Detects issues with network and host configurations
  • Automated fix management: Applies operating system fixes at appropriate frequencies
  • Audit log consolidation and analysis: Monitors privileged access on Linux systems and monitors login attempts for application developers
  • User access management with granular access privileges: Ensures users can only access environments that are needed to perform their job duties

Within Bluemix Dedicated and Local environments, assigned administrators can manage roles and permissions for Bluemix users in their organization by using the Admin Console. See Managing Bluemix Local and Dedicated for details.

Bluemix compliance

Bluemix adheres to numerous governmental and industry-specific standards, including:

  • AICPA SOC/SAS 70: Industry standards for service providers to safeguard customer data and information
  • ISO 27001: Systematic risk-based approach to managing company and customer information
  • Center for Financial Industry Information Systems (FISC): Financial security guidelines enforced by the Japan Financial Services Agency, Bank of Japan, and FISC.
  • EU Model Clauses: Contains the rights and obligations of the data exporter and the data importer, and the rights of the data subjects.

Learn more about the Bluemix components and services that are compliant for each of the standards.

Cloud consumer security policy and governance

Consumers of cloud services can be assured that IBM builds security into its Bluemix and SoftLayer offerings. The following section details the security policies and governance that cloud consumers can extend into their own cloud environments.

IBM SoftLayer

Users of IBM SoftLayer IaaS services can extend their company’s corporate governance and security policies onto their systems in SoftLayer. SoftLayer compliance certifications make it easier for companies to meet industry-compliance standards.

SoftLayer offers the following security controls to enable security governance for the cloud consumers.

Identity and access management

  • Enables phone-factor authentication and Symantec ID protection authentication to the SoftLayer portal for consumer administrators.
  • Allows API-based authentication that is secured with API keys.

Application, data, network, and server infrastructure

  • SSL certificates: SoftLayer enables ordering of commercial SSL certificates from the certificate providers Symantec and GeoTrust.
  • Firewalls and VPN: SoftLayer provides various shared and dedicated firewall options using Vyatta and FortiGate products.
  • Citrix NetScaler virtual appliance: The NetScaler ICSA-certified hybrid security model pairs Layer 7 attack signature detection with an advanced learning engine to ramp up quickly and help prevent denial-of-service attacks. NetScaler optimizes the secure delivery of all web and enterprise business applications, cloud-based services, virtual desktops, and mobile services, regardless of location and access technology.
  • Trusted Boot security: SoftLayer provides Trusted Boot capability through Intel TXT on select Intel Xeon servers that are preloaded with a TPM processor chip. This validates that the security state of the firmware or hypervisor during an OS boot is indeed trusted.
  • Hardware security module for high assurance keys: Customers can own their data encryption in the cloud and protect its keys on IBM Cloud HSM. Powered by a SafeNet Hardware Security Module from Gemalto, IBM Cloud HSM offers enterprises high-assurance protection for encryption keys, ensuring their data stays protected wherever it resides. The IBM Cloud HSM appliance maintains keys securely to FIPS 140-2 (tamper resistance). Being able to own your encryption keys and prove that you have complete control of all of your data is crucial to meet the requirements of many compliance standards, including PCI-DSS.

Security intelligence and vulnerability management

  • Nessus Vulnerability Scanner: Helps discover TCP/IP vulnerabilities in operating systems and middleware deployed on SoftLayer’s cloud environment.
  • McAfee Host Intrusion Protection: Provides proactive security at the server level to protect against known and new threats.
  • IBM Managed Security Services on SoftLayer: Provides security services for the cloud environment on SoftLayer, such as vulnerability management, managed IDS/IPS and firewalls, DDoS protection, email and web content security, and security and event log management services.

IBM Bluemix

The IBM Bluemix platform provides the following security controls to help enable security governance for the cloud consumers.

Identity and access management

  • Authentication to Bluemix through the IBM web identity. Authentication through LDAP is supported by default for Bluemix Dedicated and Local. On request, we can set up authentication through IBM web identity for Bluemix Dedicated and Local.
  • Authorization: Bluemix ensures that each application developer has access only to the applications and service instances that they created. Authorization to Bluemix services is based on OAuth. Access to all Bluemix Platform internal endpoints is restricted for external users.
  • Audit: Bluemix captures audit logs for all successful and unsuccessful authentication attempts of application developers and also for privileged access to Linux systems that host the containers where Bluemix applications run. The audit logs are used for industry compliance reports.
  • Single Sign On (SSO) service: IBM Single Sign On for Bluemix is a policy-based authentication service that provides an easy-to-embed single sign-on capability for Node.js or Liberty for Java™ applications. To enable an application developer to embed single sign-on capability into an application, the administrator creates service instances and adds identity sources. SSO supports several identity sources: SAML Enterprise, Cloud Directory, and social identity sources (Google, Facebook, and LinkedIn).

Application, data, network, and server infrastructure

  • Data protection: All Bluemix traffic goes through the IBM WebSphere DataPower SOA Appliances, which provide reverse proxy, SSL termination, and load balancing functions.
  • The AppScan Dynamic Analyzer service secures web apps that are deployed on Bluemix.
  • IBM Application Security on Cloud for Bluemix identifies security issues in your mobile, web, and desktop apps, to help you keep them secure.
  • Environment segregation: For Bluemix Public, development and production environments are segregated from each other to improve application stability and security.
  • Firewalls: Firewalls restrict access to the Bluemix network. For Bluemix Local, your company firewall segregates the rest of your network from your Bluemix instance.
  • Intrusion protection: Bluemix Public and Dedicated enable intrusion protection to discover threats so that they can be addressed. Intrusion protection policies are enabled on firewalls.
  • dashDB security: The dashDB service uses an embedded LDAP server for user authentication. SSL certificates protect the connection between applications and the database.
  • Secure Gateway / VPN tunnel: The Secure Gateway service enables you to securely connect Bluemix apps to remote locations, either on premises or in the cloud.

Security intelligence and vulnerability management

  • IBM performs threat modeling and penetration testing to detect and address any potential vulnerability for all types of Bluemix deployments.
  • IBM QRadar or third-party security information and event management (SIEM) tools can be used to analyze security alerts in application logs.


Security policies and governance are necessary for both cloud service providers and cloud service consumers. IBM provides a security framework and controls for SoftLayer (IaaS) and Bluemix (PaaS) as part of the platform and extendable services. Cloud consumers can use these services to help with their security strategy and governance. You can build and extend additional capabilities from your enterprise to your cloud environment to enforce your company’s security policy and governance.

