IBM Developer Blog


What the IBM Cloud for Financial Services support for OpenShift and containerized workloads means for developers
Maintaining compliance with industry regulations and avoiding costly and embarrassing security breaches are now a standard part of any software modernization or cloud migration effort. In July of 2020, IBM introduced the IBM Cloud Framework for Financial Services and the IBM Cloud for VMware Regulated Workloads designed to reduce the time to migrate and deploy on the cloud. Today, IBM announced additional options for banks to run regulated workloads in the cloud with support for managed Red Hat OpenShift on IBM Cloud and virtual services on an advanced virtual private cloud (VPC) infrastructure. In this post, I cover a few of the most important developer-focused areas that are part of the IBM Cloud for Financial Services.

One cloud

IBM Cloud for Financial Services is not a separate entity from IBM Cloud. Rather, it comprises a subset of validated offerings that are engineered to meet the technical, operational, and security controls within the Framework for Financial Services. The individual offerings within the IBM Cloud for Financial Services Validated list currently include:

  • IBM Cloud Virtual Private Cloud (VPC)
  • IBM Cloud App ID
  • Red Hat OpenShift on IBM Cloud
  • IBM Cloud Object Storage
  • IBM Cloud Hyper Protect Crypto Services
  • IBM Cloud Identity and Access Management
  • IBM Cloud Container Registry

For the current list, visit the IBM Cloud catalog and select the Financial Services Validated checkbox, as illustrated in the following screen capture:

Screen capture of the IBM Cloud for Financial Services Validated services

Why a cloud for financial services?

The traditional impetus to move applications to the cloud is to increase developer productivity by opening up a large catalog of managed services (compute, storage, and such) to speed development. IBM Cloud for Financial Services is targeted toward banks and other organizations hesitant to move to the cloud due to concerns around security, auditability, and regulatory compliance enforcement. In addition to the catalog of IBM services, the IBM Cloud for Financial Services simplifies the process of adopting ISV services that run on IBM Cloud through a uniform onboarding process. This allows you to bring ISV capabilities to your workloads with the knowledge that they are vetted by the controls framework.

Code Risk Analyzer and toolchains

As part of the shift to cloud-native development, modern software practices encourage the use of continuous integration and continuous delivery (CI/CD) to create more agility in the development process. The first half (CI) involves the process of turning code into binary artifacts, either containers or others, and includes compiling, and unit and integration testing. As part of this chain of automated steps, you can inject the Code Risk Analyzer component of IBM Cloud Continuous Delivery into your workflow for code and security scanning. This model, where security and vulnerability scanning are brought earlier into the development cycle, is known as SecDevOps. (Sometimes it’s written as DevSecOps.) It’s one of the practices we believe is necessary for ensuring reproducible delivery of your applications in IBM Cloud for Financial Services.

SecDevOps and the Software Development Life Cycle (SDLC)

This shift-left model encourages security checks to be part of the development story. You gain faster iteration and the ability to quickly identify potential security vulnerabilities and compliance gaps, so you can address them earlier in your development cycle, improving productivity. This SecDevOps approach is enabled by including automation in the CI/CD pipeline so you can detect and mitigate potential security issues earlier.

My team and I created a new code pattern that explains how to use toolchains to create a pipeline that runs a Code Risk Analyzer scan of regulatory compliance control checks, which integrates threat intelligence from the Snyk and Clair vulnerability databases. In the code pattern, you create a toolchain that creates a pull request (PR) pipeline and a continuous delivery (CD) pipeline to conduct the risk assessment and deploy the application to OpenShift.

For more information about Code Risk Analyzer, see the following resources:

IBM Cloud Framework for Financial Services

The Framework for Financial Services is engineered to address the policy and technological elements of maintaining a secured, auditable cloud computing platform. This includes policy goals and controls for both IBM services and requirements that ISVs must meet to become part of the IBM Cloud for Financial Services. The IBM Cloud Framework for Financial Services Base Controls (US NIST 800-53 with IBM financial services guidance) provide a common control approach that can be mapped to support regulatory guidelines worldwide.

Although the controls that are part of the Framework might vary from service to service, here is a list of key areas within some representative control categories:

  • Access control
  • Identification and authentication
  • Audit and accountability
  • Personnel security
  • Physical and environmental protection
  • Security assessment and authorization
  • System and communication protection
  • Contingency planning
  • Media protection
  • System and information integrity
  • System and service acquisition
  • Maintenance
  • Enterprise data management
  • Configuration management
  • Information security program management
  • Security planning
  • Privacy
  • Risk assessment

Other key components

Red Hat OpenShift on IBM Cloud on VPC

The Red Hat OpenShift on IBM Cloud offering provides secured, enterprise-ready Kubernetes that integrates with the IBM Cloud Container Registry services. The VPC (Gen2) infrastructure provides security, performance, network isolation, and availability in a managed Kubernetes offering. OpenShift provides a hardened Kubernetes environment which, along with compliance controls, helps companies in regulated industries demonstrate adherence to compliance controls.

Screen capture of a sample application topology for Red Hat OpenShift

Cloud data encryption

For use cases where it’s critical that you control end-to-end data encryption, IBM Cloud Hyper Protect Crypto Services provides Keep Your Own Key (KYOK) capabilities. The single-tenant key management service allows you to create, import, rotate, and manage keys with standardized APIs. Once the encryption keys are deleted, your data is no longer retrievable.

When you mix multicloud use cases, two HashiCorp Vault plugins developed by IBM allow you to generate API keys and authenticate through IBM Cloud Identity and Access Management using your on-premises Vault installation.

A beta version of IBM Cloud Secrets Manager also provides more multicloud toolchain support.

IBM Cloud Security and Compliance Center

The IBM Cloud Security and Compliance Center (SCC) is a unified dashboard for monitoring the security and compliance of your cloud services, including vulnerability scans of images in the IBM Container Registry. Here is a screenshot from the SCC dashboard that shows the findings for supported resources in your namespace. Note that SCC shows findings from multiple sources in one place, making it easier to keep on top of issues in your entire cloud account.

Screen capture of SCC findings report within IBM Cloud

Securing your IBM Cloud CLI connection

The ibmcloud command-line interface (CLI) now allows you to target private service endpoints exclusively. This enhances security by using routes that are not accessible over the internet. The IBM Cloud private endpoints feature is designed to protect your data from threats from the public network and logically extend your private network.

Briefly, you can enable this functionality in two steps:

  1. Target the private IBM Cloud endpoint when logging in:

     ibmcloud login -a private.cloud.ibm.com
    

    This ensures that future invocations of ibmcloud will only use this endpoint, allowing VPN-only access to your service endpoint.

  2. Verify the CLI plug-in that you want to use supports private endpoints.

    The ibmcloud plugin list command shows which plug-ins support private endpoints. For example, as of the end of March, the following CLI plug-ins support private endpoints (those with true in the last column).

     $ ibmcloud plugin list | sort -k3r
     Plugin Name                                 Version   Status   Private endpoints supported
     catalogs-management                         1.0.6              true
     dl-cli                                      0.4.0              true
     tg-cli/tg                                   0.3.2              true
     vpc-infrastructure/infrastructure-service   0.8.2              true
     Listing installed plug-ins...
     analytics-engine                            1.0.166            false
     container-registry                          0.1.514            false
     container-service/kubernetes-service        1.0.233            false
     cloud-databases                             0.10.2             false
     cloud-functions/wsk/functions/fn            1.0.53             false
     cloud-internet-services                     1.13.1             false
     observe-service/ob                          1.0.61             false
     sdk-gen                                     0.1.12             false
     activity-tracker                            3.3.4              false
     app-configuration                           0.0.2              false
     auto-scaling                                0.2.8              false
     cloud-dns-services                          0.3.4              false
     cloud-object-storage                        1.2.2              false
     code-engine/ce                              0.6.3              false
     dbaas-cli                                   1.7.1              false
     doi                                         0.3.1              false
     event-streams                               2.3.0              false
     hpvs                                        1.4.2              false
     key-protect                                 0.6.0              false
     logging                                     0.0.4              false
     machine-learning                            3.0.2              false
     monitoring                                  0.0.4              false
     power-iaas                                  0.3.1              false
     push-notifications                          1.0.3              false
     schematics                                  1.5.1              false
     secrets-manager                             0.0.8              false
     tke                                         1.1.4              false
     watson                                      0.0.9              false
     whcs                                        0.0.5              false
    
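The two steps above can be turned into a preflight check: before relying on a plug-in in a private-endpoint-only session, confirm that its row in ibmcloud plugin list ends in true. The following POSIX shell script is an added example, not part of the IBM post; it assumes the column layout shown in the listing above, and the embedded SAMPLE_PLUGIN_LIST is constructed from that output so the parsing runs offline.

```shell
# Added example (not from the IBM post): check a plug-in's
# "Private endpoints supported" column before using it after
# `ibmcloud login -a private.cloud.ibm.com`.
# SAMPLE_PLUGIN_LIST is constructed from the listing in the post.
SAMPLE_PLUGIN_LIST='Listing installed plug-ins...
Plugin Name                                 Version   Status   Private endpoints supported
container-registry                          0.1.514            false
container-service/kubernetes-service        1.0.233            false
vpc-infrastructure/infrastructure-service   0.8.2              true
key-protect                                 0.6.0              false'

# Print "true" or "false" for the named plug-in (any slash-separated
# alias in the first column matches); print "unknown" if not installed.
plugin_private_support() {
    name="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v want="$name" '
        # Skip the banner and header: only data rows end in true/false.
        $NF != "true" && $NF != "false" { next }
        {
            n = split($1, aliases, "/")
            for (i = 1; i <= n; i++) {
                if (aliases[i] == want) { print $NF; found = 1; exit }
            }
        }
        END { if (!found) print "unknown" }'
}

# Succeed (exit 0) only when the plug-in can be used over private endpoints.
require_private_plugin() {
    status=$(plugin_private_support "$1" "$2")
    [ "$status" = "true" ]
}

# Live usage (needs network and an authenticated CLI; commented out):
# ibmcloud login -a private.cloud.ibm.com
# require_private_plugin kubernetes-service "$(ibmcloud plugin list)" \
#     || echo "kubernetes-service plug-in does not support private endpoints"
```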

Summary

IBM Cloud for Financial Services comprises a catalog of cloud services, an ecosystem of vetted ISV products, and tools to help enhance security and compliance with industry controls. Banks and their technology partners can now build applications with Red Hat OpenShift, migrate virtual machine workloads, and establish compliance profiles across their workloads to help an organization achieve its necessary levels of regulatory compliance. Organizations that were hesitant to shift on-premises applications into the cloud can begin to evaluate the move, taking advantage of managed services and infrastructure to speed application development and jump-start modernization efforts.