Build and run regulated workloads in the cloud
What the IBM Cloud for Financial Services support for OpenShift and containerized workloads means for developers
Maintaining compliance with industry regulations and avoiding costly and embarrassing security breaches are now a standard part of any software modernization or cloud migration effort. In July of 2020, IBM introduced the IBM Cloud Framework for Financial Services and the IBM Cloud for VMware Regulated Workloads designed to reduce the time to migrate and deploy on the cloud. Today, IBM announced additional options for banks to run regulated workloads in the cloud with support for managed Red Hat OpenShift on IBM Cloud and virtual services on an advanced virtual private cloud (VPC) infrastructure. In this post, I cover a few of the most important developer-focused areas that are part of the IBM Cloud for Financial Services.
IBM Cloud for Financial Services is not a separate entity from IBM Cloud. Rather, it comprises a subset of validated offerings that are engineered to meet the technical, operational, and security controls within the Framework for Financial Services. The individual offerings within the IBM Cloud for Financial Services Validated list currently include:
- IBM Cloud Virtual Private Cloud (VPC)
- IBM Cloud App ID
- Red Hat OpenShift on IBM Cloud
- IBM Cloud Object Storage
- IBM Cloud Hyper Protect Crypto Services
- IBM Cloud Identity and Access Management
- IBM Cloud Container Registry
For the current list, visit the IBM Cloud catalog and select the Financial Services Validated checkbox, as illustrated in the following screen capture:
Why a cloud for financial services?
The traditional impetus to move applications to the cloud is to increase developer productivity by opening up a large catalog of managed services (compute, storage, and such) to speed development. IBM Cloud for Financial Services is targeted toward banks and other organizations hesitant to move to the cloud due to concerns around security, auditability, and regulatory compliance enforcement. In addition to the catalog of IBM services, the IBM Cloud for Financial Services simplifies the process of adopting ISV services that run on IBM Cloud through a uniform onboarding process. This allows you to bring ISV capabilities to your workloads with the knowledge that they are vetted by the controls framework.
Code Risk Analyzer and toolchains
As part of the shift to cloud-native development, modern software practices encourage the use of continuous integration and continuous delivery (CI/CD) to create more agility in the development process. The first half (CI) turns source code into binary artifacts, container images or otherwise, and includes compiling, unit testing, and integration testing. As part of this chain of automated steps, you can inject the Code Risk Analyzer component of IBM Cloud Continuous Delivery into your workflow for code and security scanning. This model, where security and vulnerability scanning are brought earlier into the development cycle, is known as SecDevOps. (Sometimes it’s written as DevSecOps.) It’s one of the practices we believe is necessary for ensuring reproducible delivery of your applications in IBM Cloud for Financial Services.
SecDevOps and the Software Development Life Cycle (SDLC)
This shift-left model encourages security checks to be part of the development story. You gain faster iteration and the ability to quickly identify potential security vulnerabilities and compliance gaps, so you can address them earlier in your development cycle, improving productivity. This SecDevOps approach is enabled by including automation in the CI/CD pipeline so you can detect and mitigate potential security issues earlier.
My team and I created a new code pattern that explains how to use toolchains to create a pipeline that runs a Code Risk Analyzer scan of regulatory compliance control checks, which integrates threat intelligence from the Snyk and Clair vulnerability databases. In the code pattern, you create a toolchain that creates a pull request (PR) pipeline and a continuous delivery (CD) pipeline to conduct the risk assessment and deploy the application to OpenShift.
For more information about Code Risk Analyzer, see the following resources:
- IBM Cloud Architecture Center: Use the “Develop a Kubernetes app” toolchain with Code Risk Analyzer
- IBM Cloud Docs: Configuring Code Risk Analyzer
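The PR pipeline described above merges findings from more than one vulnerability source and decides whether the change may proceed. The following is an added example of such a gate, written for this post and not taken from the code pattern or from Code Risk Analyzer: it deduplicates findings that Snyk and Clair both report, honours time-bounded exceptions, and blocks on anything at or above a severity threshold. The Finding and Exception types and the EXAMPLE-CVE-n identifiers are constructed placeholders, not the scanners' real output format or real CVE numbers.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Finding is one vulnerability reported by a scanner feeding the PR pipeline.
// This shape is hypothetical for the example, not Code Risk Analyzer's format.
type Finding struct {
	Source   string // which scanner reported it (constructed: "snyk" or "clair")
	ID       string // advisory identifier (placeholders below, not real CVEs)
	Package  string
	Severity string // "critical", "high", "medium" or "low", any case
}

// Exception is a reviewed, time-bounded acceptance of one finding.
type Exception struct {
	ID      string
	Expires time.Time
}

var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// Gate merges findings from several scanners, drops duplicates that more than
// one source reported for the same package, skips findings covered by an
// unexpired exception, and returns the identifiers that block the pipeline
// because they are at or above the threshold severity.
func Gate(findings []Finding, exceptions []Exception, threshold string, now time.Time) []string {
	excepted := map[string]bool{}
	for _, e := range exceptions {
		if now.Before(e.Expires) { // an expired exception no longer protects anything
			excepted[e.ID] = true
		}
	}
	seen := map[string]bool{}
	var blocking []string
	for _, f := range findings {
		key := f.ID + "|" + f.Package
		if seen[key] || excepted[f.ID] {
			continue
		}
		seen[key] = true
		if severityRank[strings.ToLower(f.Severity)] >= severityRank[strings.ToLower(threshold)] {
			blocking = append(blocking, f.ID)
		}
	}
	sort.Strings(blocking)
	return blocking
}

// SampleFindings is a constructed merge of what two scanners might report about
// the same image. The identifiers are placeholders, not real advisories.
func SampleFindings() []Finding {
	return []Finding{
		{"snyk", "EXAMPLE-CVE-1", "libfoo", "high"},
		{"clair", "EXAMPLE-CVE-1", "libfoo", "High"}, // same issue seen by both scanners
		{"clair", "EXAMPLE-CVE-2", "libbar", "critical"},
		{"snyk", "EXAMPLE-CVE-3", "libbaz", "medium"},
		{"snyk", "EXAMPLE-CVE-4", "libqux", "high"},
	}
}

// SampleExceptions is a constructed exception list: one already expired, one still valid.
func SampleExceptions() []Exception {
	return []Exception{
		{"EXAMPLE-CVE-2", time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC)},
		{"EXAMPLE-CVE-4", time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC)},
	}
}

func main() {
	now := time.Date(2021, 3, 31, 0, 0, 0, 0, time.UTC)
	blocking := Gate(SampleFindings(), SampleExceptions(), "high", now)
	if len(blocking) > 0 {
		fmt.Println("PR pipeline blocked by:", strings.Join(blocking, ", "))
	} else {
		fmt.Println("PR pipeline passed")
	}
}
```

With the constructed data and a "high" threshold, the run on 31 March blocks on EXAMPLE-CVE-1 and EXAMPLE-CVE-2 only: the duplicate report is collapsed, the medium finding is below threshold, and EXAMPLE-CVE-4 is covered by an exception that has not yet expired. The exception dates matter because an exception that never lapses quietly turns into an unreviewed risk acceptance.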
IBM Cloud Framework for Financial Services
The Framework for Financial Services is engineered to address the policy and technological elements of maintaining a secured, auditable cloud computing platform. This includes policy goals and controls for both IBM services and requirements that ISVs must meet to become part of the IBM Cloud for Financial Services. The IBM Cloud Framework for Financial Services Base Controls (US NIST 800-53 with IBM financial services guidance) provide a common control approach that can be mapped to support regulatory guidelines worldwide.
Although the controls that are part of the Framework might vary from service to service, here is a list of key areas within some representative control categories:
- Access control
- Identification and authentication
- Audit and accountability
- Personnel security
- Physical and environmental protection
- Security assessment and authorization
- System and communication protection
- Contingency planning
- Media protection
- System and information integrity
- System and service acquisition
- Enterprise data management
- Configuration management
- Information security program management
- Security planning
- Risk assessment
Other key components
Red Hat OpenShift on IBM Cloud on VPC
The Red Hat OpenShift on IBM Cloud offering provides secured, enterprise-ready Kubernetes that integrates with the IBM Cloud Container Registry service. The VPC (Gen2) infrastructure provides security, performance, network isolation, and availability in a managed Kubernetes offering. OpenShift provides a hardened Kubernetes environment which, together with the Framework's compliance controls, helps companies in regulated industries demonstrate adherence to those controls.
Cloud data encryption
For use cases where it’s critical that you control end-to-end data encryption, IBM Cloud Hyper Protect Crypto Services provides Keep Your Own Key (KYOK) capabilities. The single-tenant key management service allows you to create, import, rotate, and manage keys with standardized APIs. Once the encryption keys are deleted, your data is no longer retrievable.
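The sentence about deleted keys making data unretrievable describes envelope encryption with a customer-held root key: each object is encrypted under its own data encryption key (DEK), the DEK is wrapped by the root key, and destroying the root key destroys the ability to unwrap every DEK beneath it. The following is an added example of that mechanism, written for this post and not Hyper Protect Crypto Services code; the in-memory KeyStore, its method names and the Envelope type are hypothetical stand-ins for a key management service, and AES-256-GCM from the Go standard library plays the role of the HSM-backed wrapping operation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore models a key management service that holds root keys. It is a
// hypothetical in-memory stand-in, not the Hyper Protect Crypto Services API.
type KeyStore struct{ roots map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{roots: map[string][]byte{}} }

// CreateRootKey generates a random 256-bit root key under id.
func (ks *KeyStore) CreateRootKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.roots[id] = k
	return nil
}

// DeleteRootKey destroys the root key; every DEK wrapped under it is now unrecoverable.
func (ks *KeyStore) DeleteRootKey(id string) { delete(ks.roots, id) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or a tampered ciphertext.
func open(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// Envelope is what gets stored: the data under its DEK, plus the DEK wrapped
// by the named root key. The plaintext DEK is never persisted.
type Envelope struct {
	RootKeyID  string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a fresh DEK per object, encrypts the data with it, and
// wraps the DEK under the root key.
func (ks *KeyStore) Encrypt(rootID string, data []byte) (*Envelope, error) {
	root, ok := ks.roots[rootID]
	if !ok {
		return nil, errors.New("root key not found")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, data)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(root, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{rootID, wrapped, ct}, nil
}

// Decrypt unwraps the DEK with the root key and then decrypts the data. Once
// the root key has been deleted this fails: that is the KYOK guarantee.
func (ks *KeyStore) Decrypt(env *Envelope) ([]byte, error) {
	root, ok := ks.roots[env.RootKeyID]
	if !ok {
		return nil, errors.New("root key deleted or unknown: data is unrecoverable")
	}
	dek, err := open(root, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

func main() {
	ks := NewKeyStore()
	_ = ks.CreateRootKey("root-1")
	env, _ := ks.Encrypt("root-1", []byte("account ledger")) // constructed sample data
	pt, err := ks.Decrypt(env)
	fmt.Printf("before delete: %q err=%v\n", pt, err)
	ks.DeleteRootKey("root-1")
	pt, err = ks.Decrypt(env)
	fmt.Printf("after delete:  %q err=%v\n", pt, err)
}
```

The stored envelope still exists after DeleteRootKey, but nothing can unwrap the DEK, so the ciphertext is permanently opaque. That is also why key deletion in a real KYOK service is an audited, often delayed operation: it is the one step that cannot be undone by a backup of the data.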
When you mix multicloud use cases, two HashiCorp Vault plugins developed by IBM allow you to generate API keys and authenticate through IBM Cloud Identity and Access Management using your on-premises Vault installation.
A beta version of IBM Cloud Secrets Manager also provides more multicloud toolchain support.
IBM Cloud Security and Compliance Center
The IBM Cloud Security and Compliance Center (SCC) is a unified dashboard for monitoring the security and compliance of your cloud services, including vulnerability scans of images in the IBM Container Registry. Here is a screenshot from the SCC dashboard that shows the findings for supported resources in your namespace. Note that SCC shows findings from multiple sources in one place, making it easier to keep on top of issues in your entire cloud account.
Securing your IBM Cloud CLI connection
The ibmcloud command-line interface (CLI) now allows you to target private service endpoints exclusively. This enhances security by using routes that are not accessible over the internet. The IBM Cloud private endpoints feature is designed to protect your data from threats from the public network and logically extend your private network.
Briefly, you can enable this functionality in two steps:
1. Target the private IBM Cloud endpoint when logging in:

   ibmcloud login -a private.cloud.ibm.com

   This ensures that future invocations of ibmcloud will only use this endpoint, allowing VPN-only access to your service endpoint.

2. Verify that the CLI plug-in you want to use supports private endpoints.

   The ibmcloud plugin list command shows which plug-ins support private endpoints. For example, as of the end of March, the following CLI plug-ins support private endpoints (with true in the last column):

   $ ibmcloud plugin list | sort -k3r
   Plugin Name                                 Version   Status   Private endpoints supported
   catalogs-management                         1.0.6              true
   dl-cli                                      0.4.0              true
   tg-cli/tg                                   0.3.2              true
   vpc-infrastructure/infrastructure-service   0.8.2              true
   Listing installed plug-ins...
   analytics-engine                            1.0.166            false
   container-registry                          0.1.514            false
   container-service/kubernetes-service        1.0.233            false
   cloud-databases                             0.10.2             false
   cloud-functions/wsk/functions/fn            1.0.53             false
   cloud-internet-services                     1.13.1             false
   observe-service/ob                          1.0.61             false
   sdk-gen                                     0.1.12             false
   activity-tracker                            3.3.4              false
   app-configuration                           0.0.2              false
   auto-scaling                                0.2.8              false
   cloud-dns-services                          0.3.4              false
   cloud-object-storage                        1.2.2              false
   code-engine/ce                              0.6.3              false
   dbaas-cli                                   1.7.1              false
   doi                                         0.3.1              false
   event-streams                               2.3.0              false
   hpvs                                        1.4.2              false
   key-protect                                 0.6.0              false
   logging                                     0.0.4              false
   machine-learning                            3.0.2              false
   monitoring                                  0.0.4              false
   power-iaas                                  0.3.1              false
   push-notifications                          1.0.3              false
   schematics                                  1.5.1              false
   secrets-manager                             0.0.8              false
   tke                                         1.1.4              false
   watson                                      0.0.9              false
   whcs                                        0.0.5              false
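Because most plug-ins in that listing still report false, a private-only login silently breaks any automation that depends on one of them. The following is an added example, not IBM's code, of a preflight check that parses the ibmcloud plugin list output and reports which required plug-ins lack private-endpoint support or are not installed. The samplePluginList constant is an abridged copy of the listing above (as of the end of March); the function names are this example's own, and the parser relies only on the last column being the literal true or false, which is what the listing shows.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// samplePluginList is an abridged copy of the `ibmcloud plugin list` output
// from the post, embedded so the example runs offline. Column layout is
// name, version, (blank status), private-endpoint flag.
const samplePluginList = `Plugin Name                                 Version   Status   Private endpoints supported
catalogs-management                         1.0.6              true
dl-cli                                      0.4.0              true
tg-cli/tg                                   0.3.2              true
vpc-infrastructure/infrastructure-service   0.8.2              true
Listing installed plug-ins...
analytics-engine                            1.0.166            false
container-registry                          0.1.514            false
container-service/kubernetes-service        1.0.233            false
cloud-object-storage                        1.2.2              false
key-protect                                 0.6.0              false
secrets-manager                             0.0.8              false`

// ParsePluginList returns, for every plug-in name and alias (the slash-separated
// forms such as tg-cli/tg), whether it supports private endpoints.
func ParsePluginList(out string) map[string]bool {
	support := map[string]bool{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		// Data rows end in the literal true/false; the header line and the
		// "Listing installed plug-ins..." progress line do not and are skipped.
		last := f[len(f)-1]
		if last != "true" && last != "false" {
			continue
		}
		for _, alias := range strings.Split(f[0], "/") {
			support[alias] = last == "true"
		}
	}
	return support
}

// MissingPrivateEndpointSupport lists the required plug-ins that are either not
// installed or do not support private endpoints, sorted for stable output.
// A private-only login should be treated as unsafe for automation while this
// list is non-empty.
func MissingPrivateEndpointSupport(out string, required []string) []string {
	support := ParsePluginList(out)
	var missing []string
	for _, name := range required {
		if !support[name] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// In practice `out` would be the captured output of `ibmcloud plugin list`.
	required := []string{"vpc-infrastructure", "kubernetes-service", "container-registry"}
	missing := MissingPrivateEndpointSupport(samplePluginList, required)
	if len(missing) == 0 {
		fmt.Println("all required plug-ins support private endpoints")
		return
	}
	fmt.Println("not usable over private endpoints:", strings.Join(missing, ", "))
}
```

Run against the abridged listing, the check passes vpc-infrastructure and flags kubernetes-service and container-registry, which matches the situation the listing shows: the infrastructure plug-in is ready for a VPN-only workflow while the OpenShift and registry plug-ins were not yet.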
IBM Cloud for Financial Services comprises a catalog of cloud services, an ecosystem of vetted ISV products, and tools to help enhance security and compliance with industry controls. Banks and their technology partners can now build applications with Red Hat OpenShift, migrate virtual machine workloads, and establish compliance profiles across their workloads to help an organization achieve their necessary levels of regulatory compliance. Organizations that were hesitant to shift on-premises applications into the cloud can begin to evaluate the move, taking advantage of managed services and infrastructure to speed application development and jump-start modernization efforts.