Security: ibm-cloud-docs/overview (security.md)
---

copyright:
  years: 2017, 2024
lastupdated: "2024-09-13"

keywords: security controls, platform security, compliance, penetration testing, quantum computing, data at rest, data in transit, cryptography

subcollection: overview

---

{{site.data.keyword.attribute-definition-list}}

# How do I know that my data is safe?
{: #security}

Designed with secure engineering practices, the {{site.data.keyword.cloud}} platform provides layered security controls across network and infrastructure. {{site.data.keyword.cloud_notm}} focuses on protection across the entirety of the compute lifecycle, which includes everything from the build process and key management to the security of data services. {{site.data.keyword.cloud_notm}} also provides a group of security services that can be used by application developers to secure their mobile and web apps. These elements combine to make IBM Cloud a platform with clear choices for secure application development.
{: shortdesc}

In addition to our own diligence in creating and operating a secure cloud, {{site.data.keyword.IBM}} also engages many different firms to assess the security and compliance of our cloud platform. For more information, see {{site.data.keyword.cloud_notm}} compliance programs for a detailed list of certifications and attestations.

{{site.data.keyword.cloud_notm}} ensures security readiness by adhering to security policies that are driven by best practices in {{site.data.keyword.IBM_notm}} for systems, networking, and secure engineering. These policies include practices such as source code scanning, dynamic scanning, threat modeling, and penetration testing. {{site.data.keyword.cloud_notm}} follows the {{site.data.keyword.IBM_notm}} Product Security Incident Response Team (PSIRT) process for security incident management. See the {{site.data.keyword.IBM_notm}} Security Vulnerability Management (PSIRT){: external} site for details.

In addition to the regular penetration testing conducted by {{site.data.keyword.IBM_notm}} and our partners, you can conduct penetration testing of your own VPC or Classic Infrastructure resources on {{site.data.keyword.cloud_notm}}. You do not need prior authorization from {{site.data.keyword.cloud_notm}} to do so. {{site.data.keyword.cloud_notm}} customers under an active NDA can request a copy of a penetration testing executive summary by opening a support case.

For more details about security for your applications and environments in {{site.data.keyword.Bluemix_notm}}, see Security for {{site.data.keyword.cloud_notm}}{: external}.

## Quantum safe data protection
{: #quantum}

Quantum computing promises to solve complex problems that even the most powerful computers can't solve today. At the same time, data protected by today's public key cryptosystems, such as RSA and elliptic-curve key exchange, could be recorded now and decrypted years later by a Cryptographically Relevant Quantum Computer (CRQC), a risk often described as "harvest now, decrypt later". Long-lived data is therefore exposed even before such a machine exists. The {{site.data.keyword.cloud_notm}} platform provides a secure, reliable, and cost-effective cloud computing environment that's tailored to your specific business needs. With security at the core, {{site.data.keyword.cloud_notm}} offers capabilities that you can use to integrate your apps and tools with the required level of data protection.

With workload protection as the priority, {{site.data.keyword.cloud_notm}} includes the following core features that you can apply to data at rest and to data in transit, for both inbound and outbound traffic.

### Data at rest
{: #data-at-rest}

Key management, using {{site.data.keyword.keymanagementserviceshort}} and {{site.data.keyword.hscrypto}}, supports large symmetric key sizes (for example, 256-bit AES) that are considered quantum safe, both for the data encryption key (DEK) that encrypts the data itself and for the key encryption key (KEK) that wraps the DEK in envelope encryption. Symmetric keys of that length keep an adequate margin because the best generic quantum speedup, Grover's algorithm, only halves the effective key length. For more details, see Protecting data with envelope encryption and Bringing your encryption keys to the cloud.
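The DEK/KEK split described above, written out as an added example in Go. This is not {{site.data.keyword.keymanagementserviceshort}} or {{site.data.keyword.hscrypto}} code: the in-process `KMS` type is a hypothetical stand-in for the key-management service, and the KEK version counter and the `kek-vN` additional-authenticated-data label are assumptions made for the example. It shows AES-256-GCM used for both layers, key rotation done by rewrapping only the 32-byte DEK while the bulk ciphertext stays untouched, and decryption failing for a tampered ciphertext or a mismatched KEK version.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const keyLen = 32 // AES-256: a symmetric key size considered quantum safe

type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the KEK: nonce || ciphertext || tag
	Ciphertext []byte // data encrypted under the DEK: nonce || ciphertext || tag
	KEKVersion int    // which KEK wrapped the DEK, so rotation can be tracked
}

// KMS is a hypothetical stand-in for the key-management service: it holds the KEKs
// (root keys) and exposes only Wrap/Unwrap, never the key bytes. Call Rotate once first.
type KMS struct{ keks [][]byte }

// randomBytes draws n bytes from the OS CSPRNG; a failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM for a keyLen-byte key.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only possible for a key that is not 16, 24 or 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// seal encrypts with a fresh random nonce prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if the nonce, ciphertext, tag or AAD was altered.
func open(key, data, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

func (k *KMS) Rotate() int {
	k.keks = append(k.keks, randomBytes(keyLen))
	return len(k.keks) - 1
}

// Wrap encrypts a DEK under the newest KEK, binding the KEK version as AAD.
func (k *KMS) Wrap(dek []byte) ([]byte, int) {
	v := len(k.keks) - 1
	return seal(k.keks[v], dek, []byte(fmt.Sprintf("kek-v%d", v))), v
}

func (k *KMS) Unwrap(wrapped []byte, version int) ([]byte, error) {
	if version < 0 || version >= len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return open(k.keks[version], wrapped, []byte(fmt.Sprintf("kek-v%d", version)))
}

// Encrypt draws a one-time DEK, encrypts the data with it and wraps the DEK under the current KEK.
func Encrypt(k *KMS, plaintext []byte) *Envelope {
	dek := randomBytes(keyLen) // plaintext DEK goes out of scope on return
	wrapped, v := k.Wrap(dek)
	return &Envelope{WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil), KEKVersion: v}
}

// Decrypt unwraps the DEK with the KEK version recorded in the envelope.
func Decrypt(k *KMS, e *Envelope) ([]byte, error) {
	dek, err := k.Unwrap(e.WrappedDEK, e.KEKVersion)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, nil)
}

// Rewrap moves an envelope to the newest KEK; the bulk ciphertext is untouched.
func Rewrap(k *KMS, e *Envelope) error {
	dek, err := k.Unwrap(e.WrappedDEK, e.KEKVersion)
	if err != nil {
		return err
	}
	e.WrappedDEK, e.KEKVersion = k.Wrap(dek)
	return nil
}
```

The KEK version is authenticated as GCM additional data rather than trusted from the envelope alone, so an envelope whose version field is altered fails to unwrap instead of being decrypted with the wrong root key. In a real deployment the `Wrap`/`Unwrap` calls are network requests to the key-management service and the KEK bytes never leave it; only the small wrapped DEK travels.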

### Data in transit
{: #data-in-transit}

{{site.data.keyword.keymanagementserviceshort}} supports quantum-safe enabled TLS connections through a hybrid method that combines a quantum-safe key encapsulation mechanism with current ECC key exchange, so the session key stays protected as long as either component remains unbroken. {{site.data.keyword.keymanagementserviceshort}} uses the Kyber algorithm{: external} with NIST evaluation round three parameters. See Introduction to Quantum-safe Cryptography in TLS for more details.

Secure your outbound data with post-quantum support on {{site.data.keyword.cis_full_notm}}. See Bringing post-quantum cryptography to IBM's edge{: external} for more details.

For cloud native apps, TLS connections are quantum safe enabled with a custom ingress controller for {{site.data.keyword.cloud_notm}} {{site.data.keyword.containershort_notm}} and a custom router for {{site.data.keyword.openshiftlong_notm}}. See Protecting apps on {{site.data.keyword.cloud_notm}} with Quantum Safe Cryptography{: external} for more details.

### Authentication
{: #data-auth}

A high-security version of round 2 Dilithium digital signatures (the CRYSTALS-Dilithium lattice-based scheme that NIST later standardized as ML-DSA) in {{site.data.keyword.hscrypto}} is used primarily for data integrity, authenticity, and non-repudiation. See Post-quantum cryptography support for more details.
