
Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems start. That way, banks can launch products and services that keep customers engaged and draw new ones.

Banks looking to grow and expand should proactively consider how fraud concerns impact achieving their goals, and consider a cybersecurity risk assessment. La Banque Postale (LBP) saw firsthand the need for risk assessment as it began working to attract more young customers and was named one of the top three banks in France.

However, banks cannot protect their accounts and infrastructure without knowing their overall risk level as well as their specific vulnerabilities. Security begins with a complete and comprehensive cybersecurity risk assessment. With that in hand, organizations can take the next step to prevent or stop attacks and fraud. Risk and fraud are constantly evolving, too. Financial institutions now often team up with trusted partners who specialize in financial cybersecurity. That way, they can focus on their main goal – providing great service to their customers.

French Bank Faces Account Takeover Fraud

As they set out to achieve their goals, LBP realized they needed to move to full Instant Payment (IP) in less than an hour across all payment types. For a successful and secure IP rollout, the bank knew that it must have a strong fraud prevention strategy in place. The ultimate goal: fraud-free online banking.

Because its past fraud incidents stemmed from unauthorized account access, the team wanted to prevent such attacks from happening. However, many log-in attempts may happen at the same time, making it challenging to stop attacks in real time. The team realized that the key was a scoring system for each login session, which could determine which login attempts were high risk. They could then devote their resources to preventing the high-risk attempts, which increased the likelihood of success.

When they started the project, LBP set realistic goals for the project to help determine success. Of course, the bank wanted to reduce the costs of online fraud. At the same time, the bank also wanted to avoid the costs of renovating payment factories. They planned to do it by investing again in innovative IP deployment and fraud protection. LBP wanted to improve customers’ time with the bank while at the same time reducing costs. They knew that addressing the issue was not a short-term project, but a long-term focus.

Selecting a Risk Confidence Solution to Bolster IAM

A wide range of risk confidence solutions is currently on the market at a variety of price points and with a variety of features. However, banks must carefully select the right tool for their specific needs. This ensures that they are correctly assessing risk and that the tool integrates with their other IT systems. When LBP began looking for a tool, their top need was a complete, in-depth fraud protection and authentication solution that could address their requirements. After a careful search, they selected IBM.

Specific features to look for include:

● Cloud-based: The tool must detect attempts across multiple channels. So, the solution must be cloud-based to provide the coverage needed for the wide range of ways customers and threat actors access bank accounts. Additionally, cloud-based solutions allow employees to access the tools from wherever they are working that day, including their mobile devices.

● Uses AI: Attackers are increasingly using AI-based tools to take over accounts and commit fraud. Without predictive technology, banks find it increasingly hard to spot vulnerabilities and assess risk, and end up reacting to attacks instead of proactively predicting risk and potential vulnerabilities. By using AI-based technology, LBP can now spot fraud happening in real time and limit the damage by intervening.

● Anomaly detection: Threat actors are often very sophisticated in their approach. However, their patterns typically vary ever so slightly from the account owner. With anomaly detection, the tool uses AI to uncover deviations based on device hygiene and network characteristics. Even subtle differences such as typing speed can be detected with behavioral biometrics.

● Fits into zero trust framework: Hybrid and remote work are changing the surface area banks need to protect. The zero trust approach provides the best protection for the way that bank employees currently work. Zero trust, which is a collection of technologies used together, starts with the mindset that each user must prove that they are authorized. Identity and access management (IAM) serves as a cornerstone of zero trust by establishing that the user is authorized.

● Fraud patterns: Attackers always change how they do business. When you use a tool that continually updates its algorithm with the latest fraud patterns used in other attacks, such as spoofing attributes, malware infections and non-human behavior, you can more accurately spot potential risks.

● Consortium data: By using a trusted partner that is always creating new research and data, your bank benefits from the targeted protections deployed by the IBM Security research consortium.
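The per-session scoring described in the LBP section and the anomaly-detection bullet above, as an added illustration (not IBM's, LBP's or Verify Trust's code): each login session is scored from device hygiene, network characteristics and a typing-rhythm deviation from the user's own baseline, mapped to allow / step-up / deny, and then ranked so the highest-risk attempts get attention first. All weights, thresholds, field names and sample sessions are constructed assumptions.

```python
"""Per-login-session risk scoring with baseline anomaly detection (constructed example)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up_mfa", "deny"


@dataclass
class Baseline:
    """What the bank has previously observed for one customer (assumed fields)."""
    known_devices: Set[str]
    known_countries: Set[str]
    typing_cps_samples: List[float]  # characters per second on past genuine logins


@dataclass
class Session:
    """Signals collected during one login attempt (assumed fields)."""
    session_id: str
    user: str
    device_id: str
    os_patched: bool
    rooted: bool
    country: str
    via_anonymizer: bool
    typing_cps: float
    form_fill_seconds: float


def typing_zscore(sample: float, history: List[float]) -> float:
    """Deviation of this session's typing speed from the user's baseline, in std devs."""
    if len(history) < 2:
        return 0.0  # not enough history to judge
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if sample == mean(history) else 3.0
    return abs(sample - mean(history)) / sd


def score_session(s: Session, b: Baseline) -> Tuple[int, List[str]]:
    """Additive risk score (0-100) plus human-readable reasons for the fraud team."""
    score, reasons = 0, []
    if s.device_id not in b.known_devices:          # device hygiene / familiarity
        score += 30; reasons.append("unknown device")
    if s.rooted:
        score += 25; reasons.append("rooted/jailbroken device")
    if not s.os_patched:
        score += 10; reasons.append("unpatched OS")
    if s.country not in b.known_countries:          # network characteristics
        score += 20; reasons.append(f"login from new country {s.country}")
    if s.via_anonymizer:
        score += 25; reasons.append("anonymizing proxy/VPN")
    z = typing_zscore(s.typing_cps, b.typing_cps_samples)   # behavioral biometrics
    if z > 3:
        score += 20; reasons.append(f"typing rhythm deviates (z={z:.1f})")
    if s.form_fill_seconds < 0.5:                   # non-human behavior
        score += 30; reasons.append("non-human form-fill speed")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Policy thresholds: deny outright, challenge with MFA, or let through."""
    if score >= 60:
        return DENY
    if score >= 30:
        return STEP_UP
    return ALLOW


def triage(sessions: List[Session], baselines: Dict[str, Baseline]):
    """Rank concurrent sessions so analysts work the riskiest ones first."""
    rows = []
    for s in sessions:
        score, reasons = score_session(s, baselines[s.user])
        rows.append((s.session_id, score, decide(score), reasons))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample data: one customer baseline and three simultaneous login attempts.
BASELINES = {"alice": Baseline({"dev-A"}, {"FR"}, [4.0, 4.2, 3.9, 4.1, 4.0])}
SESSIONS = [
    Session("s1", "alice", "dev-A", True, False, "FR", False, 4.05, 6.0),
    Session("s2", "alice", "dev-B", True, False, "FR", False, 4.10, 5.0),
    Session("s3", "alice", "dev-Z", False, True, "RU", True, 12.0, 0.2),
]

if __name__ == "__main__":
    for sid, score, action, why in triage(SESSIONS, BASELINES):
        print(f"{sid}: score={score:3d} action={action:12s} {'; '.join(why)}")
```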

Importance of Fraud Protection

After assessing risk with a tool like this, the next step is to effectively prevent fraud by denying access. As banks move through their digital transformation, they see more fraud and account takeovers.

By selecting IBM Security Verify Trust to both assess risk and prevent fraud, LBP was able to confidently launch the first IP program to its customers. LBP improved its customer image by setting up full instant payment without additional fraud. Users now had the convenience of free and faster payments without security concerns.

Now that LBP has become the first bank to fully deploy free instant payments, other banks will likely follow, which means customers across the globe will benefit. As your bank looks to continue its digital transformation by moving existing processes to digital channels and offering a new customer experience, now is the time to follow LBP’s lead and assess your current risk. By getting the tools and processes needed to assess risk and prevent fraud, your bank can focus on its digital transformation and provide the personalized experiences that your customers expect. You can then move towards your goal of a fraud-free online experience and becoming a digitally focused bank.

Contact Elite Paradigm, LLC and get your Cybersecurity Risk Assessment, today.


Implementing Zero Trust

The recent Kaseya ransomware attack is yet another reminder of the ferocity of the war cybercriminals are waging on the business world. In 2020, scan-and-exploit became the top initial attack vector for surveyed organizations, surpassing phishing, according to the 2021 IBM X-Force Threat Intelligence Index. The report noted manufacturing as the second-most attacked industry in 2020 for respondents, up from eighth place the year prior and second only to financial services.

What’s behind these attacks?

Companies have invested a great deal in building castle-and-moat protections against external threats, focusing on protecting the DMZ or perimeter zone. In a world of known threats and less sophisticated techniques, this protection model worked reasonably well. But times have changed. 

Cybercriminals can be well resourced and tenacious and even backed by nation-states. They can leverage evermore sophisticated tools, such as Ransomware-as-a-Service. These tools can be incentivized by cryptocurrencies with their strong liquidity and poor traceability. As a result, they are well positioned in the arms race against traditional perimeter defenses. Clearly, it is time to consider a zero trust approach to help protect your most valuable resource—your data.

The rise of zero trust 

The problem with the castle-and-moat model is the primary focus on external defenses. Once inside, cybercriminals can generally move freely around without much impediment and wreak havoc. This has led to a broadening of the security perspective to encompass internal security, with what is termed the zero trust model. 

The Biden administration in the United States recently issued an Executive Order calling for advancement towards a zero trust model within the federal government and among federal contractors. Subsequently, in response to multiple high-profile ransomware attacks, the White House also issued a memo to business executives urging them to protect against the threat of ransomware. Such a model is an “evolving set” of concepts that move beyond “defenses from static, network-based perimeters,” according to the National Institute of Standards and Technology (NIST).

What happens when a cybercriminal or organization has breached a perimeter and has access to your secure environment? Typically, they will start a stealth scan to build a map of your network. They enumerate the server they are on for all its credentials and then try those credentials on your other servers to travel laterally. Most breaches move from computer to computer over standard protocols such as SSH, FTP, SFTP, HTTP, and HTTPS. This means you need to have a strategy for restricting the spread or movement within your organization.  

Zero Trust Protects File Transfers 

At IBM, our Sterling Secure File Transfer (SFT) solution is designed to align with a zero trust approach and harden servers to help reduce the possibility for ransomware or malware to travel laterally. The aim is to protect the inside of the castle – inside the DMZ – ultimately safeguarding internal intellectual property and assets. A zero trust approach requires securing and regulating movement between internal computers and servers, and we begin by removing untrusted protocols.

Our SFT solution is designed to include IBM Sterling Connect:Direct, which uses a security-hardened protocol. When malware reaches out internally, it will not know how to ‘talk’ to the protocol. The receiving server can also check the IP address of the server that has requested access. If that IP address is not on the internal list of trusted servers, which can be updated as needed, the receiving server automatically drops the session.

Connect:Direct can have additional checkpoints to further help prevent the spread of malware to another server. The malware also needs the correct credentials, and the credential requirements can be raised for additional protection of high-value servers. Also, only files with a specified name may be transferred.

Each server that uses Connect:Direct becomes a checkpoint – and choke point – for malware. This zero trust approach in Connect:Direct hardens infrastructure. It includes capabilities for zero trust practices for communications that can help mitigate the risks of traditional protocols such as FTP, SFTP and SSH. SFT can also encrypt data at rest. In transit, it provides multifactor authentication, helping implement a zero trust strategy for your file transfers.
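The three checkpoints the text describes for an internal file-transfer server (trusted-IP list, credentials, permitted file names), written out as an added admission gate. This is illustrative code and not Connect:Direct or Sterling SFT; the class, field names, verdict strings and sample requests are constructed assumptions, and it also rejects path components in file names, a check the text does not mention but that any file-name allowlist needs.

```python
"""Admission gate for internal file-transfer sessions (constructed example)."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor for stored node passwords


@dataclass(frozen=True)
class TransferRequest:
    """What the receiving server learns about an incoming session (assumed fields)."""
    source_ip: str
    node_name: str
    password: str
    filename: str


class TransferGate:
    def __init__(self) -> None:
        self.trusted_nets: List[ipaddress.IPv4Network] = []
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}   # node -> (salt, digest)
        self.allowed_files: Dict[str, List[str]] = {}           # node -> fnmatch patterns

    def trust_network(self, cidr: str) -> None:
        """Checkpoint 1 data: the updatable internal list of trusted servers."""
        self.trusted_nets.append(ipaddress.ip_network(cidr))

    def register_node(self, name: str, password: str, patterns: List[str]) -> None:
        """Store a salted PBKDF2 digest (never the password) and the node's file allowlist."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.credentials[name] = (salt, digest)
        self.allowed_files[name] = list(patterns)

    def _credential_ok(self, name: str, password: str) -> bool:
        stored = self.credentials.get(name)
        if stored is None:
            # Do the same work for unknown nodes so timing does not reveal valid names.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def _filename_ok(self, node: str, filename: str) -> bool:
        # A bare name only: no directories, no traversal, before pattern matching.
        if not filename or "/" in filename or "\\" in filename or ".." in filename:
            return False
        return any(fnmatch(filename, p) for p in self.allowed_files.get(node, []))

    def evaluate(self, req: TransferRequest) -> Tuple[str, str]:
        """Return (verdict, reason). DROP = session closed silently; REJECT = refused after handshake."""
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in net for net in self.trusted_nets):
            return "DROP", f"{req.source_ip} is not on the trusted server list"
        if not self._credential_ok(req.node_name, req.password):
            return "REJECT", f"credential check failed for node {req.node_name!r}"
        if not self._filename_ok(req.node_name, req.filename):
            return "REJECT", f"file name {req.filename!r} not permitted for {req.node_name!r}"
        return "ACCEPT", "all checkpoints passed"


def build_demo_gate() -> TransferGate:
    """Constructed configuration: one trusted subnet, one registered payroll node."""
    gate = TransferGate()
    gate.trust_network("10.10.0.0/16")
    gate.register_node("PAYROLL", "s3cret-demo", ["payroll_*.csv"])
    return gate


# Constructed sample sessions, including one from outside the trusted list and one
# that has the right credentials but tries to push a file the policy does not name.
SAMPLE_REQUESTS = [
    TransferRequest("192.0.2.5", "PAYROLL", "s3cret-demo", "payroll_2024.csv"),
    TransferRequest("10.10.1.7", "PAYROLL", "wrong", "payroll_2024.csv"),
    TransferRequest("10.10.1.7", "PAYROLL", "s3cret-demo", "update.exe"),
    TransferRequest("10.10.1.7", "PAYROLL", "s3cret-demo", "../payroll_2024.csv"),
    TransferRequest("10.10.1.7", "PAYROLL", "s3cret-demo", "payroll_2024.csv"),
]

if __name__ == "__main__":
    gate = build_demo_gate()
    for req in SAMPLE_REQUESTS:
        verdict, reason = gate.evaluate(req)
        print(f"{verdict:6s} {req.source_ip:10s} {req.filename:22s} {reason}")
```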

Do you have a traditional castle-and-moat security model? I urge you to consider implementing or expanding your zero trust strategy. It will help protect what is most valuable inside of your organization. You can start small and add more protections over time. The key is to begin now because the war will continue to escalate.  


Secure the Remote and Hybrid Workforce

It’s Cybersecurity Awareness Month. So, let’s discuss a topic that has been around for a decade but is only recently gaining significant traction in business circles: zero trust. The concept of zero trust has been around since John Kindervag coined the term in 2010. Google’s internal implementation through its BeyondCorp team in 2011 was one of the first examples. The objective of the group was simply to allow “employees to work more securely from virtually any location.” It was a very progressive idea, given that the first Android phone had launched only three years earlier. Businesses exploring zero trust have begun to implement it to help manage the flow of corporate data to mobile devices.

Today, mobile working is commonplace. Recent research by Deloitte found that 40 percent of workers use a mobile device as part of their job. The zero trust model is important for businesses that are undergoing digital transformation to enable productive mobile workflows.

Simply put, zero trust means no implied accreditation, always ensure security and only provide visibility into what you need to. Access should only be granted on a case-by-case basis per app; everything else should remain hidden. A successful, scalable and secure mobile-enabled business strategy should incorporate zero trust.

The Advent of Modern Productivity

It is no secret that businesses have embraced mobile workflows for productivity gains. These companies have embarked on continuous digital transformation to capture this latent potential within their organization. The three pillars of this productivity shift are the concepts of enablement, identity and zero trust.

Unified endpoint management (UEM) enables employees to easily use mobile devices to work wherever they are. This creates new, more productive workflows. Businesses use UEM today to push apps, password policies and email settings seamlessly to thousands of devices. It gives administrators an invisible pair of hands to remotely configure and manage the devices and apps that employees use. The ability to manage Windows 10 devices as well as mobiles has allowed companies to consolidate the configuration tools they use, leading to a rise in UEM deployments.

Identity and access management (IAM) helps by simplifying access. Users only need to remember one password. If the identity of the end user accessing data is known, single sign-on (SSO) can be provided. With the number of business apps ballooning, employees must remember an ever-increasing number of credentials and businesses need better ways to manage access. IAM removes the requirement to remember multiple login details and continuously authenticate. The technology can also act as a security tool. It provides a layer for multifactor authentication (MFA) and a single link that IT teams can limit if a breach is detected.

UEM and IAM provide some of the tools IT teams need to control how company data is managed, but both suffer from the critical flaw of implied trust. It is implied that the connection is secure and private, that the device is uncompromised by malware, and that other apps on the device are not leaking information. Mobile threat defense (MTD) acts as a third pillar to create a zero trust posture that truly enables mobile productivity.

Managing a Blurred Boundary

Although many of the opportunities for mobile digital transformation were driven by UEM and IAM, they left a gap in security posture. Businesses knew who was accessing data and through what device, but not whether the device, applications or network were secure. Organizations also struggled to discover whether a compromise had even occurred; Verizon found that 63 percent of business-related breaches were reported by third parties.

MTD can provide the insights businesses need to make informed decisions about when their data is accessed. Continuous conditional access (CCA), a method of consistently evaluating security to determine risky activity immediately, allows businesses to control how and where their data is being accessed in real time. Best-in-class MTD products are capable of providing conditional access by monitoring device, app and network threats to ensure that data being sent to a device remains secure.

Building Zero Trust With UEM, IAM and MTD

Bringing UEM, IAM and MTD services together can enable employees to use their mobile devices to securely access corporate resources. Integrating these three technologies and aligning the policies between them can also create a seamless, unified security stance. An MTD partner that can integrate with your existing services is crucial to building a strong security posture.

The CCA scanning, provided in real time by a strong MTD solution, is the glue that binds the zero trust model for secure productivity. CCA allows for dynamic risk assessment: If a device’s risk profile becomes too high at any point, preventative action can be taken. Leading MTD solutions use threat intelligence engines to monitor a number of vectors, including known and zero-day threats.

Integration with other technologies is extremely powerful once risk levels have been exceeded. After the MTD tool categorizes the risk, it can then communicate with the UEM solution to trigger a seamless, automatic response. Integration with other services such as security information and event management (SIEM) can help improve the IT team’s level of response and visibility when a risk occurs.

In the real world, the scenario may be as simple as an employee downloading an entertainment app for their commute to work. If the entertainment app contains a vulnerability, MTD is designed to detect that corporate information accessed on the device is at risk. Combining the insights gained from UEM, IAM and MTD in a single policy engine helps security and business leaders make richer, more contextual access decisions.

For example, when an MTD solution recognizes a risk, it can work with UEM to prevent access to company services from the device. Informing the employee why action has taken place gives them options to choose how to work. If the IAM system believes the user’s credentials are not compromised, the employee could continue to work from a secondary device. Or, if the main device’s risk profile can be lowered, it could become a work tool again. A single policy engine powered by the three tools can dynamically enable productivity and protection.

How Can Businesses Move to the Zero Trust Model?

The reality is that zero trust isn’t just a single product or service, and there is no industry-standard architecture. As new ways of working develop, IT teams will need to hold BeyondCorp’s mantra close to heart and allow “employees to work more securely from virtually any location.”

Using and linking UEM, IAM and MTD together can create a unified, comprehensive security policy businesses undergoing digital transformation can use today. This will help ensure that enterprise data is securely accessed by only the right users, applications and devices.

Contact Elite Paradigm LLC, today!

Get a demo of MaaS360 and Wandera to see how UEM and MTD support zero trust


Why Zero Trust?

As a security architect within IBM Security Services, I often get asked the question, “What exactly is a Zero Trust architecture?” Well, there is no single or unique answer to that question for two reasons.

First, Zero Trust is not an architectural model but rather a set of guiding principles that should be applied to existing and new designs. With that said, these principles present a number of architectural patterns or use cases that can serve as a starting point for implementation.

Second, the implementation of Zero Trust principles results in very different technical solutions and approaches for different use cases. For example, applying the same Zero Trust principles to an employee remote access use case would be addressed in a very different way than handling micro-services connectivity in a service mesh running on containers.

So, where does one even start and how would Zero Trust change the way security solutions are designed? To answer these questions, I propose starting at the right architectural entry point: enterprise security architecture (ESA). In this article, I’ll briefly describe how the principles of Zero Trust could be introduced at your organization through the different architectural governance levels and against ESA.

Looking at Zero Trust Architecture Through an ESA Lens

To establish an IT security governance model, most organizations define an ESA as part of a wider enterprise architecture program. In an ESA, all aspects of IT security are defined through the different stages of design. You’ll typically find the following stages: the contextual or business layer, the conceptual layer, the logical layer and the physical layer. Below I provide a summarized overview of the concepts.

Figure: the layers of an enterprise security architecture (contextual, conceptual, logical and physical). Source: IBM Security

In addition, an ESA should address the governance of how the solutions and artifacts are maintained at the different layers like what is shown above. Security operations will need to manage the day-to-day operational risks while architecture review cycles ensure that the solution’s building blocks are identified and up to date. I’ll come back to this last topic later.

Also, the security controls of an ESA should be designed, implemented and managed at the enterprise level. A security control is typically a solution that combines your people, processes and technology. From a high-level perspective, both the actions required to mitigate identified IT risks and the actions required to ensure regulatory compliance are translated into a set of security policies that are then enforced and implemented through an extended collection of security controls. An ESA helps to define the approach of how to achieve that goal in line with business requirements.

Combining Security Architecture With a Zero Trust Governance Model

If we start applying the Zero Trust principles to security architecture, it is clear that the contextual level does not change. The regulations, risks and business drivers are not changing, but the way an organization would address these requirements might change. Therefore, implementing Zero Trust principles will start at the conceptual layer of your architecture. IBM Security’s four-tenet Zero Trust governance model could be leveraged to structure the approach (see figure below).

Figure: IBM Security’s four-tenet Zero Trust governance model. Source: IBM Security

1. Define Context

Defining context is key for Zero Trust across all security domains. Here, the foundation for your Zero Trust implementation road map has to be defined. New security policies will have to be defined and existing policies might require adaptation. The use cases within the organization should be identified as soon as possible, including what kind of integrations should be established between the controls at the different layers. Integrations will be one of the major changes coming with Zero Trust implementations in the next couple of years.

The vanishing perimeter paradigm will have to result in more integration between the security controls installed at the different layers of defense. The result is consolidated insights that can be used to make the access decisions for your data dynamically (under the principle of “Always Verify”) and access is no longer solely based on static access-control lists (ACLs).

From the ESA point of view, this “Define Context” tenet is where the security policies are set. Moreover, security services are needed to support the organization’s requirements. The capabilities needed to provide the services should be compiled and the high-level solution patterns built on these capabilities will need to address the Zero Trust use cases. The new and adapted capabilities have to be defined at the technical level and then deployed. The ESA should also define how to move from architectural version N to version N+1 through a transformation road map. In the picture below, I map the IBM Zero Trust governance model to the ESA example.

Figure: the IBM Zero Trust governance model mapped onto the ESA example. Source: IBM Security

2. Verify and Enforce

The “Verify and Enforce” tenet in the IBM governance model is where most security vendors position their Zero Trust solutions. In an ESA context, this is where the logical architectures define the required security building blocks (SBB).

Next, the logical architecture is worked out into technical designs based on the selected technologies. For example, the implementation of micro-segmentation for infrastructure in the data center will require a detailed technical design at the network layer. The role of ESA is to ensure the overall principles are followed during design and that the design goals like integration are achieved.

3. Resolve Incidents

Next comes everything related to security operations. This third tenet is called “Resolve Incidents” in IBM Security’s Zero Trust governance model. It is here where security operations are defined. This is also where security teams learn how to cope with security incidents impacting trusted connections and speed up both the detection and response for these incidents.

From my perspective, the operational architecture within ESA is the most important concept here. You could have the best security technologies available, but if they’re not properly managed by the security operations team, they won’t meet expectations and can result in failed outcomes. We all know that security maturity can’t be achieved in every layer at the same moment. To address this challenge, adequate security monitoring solutions and automated response measures are the best tools for bridging possible gaps in maturity.

4. Analyze and Improve

The tenet of “Analyze & Improve” is a key element of the Zero Trust governance model and it should also be a standard component of every ESA. In a rapidly evolving technology landscape, where there are accelerated product releases thanks to Agile approaches combined with automated CI/CD delivery models, an ESA should focus on the continuous improvement loop.

Implementing Zero Trust principles won’t be achieved overnight. The changes should be tested on a single use case that’s relevant to your business and the effectiveness of that implementation should be consistently measured with improvements applied in an Agile way. Once your initial use case is deemed ready, the same approach can be scaled out to other enterprisewide use cases, meaning that all activities related to “Analyze & Improve” will have to occur at an accelerated pace.

Interested in learning how you can begin your Zero Trust adoption? Learn about the steps you can take with an integrated, multi-disciplinary governance model that advances progress toward maturity.


Understanding the Cybersecurity Threat & its Impact

Data security is on everyone’s mind these days, and for good reason. The number of successful data breaches is growing thanks to the increased attack surfaces created by more complex IT environments, widespread adoption of cloud services and the increasingly sophisticated nature of cybercriminals.

One part of this story that has remained consistent over the years is that most security breaches are preventable. Although every organization’s security challenges and goals are different, there are certain mistakes that many companies make as they begin to tackle data security. What’s worse, these mistakes are often accepted as the norm, hiding in plain sight under the guise of common practice.

Read the white paper: Five Common Data Security Pitfalls to Avoid

Five Common Data Security Pitfalls

Below are five common data security failures that, if left unchecked, could lead to unforced errors and contribute to the next major data breach.

1. Failure to Move Beyond Compliance

It is often said that compliance does not equal security, and most security professionals would agree with that statement. However, organizations often focus their limited security resources on achieving compliance and, once they receive their certifications, become complacent. As a result, many of the largest data breaches in recent years have happened in organizations that may have been fully compliant on paper.

2. Failure to Recognize the Need for Centralized Data Security

Compliance can help raise awareness of the need for data security, but without broader mandates that cover data privacy and security, organizations often fail to move past compliance to a focus on consistent, enterprise-wide data security. A typical organization today has a hybrid multicloud environment, which is constantly changing and growing. New types of data stores can appear weekly, if not daily, and greatly disperse sensitive data.

3. Failure to Assign Responsibility for the Data

Even when aware of the need for data security, many companies have no one specifically responsible for protecting sensitive data. This situation often becomes apparent during a data security or audit incident when the organization is under pressure to find out who is actually responsible.

4. Failure to Address Known Vulnerabilities

High-profile breaches in enterprises have often resulted from known vulnerabilities that went unpatched even after the release of patches. Failure to quickly patch known vulnerabilities puts your organization’s data at risk because cybercriminals actively seek these easy points of entry.

According to a recent IDC research report, organizations are struggling to manage data security across multi-cloud and hybrid environments. In fact, in a recent survey more than 37% of respondents identified the growing complexity of security solutions as a significant challenge, one which often impedes data governance and policy enforcement.

5. Failure to Prioritize and Leverage Data Activity Monitoring

Monitoring data access and use is an essential part of any data security strategy. Organizations need to know who, how and when people are accessing data. This monitoring should encompass whether these people should have access, if that access level is correct and if it represents an elevated risk for the enterprise.

Taking Steps to Close Data Security Pitfalls

There is nothing easy about securing sensitive data to combat today’s threat landscape, but companies can take steps to ensure that they are devoting the right resources to their data protection strategy.

When starting on a data security journey, you need to size and scope your monitoring efforts to properly address the requirements and risks. This activity often involves adopting a phased approach that enables development and scaling best practices across your enterprise. Moreover, it’s critical to have conversations with key business and IT stakeholders early in the process to understand short-term and long-term business objectives.

To learn more about common data security missteps, read the white paper, “Five Common Data Security Pitfalls to Avoid.”


Grounding Cyber-Resilience in the IBM Cloud

01 Managing and securing data

The most valuable enterprise asset is data

Data—the most valuable business asset for enterprises and their customers—must be protected from unauthorized access. Always available and secure data coupled with insightful data analytics drives business innovation, increases client satisfaction and loyalty and, more importantly, gives you a competitive edge in the marketplace.

Managing data throughout its lifecycle in compliance with business, privacy and security regulatory requirements must be the top priority in cloud environments. That is why a trusted business partner with deep expertise in security, privacy and cloud deployments is critical. IBM has successfully helped customers migrate to the cloud by using extensive industry-specific products and services backed by more than 2,500 cloud technology patents granted to IBM.

The nature of global cloud computing means that the physical location of data is very relevant and is becoming more significant every day. Business transactions occur across international borders every second. Big data created in one region gets stored, processed and accessed from other regions across international borders. End users, clients and business partners using your data may be accessing it from all over the globe.

The performance of cloud workloads depends on the user’s distance from the data center where your data is housed: the farther away the user, the higher the latency. The same holds for cloud providers, who are expected to move your data around the globe efficiently and with minimal latency. Knowing this, IBM has invested heavily in building, maintaining and growing an agile global cloud network backbone that carries public and private traffic around the globe to help ensure an exceptional customer experience.

02 Data location matters

The location of data is often given little attention, but it matters

Organizations often migrate business workloads to the cloud so that data is always available and delivered quickly and reliably to customers around the world. The actual location of data is often given little attention due to lack of clarity about concepts such as universal accessibility, guaranteed uptime service level agreements (SLAs) and high-speed network connectivity. Overlooking your data’s physical location can lead to slow uploads and downloads, unsatisfactory delays in service, a reduction in productivity and loss of customers and business. More importantly, where data resides plays an instrumental role in protecting privacy and meeting the regulatory requirements for data protection.

While the cloud delivers infrastructure as a service (IaaS), data stored on the cloud resides on physical storage devices and data in transit traverses physical networks too. Even data used by your cloud applications—data in use—needs to be secured. IBM Cloud® provides built-in security solutions designed to protect data throughout its lifecycle.

When estimating the potential performance of global networks, it is customary to use the speed of light in fiber to compute a best-case response time, measured as round-trip time (RTT).

Cloud workloads require an infrastructure that is agile, secure and responsive, with a local presence on a global scale. IBM understands these business cloud needs and in response has invested in a global network of more than 60 data centers and six multizone regions spanning six continents. IBM’s cloud network keeps application workloads and data secure in data centers that comply with regulatory requirements. IBM’s data security addresses data at rest, in transit and in use. IBM Cloud offers IBM Key Protect, with benefits such as bring your own keys (BYOK), and IBM Cloud Hyper Protect Crypto Services, which enables you to keep your own keys (KYOK) for cloud data encryption.

IBM Key Protect (BYOK)

IBM Key Protect is a multi-tenant key management service (KMS) with key vaulting provided by IBM-controlled FIPS 140-2 Level 3 Hardware Security Modules. With Key Protect, customers bring their own keys (BYOK) to the cloud and manage the keys themselves. IBM values the security and privacy of our customers’ data, so we also provide operational assurance that IBM will not access the keys.

IBM Cloud Hyper Protect Crypto Services (KYOK)

IBM Cloud Hyper Protect Crypto Services offers two in one: a KMS with a built-in Hardware Security Module (HSM). It is a single-tenant key management service with key vaulting provided by customer-controlled FIPS 140-2 Level 4 HSMs, the highest available certification. With Hyper Protect Crypto Services, customers keep their own keys (KYOK), protected by HSMs they control and manage. The implementation provides technical assurance that IBM cannot access the keys.
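What the BYOK and KYOK paragraphs above have in common is the envelope-encryption pattern: the customer’s root key stays inside the key-vaulting service, and the application only ever asks that service to wrap or unwrap a per-record data encryption key (DEK). The Go program below is an added illustration of that pattern and is not IBM Key Protect or Hyper Protect Crypto Services code; it uses none of their APIs. An in-memory map stands in for the HSM, the tenant IDs and key material are constructed for the example, and the application stores only the wrapped DEK and the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// aead builds an AES-GCM cipher from a 16-, 24- or 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, returning nonce || ciphertext || tag; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, wrong aad or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns+g.Overhead() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], aad)
}

// KMS models the key-vaulting service (the map stands in for the HSM boundary).
// Root keys never leave it; callers can only ask for a DEK to be wrapped or unwrapped.
type KMS struct{ rootKeys map[string][]byte }

func NewKMS() *KMS { return &KMS{rootKeys: map[string][]byte{}} }

// ImportRootKey is the BYOK step: the tenant's own key material is vaulted under an ID.
// DeleteRootKey is the customer's lever: every DEK wrapped under it becomes unrecoverable.
func (k *KMS) ImportRootKey(id string, material []byte) {
	k.rootKeys[id] = append([]byte(nil), material...)
}
func (k *KMS) DeleteRootKey(id string) { delete(k.rootKeys, id) }

// WrapDEK encrypts a DEK under the named root key, binding the root key ID as AAD.
func (k *KMS) WrapDEK(rootID string, dek []byte) ([]byte, error) {
	rk, ok := k.rootKeys[rootID]
	if !ok {
		return nil, fmt.Errorf("unknown root key %q", rootID)
	}
	return seal(rk, dek, []byte(rootID))
}

// UnwrapDEK fails if the blob was wrapped under another root key, the key was deleted, or it was tampered with.
func (k *KMS) UnwrapDEK(rootID string, wrapped []byte) ([]byte, error) {
	rk, ok := k.rootKeys[rootID]
	if !ok {
		return nil, fmt.Errorf("unknown root key %q", rootID)
	}
	return open(rk, wrapped, []byte(rootID))
}

// EncryptRecord generates a fresh DEK per record, encrypts with it and wraps the DEK
// through the KMS. Only the wrapped DEK and ciphertext are returned for storage.
func EncryptRecord(k *KMS, rootID string, plaintext []byte) (wrappedDEK, ct []byte, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = k.WrapDEK(rootID, dek); err != nil {
		return nil, nil, err
	}
	ct, err = seal(dek, plaintext, nil)
	return wrappedDEK, ct, err
}

// DecryptRecord unwraps the DEK through the KMS, then decrypts the record.
func DecryptRecord(k *KMS, rootID string, wrappedDEK, ct []byte) ([]byte, error) {
	dek, err := k.UnwrapDEK(rootID, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ct, nil)
}
```

In a real deployment the wrap and unwrap calls cross a network API into the HSM-backed service, and the difference between operational assurance (Key Protect) and technical assurance (Hyper Protect) lies in who can reach the root key inside that boundary. The model shows the consequence either way: a stored record is worthless without the root key, a blob wrapped for one tenant cannot be unwrapped with another tenant's key, and deleting the root key crypto-shreds everything under it.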

Customer scenario

The ideal situation for enterprises is to deploy cloud workloads in proximity to their customers for optimal response time. Today’s global digital economy means that most enterprises conduct business around the globe and need to ensure that customers, regardless of their location, have pleasant business experiences. For the best experience, the global presence of IBM Cloud affords the opportunity for organizations to deploy their workloads in several locations that are close to their worldwide customer base.

Let’s look at a global business based in San Jose, CA with customers in Paris, France and Singapore. The ideal situation for this business is to have workloads deployed as close to these locations—if not directly in these cities—as possible. Alternatively, the business could choose a less optimal solution by deploying workloads in San Jose only, giving customers in Paris and Singapore similarly delayed response times. With its expansive network, multizone region capabilities and high-speed infrastructure, IBM Cloud is designed to enable businesses to serve global customers in a secure, fast and timely manner.
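To make the speed-of-light estimate from the previous section concrete for this San Jose / Paris / Singapore scenario, here is an added example that is not part of the IBM paper. It computes the great-circle distance between constructed site coordinates and the RTT floor at fibre propagation speed, then compares the single-region option with deploying near each customer. The coordinates, the fibre refractive index of 1.47 (roughly two thirds of c) and the candidate data center list are assumptions for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Fibre propagation speed: c divided by an assumed single-mode fibre refractive index.
const (
	earthRadiusKm  = 6371.0
	lightVacuumKmS = 299792.458
	fibreIndex     = 1.47
	fibreSpeedKmS  = lightVacuumKmS / fibreIndex
)

// Site is a named location with latitude/longitude in degrees.
type Site struct {
	Name     string
	Lat, Lon float64
}

// Constructed sample sites for the scenario in the text.
var (
	SanJose   = Site{"San Jose, CA", 37.3382, -121.8863}
	Paris     = Site{"Paris, FR", 48.8566, 2.3522}
	Singapore = Site{"Singapore", 1.3521, 103.8198}
)

// GreatCircleKm returns the haversine great-circle distance between two sites.
func GreatCircleKm(a, b Site) float64 {
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(b.Lat - a.Lat)
	dLon := toRad(b.Lon - a.Lon)
	h := math.Pow(math.Sin(dLat/2), 2) +
		math.Cos(toRad(a.Lat))*math.Cos(toRad(b.Lat))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

// MinRTTms is the physics floor on round-trip time in milliseconds: twice the
// great-circle distance at fibre speed. Real fibre paths are longer than the
// great circle and add serialisation and queueing delay, so measured RTT is
// always above this figure; it is a lower bound, not a prediction.
func MinRTTms(user, dc Site) float64 {
	return 2 * GreatCircleKm(user, dc) / fibreSpeedKmS * 1000
}

// BestDataCenter picks the candidate data center with the lowest RTT floor for a user.
func BestDataCenter(user Site, dcs []Site) (Site, float64) {
	best, bestRTT := dcs[0], math.Inf(1)
	for _, dc := range dcs {
		if rtt := MinRTTms(user, dc); rtt < bestRTT {
			best, bestRTT = dc, rtt
		}
	}
	return best, bestRTT
}

func main() {
	users := []Site{Paris, Singapore}
	fmt.Println("Option A: workloads in San Jose only")
	for _, u := range users {
		fmt.Printf("  %-13s -> %-13s floor RTT %6.1f ms\n", u.Name, SanJose.Name, MinRTTms(u, SanJose))
	}
	fmt.Println("Option B: workloads in San Jose, Paris and Singapore")
	for _, u := range users {
		dc, rtt := BestDataCenter(u, []Site{SanJose, Paris, Singapore})
		fmt.Printf("  %-13s -> %-13s floor RTT %6.1f ms\n", u.Name, dc.Name, rtt)
	}
}
```

Under these assumptions the San Jose-only option gives Paris a floor of roughly 88 ms and Singapore roughly 134 ms before any routing detour or queueing is counted, which is why the text treats it as the less optimal choice; a useful rule of thumb from the same physics is about 1 ms of one-way latency per 100 km of fibre. The floor for a user served from a data center in their own city is zero here only because the model ignores metro and last-mile distance.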

03 IBM Cloud global data centers

Protect and deliver services to customers worldwide

IBM Cloud data centers and network points of presence (PoPs) are connected to a global network backbone, which carries public, private and management traffic to and from servers. This global network boasts more than 2,600 Gbps of connectivity between data centers and network PoPs with up to 20 TB of no-cost outbound bandwidth (egress traffic). Additionally, the network PoPs have more than 2,500 Gbps of transit and peering connectivity to the Internet. When accessing an IBM Cloud server, the network is designed to bring you onto the IBM global backbone quickly at one of the network PoPs. Clients and end users may experience fewer hops and a more direct route that IBM Cloud controls. When a user requests data from an IBM Cloud server, that data travels to the nearest network PoP where it is handed off to another provider to carry the data the remaining distance.

Figure: Global data center locations

04 Move data securely and quickly

Move files and data sets of any type and size reliably and at maximum speed

Ensuring your data is secure and protected during a migration and throughout its lifecycle is a critical priority. IBM Cloud uses the same software technology and expertise as on-premises infrastructure, making the move to cloud more streamlined and secure. Two examples of this technology are IBM Aspera® on Cloud and IBM Cloud VPC.

IBM Aspera on Cloud

When utilizing IBM Aspera on Cloud, enterprises can move files and data sets of any type and size reliably and at maximum speed regardless of network conditions. Aspera on Cloud uses the patented, network-optimized Fast and Secure Protocol (FASP) to move data securely at speeds that often exceed one hundred times those delivered by the Transmission Control Protocol (TCP). Data transfers using FASP are encrypted, securing your data in transit and at rest. This solution is designed for quick, reliable and secure movement of large files and data sets between clouds and on-premises resources.

IBM Cloud Virtual Private Cloud

Build cloud-native three-tier applications on IBM Cloud Virtual Private Cloud (VPC), which offers a protected space in IBM Cloud with the advanced security of a private cloud and the agility and ease of a public cloud. It lets you control virtual networks in logically isolated segments so you can quickly deploy and manage compute, storage and networking resources. IBM Cloud VPC builds on the security capabilities of IBM Cloud and creates more secure environments for application workloads and data through security groups and network access control lists.

To ensure enterprise workloads and cloud-native applications are continuously available, IBM Cloud has multi-zone regions (MZRs) composed of three availability zones each, with added fault tolerance that you gain by building workloads across multiple subnets within a single VPC. In addition, IBM Cloud Virtual Server for VPC is an excellent solution for network-intensive applications, simulations or in-memory caching, with general-purpose profiles that provide up to 80 Gbps of network performance.

Multi-zone regions and availability zones

IBM Cloud offers a constantly expanding global footprint to help ensure you’re meeting your customers where they are. IBM Cloud multizone regions (MZRs) have three or more data centers within six miles of each other. These data centers are located in close proximity to ensure high availability and resiliency, and they offer a full and consistent set of services to support enterprise-class workloads. MZRs include the full IBM Watson® and cloud stack (IaaS, CaaS, PaaS, cognitive and data) and are connected to two PoPs to provide maximum PoP resiliency. High-speed metro-area interconnects give applications less than 2 milliseconds of latency in cross-zone communications. IBM Cloud services such as cloud object storage, containers, APIs and data de-identification (under applicable permissions) are regionally aware and take advantage of this design to ease the burden on the application provider.

Deploy workloads in over 46 data centers across 9 regions and 27 availability zones globally.

Figure: IBM Cloud multi-zone region (MZR), showing connected availability zones and points of presence

05 Our responsibility to you

Cloud providers must be committed to the security and privacy of their clients’ data

Data is the most valuable business asset of our time. It’s the world’s new natural resource, growing exponentially not only in quantity but, more importantly, in form and value. Every action and interaction, every decision and relationship, every event occurring in any of the world’s complex systems is now expressed as data. This profound shift is compelling enterprises to adopt new technologies and business architectures based on cloud, along with new business processes, skills and forms of engagement. In the rush to harness potential business value from data, cloud providers mustn’t lose sight of the basic expectations that individuals, enterprises and communities rightly have regarding security, trust, privacy, jobs, skills and, increasingly, the data they own or that is collected from them.

Data ownership and privacy

IBM believes that the unique insights derived from our clients’ data are their competitive advantage, and we do not share them without clients’ explicit agreement. We employ security practices to help safeguard data, including the use of encryption, access control methodologies and proprietary consent management modules, which allow us to restrict access to authorized users.

We advocate for strong and innovative means to enhance privacy and data protection, and we will continue to invest in privacy-enhancing technologies. We were an early adopter of the European Union (EU) Data Protection Code of Conduct for Cloud Service Providers for several IBM Cloud services and offerings—securing certification under the US-EU Privacy Offerings and the APEC Cross-Border Privacy Rules. IBM was the first cloud provider to deliver hyper data protection and commit to compliance with the EU’s General Data Protection Regulation (GDPR). IBM Cloud is GDPR compliant.

Data flows and access

Protecting the privacy of your data, which is fundamental in our data-driven society, is something that IBM appreciates and is fully committed to. We’ve made significant investments in our cloud data centers around the globe to give clients the flexibility to decide where to store and process their data. We believe these decisions generally should be driven by client choice rather than government mandate.

Data security and trust

IBM Cloud employs security practices and technologies to help safeguard workloads and data. On the IBM Cloud, data is protected while at rest, in transit and in use. We’re poised at the forefront of applying artificial intelligence capabilities to stay steps ahead of emerging digital threats. We do not put “backdoors” in our products for any government agency, nor do we provide source code or encryption keys to any government agency. You are the only party that would own your encryption keys and not even IBM would have access to those keys. IBM Cloud security builds on IBM’s heritage of providing proven in-the-field tested security solutions used by thousands of enterprises worldwide.