Public Cloud Global

Zero-trust security model in IBM cloud

By Michel Roukos posted Sun January 10, 2021 06:44 PM


Zero-trust assumes that security breaches will happen at every layer of a deployment: Internet, identity and access management, network, and encryption, to name a few. Cloud applications today also rely on containers, and the underlying infrastructure spans multi-cloud and hybrid-cloud environments. So how will cloud clients manage and monitor the security controls and potential vulnerabilities?

IBM Cloud, at its core, combines an open cloud with a secure cloud. IBM offers an open cloud primarily through its acquisition of Red Hat and the prevailing OpenShift offering. IBM is also a key contributor to open-source projects such as Istio (to connect, secure, control and observe microservices at scale) and Razee (to enable multi-cluster continuous delivery for Kubernetes).

On the security side, IBM applies Security and Privacy by Design (SPbD@IBM) when developing products; more on this methodology is available online. IBM Cloud is no exception. We take security and privacy to heart. With that said, the shared responsibility matrix is a RACI showing where clients and the cloud provider share responsibility for the cloud. Clients have their share of the responsibility, and the good news is that tools to secure the cloud are available. So let's talk more about the zero-trust model in the cloud.

Zero-trust is a security approach that applies a sceptical mindset to every layer of the cloud deployment. Peeling the layers one after the other, the client bootstraps security with defence in depth. How do we do that? We start from the outermost layer and work inwards.

  1. Identity and access management: account management (including application service IDs), roles and policies. In addition to MFA (multi-factor authentication), IBM Cloud provides API keys to authenticate users and service IDs against an API or the CLI.
  2. Network security: VPCs, vSRX firewalls, security groups, and other components (gateways, proxies, ...) to control the network flows entering and leaving the cloud perimeter.
  3. Encryption: clients should use Hyper Protect Crypto Services (HPCS) for key management, which implements Keep Your Own Key (KYOK) on LinuxONE hardware certified to FIPS 140-2 Level 4. Once a client uses HPCS, even IBM Cloud administrators cannot access the keys that encrypt and decrypt the data. No cloud vendor provides this level of guarantee. The key used for all cryptographic operations such as TLS handshakes cannot be compromised, and therefore IBM virtually eliminates man-in-the-middle and impersonation attacks.
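As an added example (not part of the original post, and not an IBM-published artefact), the following Terraform fragment for the IBM Cloud provider wires the three layers listed above together: account-wide TOTP MFA and a least-privilege service ID with its own API key (layer 1), a default-deny VPC security group that admits only HTTPS from a trusted source range (layer 2), and a root key inside an HPCS instance so that data encryption keys are wrapped under a KYOK key that never leaves the HSM (layer 3). All resource names, the HPCS instance GUID and the CIDR are placeholders; the fragment assumes an existing HPCS instance whose master key has already been initialised, and attribute names should be checked against the IBM Cloud provider documentation for the provider version in use.

```hcl
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

provider "ibm" {
  region = var.region
}

variable "region" {
  default = "us-south"
}

# Assumed inputs (placeholders, not values from the article): the GUID of an
# existing HPCS instance whose master key has already been initialised, and
# the CIDR of the client's trusted egress range.
variable "hpcs_instance_guid" {
  description = "GUID of an HPCS instance with an initialised master key"
}

variable "corporate_cidr" {
  description = "Trusted source range for HTTPS ingress"
  default     = "203.0.113.0/24" # RFC 5737 documentation range
}

# --- Layer 1: identity and access management ------------------------------

# Require TOTP MFA for every user in the account.
resource "ibm_iam_account_settings" "mfa" {
  mfa = "TOTP"
}

# The workload authenticates as a service ID rather than a personal user.
resource "ibm_iam_service_id" "app" {
  name        = "example-app-svc"
  description = "Hypothetical application identity"
}

# Least privilege: Reader on one HPCS instance only. Reader can wrap/unwrap
# with root keys but cannot create, rotate or delete them.
resource "ibm_iam_service_policy" "app_kms" {
  iam_service_id = ibm_iam_service_id.app.id
  roles          = ["Reader"]

  resources {
    service              = "hs-crypto"
    resource_instance_id = var.hpcs_instance_guid
  }
}

# API key bound to the service ID; this is the credential the workload uses.
resource "ibm_iam_service_api_key" "app" {
  name           = "example-app-key"
  iam_service_id = ibm_iam_service_id.app.iam_id
}

# --- Layer 2: network security ---------------------------------------------

resource "ibm_is_vpc" "app" {
  name = "example-app-vpc"
}

# A new security group has no rules, so everything is denied until added.
resource "ibm_is_security_group" "web" {
  name = "example-web-sg"
  vpc  = ibm_is_vpc.app.id
}

# Ingress: HTTPS only, and only from the trusted corporate range.
resource "ibm_is_security_group_rule" "https_in" {
  group     = ibm_is_security_group.web.id
  direction = "inbound"
  remote    = var.corporate_cidr
  tcp {
    port_min = 443
    port_max = 443
  }
}

# Egress: HTTPS only (needed to reach the IAM and HPCS endpoints).
resource "ibm_is_security_group_rule" "https_out" {
  group     = ibm_is_security_group.web.id
  direction = "outbound"
  remote    = "0.0.0.0/0"
  tcp {
    port_min = 443
    port_max = 443
  }
}

# --- Layer 3: encryption (KYOK root key in HPCS) ----------------------------

# Root key held in the HSM; data services wrap their DEKs with it and the
# key material is never exported to the provider or to the client.
resource "ibm_kms_key" "root" {
  instance_id  = var.hpcs_instance_guid
  key_name     = "example-root-key"
  standard_key = false # false = root (wrapping) key, not an exportable standard key
  force_delete = false
}
```

The point of the fragment is the shape of the controls, not the exact values: the service ID is scoped to a single KMS instance and a single role, the security group starts from deny-all and opens exactly one port in each direction, and the root key lives in the KYOK-backed instance so that compromising a workload credential yields wrapped DEKs rather than key material.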

IBM Cloud clients can combine the above controls and layers to augment and tighten security. A ready-made example is presented in the IBM Cloud portal as the VMware regulated workload solution. Its security reference architecture combines features such as security isolation and separation, access restrictions, security and network policies, key management using KYOK, continuous compliance, and backup/DR.