| copyright | lastupdated | keywords | subcollection |
|---|---|---|---|
| | 2023-02-16 | security controls, platform security, compliance, penetration testing | overview |
{{site.data.keyword.attribute-definition-list}}
{: #security}
Designed with secure engineering practices, the {{site.data.keyword.cloud}} platform provides layered security controls across network and infrastructure. {{site.data.keyword.cloud_notm}} focuses on protection across the entirety of the compute lifecycle, which includes everything from the build process and key management to the security of data services. {{site.data.keyword.cloud_notm}} also provides a group of security services that can be used by application developers to secure their mobile and web apps. These elements combine to make IBM Cloud a platform with clear choices for secure application development.
{: shortdesc}
In addition to our own diligence in creating and operating a secure cloud, {{site.data.keyword.IBM}} also engages many different firms to assess the security and compliance of our cloud platform. For a detailed list of certifications and attestations, see {{site.data.keyword.cloud_notm}} compliance programs.
{{site.data.keyword.cloud_notm}} ensures security readiness by adhering to security policies that are driven by best practices in {{site.data.keyword.IBM_notm}} for systems, networking, and secure engineering. These policies include practices such as source code scanning, dynamic scanning, threat modeling, and penetration testing. {{site.data.keyword.cloud_notm}} follows the {{site.data.keyword.IBM_notm}} Product Security Incident Response Team (PSIRT) process for security incident management. See the {{site.data.keyword.IBM_notm}} Security Vulnerability Management (PSIRT){: external} site for details.
In addition to the regular penetration testing conducted by {{site.data.keyword.IBM_notm}} and our partners, customers may conduct penetration testing of their VPC or Classic Infrastructure resources on {{site.data.keyword.cloud_notm}}. Prior authorization to do so is not required by {{site.data.keyword.cloud_notm}}. {{site.data.keyword.cloud_notm}} customers under an active NDA can request a copy of a penetration testing executive summary by opening a support case.
For more details about security for your applications and environments in {{site.data.keyword.Bluemix_notm}}, see Security architecture for cloud applications{: external}.