IBM Cloud Security & Compliance
Secure IBM Cloud with SCC, Key Protect, Hyper Protect, Secrets Manager, Activity Tracker, and Financial Services Cloud framework.
Prerequisites
- Understanding of cloud security and compliance concepts
- IBM Cloud account with security service permissions
IBM Cloud Security and Compliance
IBM Cloud targets regulated industries, and its security and compliance tooling reflects that. The IBM Cloud for Financial Services reference architecture, the Hyper Protect confidential computing services, and the Security and Compliance Center (SCC) give enterprises the tools to meet requirements such as SOC 2, PCI DSS, HIPAA, GDPR, FedRAMP, and industry-specific frameworks.
IBM's security philosophy is based on defense in depth, applying security controls at every layer: identity (IAM, MFA, federation), network (VPC, security groups, context-based restrictions), data (encryption at rest and in transit, Key Protect, HPCS), application (container scanning, code signing), and operations (Activity Tracker, SCC, SIEM integration). This guide covers the key security services and best practices for building a secure IBM Cloud environment.
Security and Compliance Center (SCC)
IBM Cloud Security and Compliance Center continuously evaluates your IBM Cloud configuration against compliance profiles and security best practices. SCC scans your resources, identifies compliance violations, and provides remediation guidance. Unlike manual compliance audits that happen quarterly or annually, SCC provides continuous compliance monitoring with configurable scan schedules.
Compliance Profiles
SCC includes predefined profiles for common compliance frameworks:
- IBM Cloud for Financial Services: 300+ controls designed for regulated financial institutions, covering data protection, access management, network security, and operational resilience.
- CIS IBM Cloud Foundations Benchmark: Center for Internet Security benchmark with security configuration guidelines for IBM Cloud services.
- SOC 2: Controls mapped to the AICPA SOC 2 Trust Services Criteria.
- PCI DSS: Payment Card Industry Data Security Standard controls.
- NIST 800-53: US government security and privacy controls.
# List available profiles
ibmcloud scc profile list
# Create a custom profile based on FS Cloud
ibmcloud scc profile create \
--profile-name "prod-fs-cloud" \
--profile-description "Production Financial Services profile" \
--base-profile "IBM Cloud for Financial Services v1.6.0"
# Create an attachment to scan resources
ibmcloud scc attachment create \
--profile-id <profile-id> \
--name "prod-scan" \
--scope-type "account" \
--schedule "every_30_days"
# View scan results
ibmcloud scc scan list
Key Protect
IBM Key Protect is a managed key management service (KMS) that enables you to create, import, and manage encryption keys for IBM Cloud services. Key Protect uses FIPS 140-2 Level 3 certified hardware security modules (HSMs) to protect your keys, providing a balance between security and operational simplicity.
# Create a Key Protect instance
ibmcloud resource service-instance-create my-kp \
kms tiered-pricing us-south
# Create a root key
ibmcloud kp key create my-root-key \
--instance-id <kp-instance-id>
# List keys
ibmcloud kp keys --instance-id <kp-instance-id>
# Set an automatic rotation policy (the interval is in months, 1 to 12; 3 is roughly every 90 days)
ibmcloud kp key policy-update rotation <key-id> \
--instance-id <kp-instance-id> \
--interval 3
Key Protect vs Hyper Protect Crypto Services
Key Protect stores keys in shared, multi-tenant HSMs (FIPS 140-2 Level 3) and supports Bring Your Own Key (BYOK): you can import your own root key material, but IBM operates the HSMs. Hyper Protect Crypto Services (HPCS) provides a dedicated, single-tenant HSM (FIPS 140-2 Level 4) with Keep Your Own Key (KYOK), where you load the HSM master key yourself and IBM has no access to it. Use HPCS when your compliance requirements mandate exclusive control over the HSM, as in banking and government applications. Key Protect is suitable for most other regulated workloads.
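A rotation policy is only useful if every root key actually has one and rotation is actually happening. The audit below is an added example, not code from this page or from IBM: it consumes the kind of records that `ibmcloud kp keys --output json` and `ibmcloud kp key policies <key-id> --output json` return, flags root keys with no rotation policy and root keys whose last rotation is older than their interval, and skips standard (extractable) keys, which rotation policies do not cover. The key and policy records are constructed sample data, and the field names relied on (id, extractable, creationDate, lastRotateDate, and the policy interval in months) should be confirmed against your own CLI output.

```python
"""Audit Key Protect root keys for missing or overdue rotation.

Added example, not code from the page or from IBM. The sample records are
constructed; check the field names against real `ibmcloud kp` JSON output.
"""
from datetime import datetime, timedelta, timezone

# Key Protect rotation policies are expressed in months (1-12). A month is
# approximated as 30 days so the check errs on the side of flagging early.
DAYS_PER_MONTH = 30

# Constructed sample: trimmed key list. extractable=False marks a root key;
# extractable=True is a standard key, which rotation policies do not apply to.
SAMPLE_KEYS = [
    {"id": "k1", "name": "prod-root", "extractable": False,
     "creationDate": "2023-01-15T10:00:00Z", "lastRotateDate": "2024-01-10T10:00:00Z"},
    {"id": "k2", "name": "legacy-root", "extractable": False,
     "creationDate": "2022-06-01T10:00:00Z", "lastRotateDate": None},
    {"id": "k3", "name": "app-standard-key", "extractable": True,
     "creationDate": "2024-03-01T10:00:00Z", "lastRotateDate": None},
]

# Constructed sample: rotation interval in months per key id; None = no policy.
SAMPLE_POLICIES = {"k1": 3, "k2": None, "k3": None}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps Key Protect emits into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys, policies, now, default_months=3):
    """Return {key_id: [findings]} for root keys that lack a rotation policy
    or whose last rotation is older than the policy interval.

    default_months is the interval assumed for keys with no policy, so a
    never-rotated key is reported as overdue rather than silently skipped.
    """
    findings = {}
    for key in keys:
        if key["extractable"]:
            continue  # standard key: wrapped by a root key, not itself rotated
        reasons = []
        interval = policies.get(key["id"])
        if interval is None:
            reasons.append("no_rotation_policy")
            interval = default_months
        # A key that has never been rotated is measured from its creation date.
        last = parse_ts(key["lastRotateDate"] or key["creationDate"])
        due = last + timedelta(days=interval * DAYS_PER_MONTH)
        if now > due:
            reasons.append("rotation_overdue")
        if reasons:
            findings[key["id"]] = reasons
    return findings


if __name__ == "__main__":
    report = audit_keys(SAMPLE_KEYS, SAMPLE_POLICIES, now=parse_ts("2024-06-01T00:00:00Z"))
    for key_id, reasons in report.items():
        print(f"{key_id}: {', '.join(reasons)}")
```

On the sample data the check reports prod-root as overdue (its policy is set but the last rotation is older than three months, which is worth investigating) and legacy-root as both unpoliced and overdue; the standard key is ignored. Feed it the real key list by piping the CLI JSON into `audit_keys` and run it from a scheduled job alongside the SCC scan.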
Hyper Protect Services
IBM Hyper Protect services use IBM LinuxONE hardware with secure enclaves to provide confidential computing: data is processed while it remains encrypted in memory, so not even IBM operators can access it. The Hyper Protect family includes:
- Hyper Protect Crypto Services (HPCS): Dedicated FIPS 140-2 Level 4 HSM with Keep Your Own Key. You initialize the HSM with your own master key and IBM never has access to your key material.
- Hyper Protect Virtual Servers: Deploy workloads in secure enclaves on LinuxONE hardware where the entire server memory is encrypted and inaccessible to administrators, cloud operators, and even IBM.
- Hyper Protect DBaaS: Fully managed PostgreSQL and MongoDB databases running in secure enclaves with data encrypted at all times — at rest, in transit, and in use.
Secrets Manager
IBM Cloud Secrets Manager provides centralized storage and lifecycle management for application secrets including API keys, database credentials, TLS certificates, and arbitrary key-value secrets. Secrets Manager integrates with Key Protect or HPCS for envelope encryption and provides automatic secret rotation.
# Create a Secrets Manager instance
ibmcloud resource service-instance-create my-sm \
secrets-manager standard us-south
# Create a secret group
ibmcloud secrets-manager secret-group-create \
--name "production" \
--description "Production secrets"
# Create an arbitrary secret
ibmcloud secrets-manager secret-create \
--secret-type arbitrary \
--name "db-password" \
--payload "super-secure-password" \
--secret-group-id <group-id>
# Create an IAM credentials secret (auto-rotating API key)
ibmcloud secrets-manager secret-create \
--secret-type iam_credentials \
--name "app-api-key" \
--service-id <service-id> \
--ttl "24h" \
--reuse-api-key false
Activity Tracker
IBM Cloud Activity Tracker records management-plane events across your IBM Cloud account, and data-plane events for the services that support them. Every management API call is logged with the caller identity, timestamp, action performed, target resource, and outcome. Data events (reads and writes of the data itself) are recorded only where a service supports them and, for some services such as Cloud Object Storage buckets, must be switched on explicitly. Activity Tracker is essential for security incident investigation, compliance auditing, and operational troubleshooting.
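Archiving events is only half the value; something has to read them. The script below is an added example, not code from this page or from IBM. It runs three detections over Activity Tracker events: a sensitive action (API key creation, IAM policy changes, CBR rule deletion, root key deletion) initiated from outside a trusted network, any successful root key deletion, and an initiator that fails the same call repeatedly. The events are constructed to resemble Activity Tracker's CADF-style JSON (action, initiator, target, outcome, eventTime); the action names follow the service.object.verb convention the IBM docs use, but the exact names for your services should be confirmed against each service's Activity Tracker events reference. The trusted CIDR, the sensitive-action list and the failure threshold are assumptions for the example.

```python
"""Run a few detections over IBM Cloud Activity Tracker events.

Added example, not code from the page or from IBM. Events, action names,
trusted CIDRs and rule thresholds are constructed assumptions.
"""
import ipaddress
import json
from collections import Counter

# Actions that change who can do what, or destroy key material. Assumed list;
# confirm names against each service's Activity Tracker events reference.
SENSITIVE_ACTIONS = {
    "iam-identity.apikey.create",
    "iam-am.policy.create",
    "iam-am.policy.update",
    "iam-am.policy.delete",
    "context-based-restrictions.rule.delete",
    "kms.secrets.delete",
}

# Constructed sample: one JSON event per line, as they would be read from a
# COS archive or a streaming target.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-05-01T12:00:00Z","action":"iam-identity.apikey.create","outcome":"success","initiator":{"id":"IBMid-1","name":"alice@example.com","host":{"address":"203.0.113.10"}},"target":{"name":"ci-key"}}
{"eventTime":"2024-05-01T12:05:00Z","action":"iam-am.policy.update","outcome":"success","initiator":{"id":"IBMid-2","name":"bob@example.com","host":{"address":"198.51.100.7"}},"target":{"name":"policy-42"}}
{"eventTime":"2024-05-01T12:10:00Z","action":"kms.secrets.delete","outcome":"success","initiator":{"id":"iam-ServiceId-9","name":"deploy-svc","host":{"address":"203.0.113.20"}},"target":{"name":"prod-root"}}
{"eventTime":"2024-05-01T12:11:00Z","action":"kms.secrets.unwrap","outcome":"failure","initiator":{"id":"IBMid-3","name":"eve@example.com","host":{"address":"198.51.100.9"}},"target":{"name":"prod-root"}}
{"eventTime":"2024-05-01T12:11:05Z","action":"kms.secrets.unwrap","outcome":"failure","initiator":{"id":"IBMid-3","name":"eve@example.com","host":{"address":"198.51.100.9"}},"target":{"name":"prod-root"}}
{"eventTime":"2024-05-01T12:11:09Z","action":"kms.secrets.unwrap","outcome":"failure","initiator":{"id":"IBMid-3","name":"eve@example.com","host":{"address":"198.51.100.9"}},"target":{"name":"prod-root"}}
""".strip().splitlines()]


def source_ip(event):
    """Caller address as Activity Tracker reports it under initiator.host.address."""
    return event.get("initiator", {}).get("host", {}).get("address")


def detect(events, trusted_cidrs, failure_threshold=3):
    """Return a list of alert dicts for the three rules described above."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    failures = Counter()
    for ev in events:
        who = ev["initiator"]["name"]
        ip = source_ip(ev)
        in_trusted = ip is not None and any(ipaddress.ip_address(ip) in net for net in trusted)
        # Rule 1: privilege- or key-affecting action from an unexpected network
        if ev["action"] in SENSITIVE_ACTIONS and not in_trusted:
            alerts.append({"rule": "sensitive_action_from_untrusted_network",
                           "initiator": who, "action": ev["action"], "ip": ip})
        # Rule 2: a root key was actually deleted, wherever it came from
        if ev["action"] == "kms.secrets.delete" and ev["outcome"] == "success":
            alerts.append({"rule": "root_key_deleted", "initiator": who,
                           "action": ev["action"], "target": ev["target"]["name"]})
        # Rule 3: tally failures per (caller, action) for a burst check
        if ev["outcome"] == "failure":
            failures[(who, ev["action"])] += 1
    for (who, action), n in failures.items():
        if n >= failure_threshold:
            alerts.append({"rule": "repeated_failures", "initiator": who,
                           "action": action, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, ["203.0.113.0/24"]):
        print(json.dumps(alert))
```

On the sample, alice's API key creation from the corporate range is silent, bob's policy update from an unknown address and the deletion of prod-root each raise an alert, and eve's three failed unwrap calls trip the burst rule. A successful root key deletion is the kind of event worth paging on; Key Protect's dual-authorization deletion policy makes it require two approvals, which also gives the detection a second event to correlate with.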
# Create a COS target first; the route below needs its ID
ibmcloud atracker target create \
--name "cos-audit-target" \
--type cloud-object-storage \
--target-crn <cos-crn> \
--bucket audit-events \
--service-to-service-enabled true
# Route events from us-south and from global services to that target
ibmcloud atracker route create \
--name "all-events-to-cos" \
--rules '[{"target_ids": ["<cos-target-id>"], "locations": ["us-south", "global"]}]'
Protect the audit bucket itself: keep it in a separate account or at least under a retention (Immutable Object Storage) policy and restrictive IAM, so that an attacker who gains administrative access cannot simply delete the trail.
Network Security
Context-Based Restrictions (CBR)
Context-based restrictions add network-level access control on top of IAM policies. CBR rules restrict API access to services based on the originating network context, ensuring that even valid credentials cannot access sensitive services from unauthorized locations.
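The interaction between IAM and CBR is easiest to see as a decision table. The model below is an added example, not IBM code and not IBM's real policy engine; it reproduces the behaviour the CBR documentation describes: a network zone is a set of CIDRs, a rule binds one or more zones to a target service, and a rule is either enforced (enabled), only logged to Activity Tracker (report), or ignored (disabled). A service with no rule is reachable from anywhere IAM allows; a service with a rule is reachable only from a zone the rule names. The zone, the two rules and the requests are constructed.

```python
"""Model of how a context-based restriction combines with an IAM decision.

Added example, not IBM code and not IBM's policy engine. Zones, rules and
requests are constructed to illustrate the documented semantics.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    cidrs: tuple  # e.g. ("203.0.113.0/24",)


@dataclass(frozen=True)
class Rule:
    service: str      # service the rule protects, e.g. "kms" for Key Protect
    zones: tuple      # zone names whose members may reach the service
    enforcement: str  # "enabled" | "report" | "disabled"


# Constructed sample: one corporate zone; Key Protect is enforced, Secrets
# Manager is still in report mode while the rule is being validated.
ZONES = {"corp": Zone("corp", ("203.0.113.0/24", "2001:db8::/32"))}
RULES = [
    Rule("kms", ("corp",), "enabled"),
    Rule("secrets-manager", ("corp",), "report"),
]


def in_zone(ip, zone):
    """True if ip falls in any CIDR of the zone (IPv4/IPv6 mismatches are False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in zone.cidrs)


def evaluate(iam_allowed, service, source_ip, rules=RULES, zones=ZONES):
    """Return (decision, reason).

    IAM is checked first. Then, if any enabled or report-mode rule targets the
    service, the request must originate in one of that rule's zones. Disabled
    rules are ignored. A matching zone allows; no match is denied only when an
    enabled rule exists, otherwise it is allowed and would be logged.
    """
    if not iam_allowed:
        return ("deny", "iam")
    applicable = [r for r in rules if r.service == service and r.enforcement != "disabled"]
    if not applicable:
        return ("allow", "no_cbr_rule")
    for rule in applicable:
        if any(in_zone(source_ip, zones[z]) for z in rule.zones):
            return ("allow", "cbr_match")
    if any(r.enforcement == "enabled" for r in applicable):
        return ("deny", "cbr")
    return ("allow", "cbr_report_only")  # report mode: logged, not blocked


if __name__ == "__main__":
    for iam, svc, ip in [(True, "kms", "203.0.113.5"), (True, "kms", "198.51.100.1"),
                         (False, "kms", "203.0.113.5"), (True, "secrets-manager", "198.51.100.1"),
                         (True, "cloud-object-storage", "198.51.100.1")]:
        print(iam, svc, ip, "->", evaluate(iam, svc, ip))
```

The second request is the one the paragraph above is about: the credentials are valid and IAM says yes, but the call to Key Protect comes from outside the corporate zone, so it is denied. Roll rules out in report mode first and watch the Activity Tracker entries it produces before switching to enabled; a rule that is too narrow will lock out your own automation.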
Virtual Private Endpoints (VPE)
VPE gateways ensure that traffic between your VPC and IBM Cloud services stays on the IBM private network, never traversing the public internet. Enable VPE for all security-sensitive services including Key Protect, Secrets Manager, and databases.
Container Security
For Kubernetes and OpenShift workloads, IBM Cloud provides multiple security controls:
- Container Registry Vulnerability Advisor: Automatic scanning of container images for known CVEs and CIS benchmark violations.
- Image Signing: Sign images in IBM Cloud Container Registry with Docker Content Trust (Notary) and enforce that only signed, trusted images are admitted to the cluster with the Portieris admission controller.
- Pod Security Admission: Enforce pod security standards at the namespace level.
- Network Policies: Micro-segmentation of pod traffic using Calico network policies.
- Secrets Management: Integration with IBM Secrets Manager for secure credential injection.
IBM Cloud for Financial Services
IBM Cloud for Financial Services is a reference architecture and compliance framework designed specifically for banks, insurance companies, and financial technology firms. It provides a validated set of IBM Cloud services, configurations, and controls that meet the requirements of financial regulators worldwide.
Key components include:
- Pre-validated reference architectures for common banking workloads.
- 300+ compliance controls mapped to financial regulations.
- Continuous compliance monitoring through SCC with the FS Cloud profile.
- A partner ecosystem of validated third-party applications.
- Dedicated support from IBM Financial Services Cloud team.
Shared Responsibility
IBM Cloud security follows a shared responsibility model. IBM is responsible for the security of the cloud (physical infrastructure, hypervisor, managed control planes), while you are responsible for security in the cloud (IAM configuration, encryption key management, network security rules, application security, and data classification). Understanding this boundary is essential for compliance.
Security Best Practices Summary
- Enable MFA for all users and enforce it at the account level.
- Use access groups for all access management; follow least privilege.
- Encrypt all data at rest with customer-managed keys (Key Protect or HPCS).
- Route Activity Tracker events for the whole account, turn on data events for the services that support them, and archive to a protected COS bucket.
- Use SCC with an appropriate compliance profile for continuous monitoring.
- Implement context-based restrictions for sensitive services.
- Access all services through private endpoints (VPE) from VPCs.
- Rotate API keys and secrets regularly using Secrets Manager.
- Scan container images for vulnerabilities before deployment.
- Use Hyper Protect services for the most sensitive workloads.
- Regularly review and audit IAM policies and access patterns.
- Implement network segmentation with VPC security groups and network ACLs.
Key Takeaways
- SCC provides continuous compliance monitoring against predefined profiles including FS Cloud and CIS benchmarks.
- Key Protect (FIPS 140-2 Level 3) suits most regulated workloads; HPCS (Level 4) provides dedicated HSMs with KYOK.
- Hyper Protect services offer confidential computing where data is encrypted even in memory during processing.
- Activity Tracker logs all API calls across the account for security investigation and compliance auditing.
Frequently Asked Questions
What is IBM Cloud for Financial Services?
What is the difference between Key Protect and HPCS?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.