All Research
Executive View
IBM Security and Compliance Center represents a fresh approach toward the very notion of security and compliance in multi-cloud environments. With this product that unifies a full-featured CNAPP platform and a declarative compliance framework developed together with financial industry professionals, IBM aims to deliver a solution that multiple stakeholders within an enterprise can own and operate together, not just improving coverage and efficiency, but establishing it as a single cross-team collaboration place for all security and regulatory issues.

1 Introduction

Modern digital business is simply impossible without the cloud. Just like banks have served as a catalyst for the industrial revolution, cloud service providers (CSP) have become a major enabler for Digital Transformation. Organizations in any industry or geography rely on the cloud to expand their digital initiatives to an unprecedented scale without the need for massive capital expenditure and the burden of managing their own on-premises infrastructures. Cloud services help businesses bring their services to a much broader customer base, improve the efficiency of their processes with analytics and AI, and enable entirely new kinds of cloud-native applications to be developed quickly and efficiently.

The choice of services that modern cloud providers are offering is staggering, and yet most organizations are not content with using just one or even ready to fully commit to a 100% cloud architecture. Most enterprises now have a multi-cloud hybrid strategy for strong operational resiliency, minimizing concentration risk, and containing overall IT security and compliance risks. And yet, governance and compliance across such complex, heterogeneous environments remain a top challenge despite a plethora of various cloud security tools currently available on the market.

To a degree, this can be attributed to the dynamic and often ephemeral nature of cloud resources, which require an entirely new approach to operating security and governance controls at the speed and the scale of modern clouds. Those controls are also usually proprietary and incompatible across CSPs. On the other hand, the responsibility for security and compliance is shared between cloud customers and providers: thus, organizations remain responsible for regulatory compliance for cloud data, even though they no longer have direct control over the underlying infrastructure. With SaaS applications, the degree of customer supervision is even lower.

However, even enterprises fully staffed with security and compliance experts are often failing to keep up with the multi-cloud challenges, to say nothing about smaller organizations lacking the required skills and budgets. This is clearly seen in the growing number of both the number of cyberattacks targeting clouds and the average cost of a single data breach. For most businesses, this poses a major obstacle in their journey towards successful modernization.

One of the reasons for this is simply because various stakeholders within these organizations, such as developers, data scientists, cloud operations, security, or compliance teams, still tend to focus on their own goals and issues without sufficient cross-team collaboration and lack a common organizational and technology framework. This often leads to inefficient spending on a multitude of disparate security tools, constantly struggling to keep up with the quickly changing regulatory landscape, and leaving wide gaps and blind spots in the ever-growing enterprise IT environments.

Nowadays, vendors are often talking about cloud security platforms as integrated solutions offering the entire range of security and compliance controls. While this is definitely a welcome development compared to the existing “alphabet soup” of specialized security acronyms, it is important to understand that just packaging those tools together does not make them operate in accord, providing a single pane of glass across all existing IT environments.

To be able to achieve that, a platform must have a much more abstract and extensible framework that defines processes, workflows, policies, and guidelines. Only this approach can ensure that all stakeholders speak the same basic language in their cross-team communication and thus benefit from shared risk models, compliance policies, and security analytics that do not leave any gaps in coverage. At the same time, this foundation must be both universal to support any kind of customer and tailored specifically to requirements and regulations of certain industry verticals.

With a lot of high-level abstraction of such a framework, it also must be able to translate unified declarative policies into technical specifics of various native controls across multiple cloud service stacks – dynamically, automatically, and at scale. This is only possible with a high degree of automation and orchestration that extends to a broad range of third-party applications and APIs, and not just for security controls like existing SOAR (Security Orchestration, Automation and Response) solutions, but for compliance as well.

In a sense, this is how, according to many industry experts, compliance is supposed to be done right. Not as a yearly checklist to satisfy an auditor, but as a continuous process that normalizes multi-cloud controls and policies to unite security, risk management and compliance through intelligent automation and industry best practices. But do such solutions even exist?

Full article is available for registered users with free trial access or paid subscription.
Log in
Register and read on!
Create an account and buy Professional package, to access this and 600+ other in-depth and up-to-date insights
Register your account to start 30 days of free trial access
Get premium access
Choose a package

Stay up to date

Subscribe for a newsletter to receive updates on newest events, insights and research.
I have read and agree to the Privacy Policy
I have read and agree to the Terms of Use