| copyright |
|
||
|---|---|---|---|
| lastupdated | 2021-05-06 | ||
| keywords | security controls, platform security, compliance, penetration testing | ||
| subcollection | overview |
{:external: target="_blank" .external} {:shortdesc: .shortdesc} {:screen: .screen} {:codeblock: .codeblock} {:pre: .pre} {:tip: .tip} {:note: .note} {:important: .important}
{: #security}
Designed with secure engineering practices, the {{site.data.keyword.cloud}} platform provides layered security controls across network and infrastructure. {{site.data.keyword.cloud_notm}} focuses on protection across the entirety of the compute lifecycle, which includes everything from the build process and key management to the security of data services. {{site.data.keyword.cloud_notm}} also provides a group of security services that can be used by application developers to secure their mobile and web apps. These elements combine to make IBM Cloud a platform with clear choices for secure application development. {: shortdesc}
In addition to our own diligence in creating and operating a secure cloud, {{site.data.keyword.IBM}} also engages many different firms to assess the security and compliance of our cloud platform. For more information, see {{site.data.keyword.cloud_notm}} compliance programs for a detailed list of certifications and attestations.
{{site.data.keyword.cloud_notm}} ensures security readiness by adhering to security policies that are driven by best practices in {{site.data.keyword.IBM_notm}} for systems, networking, and secure engineering. These policies include practices such as source code scanning, dynamic scanning, threat modeling, and penetration testing. {{site.data.keyword.cloud_notm}} follows the {{site.data.keyword.IBM_notm}} Product Security Incident Response Team (PSIRT) process for security incident management. See the {{site.data.keyword.IBM_notm}} Security Vulnerability Management (PSIRT){: external} site for details.
In addition to the regular penetration testing conducted by {{site.data.keyword.IBM_notm}} and our partners, customers can conduct their own penetration testing of their resources on {{site.data.keyword.cloud_notm}}. No permission is necessary from {{site.data.keyword.cloud_notm}} for penetration testing of IP addresses allocated to your classic infrastructure account that is set up on classic virtual or bare metal servers. {{site.data.keyword.cloud_notm}} customers under an active NDA can request a copy of a penetration testing report by opening a support case.
For more details about security for your applications and environments in {{site.data.keyword.Bluemix_notm}}, see Security architecture for cloud applications{: external}.