IBM Cloud Docs
Security and compliance

Security and compliance

Protection against unauthorized access

IBM Cloud® Databases for Redis use the following methods to protect data in transit or in storage.

  • All Databases for Redis connections use TLS/SSL encryption for data in transit. The current supported version of this encryption is TLS 1.2.
  • Access to the Account, Management Console UI, and API is secured via Identity and Access Management (IAM).
  • Access to the database is secured through the standard access controls provided by the database. These access controls are configured to require valid database-level credentials that are obtainable only through prior access to the database or through our Management Console UI or API.
  • All Databases for Redis storage is provided on storage encrypted with LUKS using AES-256. The default keys are managed by Key Protect. Bring-your-own-key (BYOK) for encryption is also available through Key Protect Integration.
  • Context-based restrictions - Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for their resources based on the context of access requests.
  • Isolated Compute - Isolated Compute is a secure single-tenant offering for complex, highly-performant enterprise workloads. By placing your deployment and all associated user-data management agents on an isolated machine, Cloud Databases Isolated Compute provides dedicated computing resources, dedicated storage bandwidth, and hypervisor-level isolation.
  • Public and Private Networking - Databases for Redis is integrated with Service Endpoints. You can select whether to use connections over the public network, the IBM Cloud internal network, or both.
  • Dedicated Cores - Allocating dedicated cores to your deployment introduces hypervisor-level isolation to your database instance, using isolated virtual machines to ensure your data processing remains separated from other customers. It also provides a guaranteed minimum number of CPUs to your deployment. Deployments with dedicated cores in the same Resource Group and IBM Cloud Region may share a virtual machine.
  • IP allowlisting (deprecated) - All deployments support allowlisting IP addresses to restrict access to the service.

Data resilience

  • Backups for your deployment are included, unless you configure Redis as a cache. The Databases for Redis backups reside in IBM Cloud Object Storage and are also encrypted.
  • All Databases for Redis deployments are configured with replication to provide both data resilience and high-availability. Deployments contain a cluster with two data members in a primary/replica configuration and state is managed with a quorum of three Redis sentinels.
  • If you deploy to an IBM Cloud Single-Zone Region (SZR), each database node resides on a different host in the data center.
  • If you deploy to an IBM Cloud Multi-Zone Region (MZR), the nodes are spread over the region's availability zone locations.

Compliance certifications

SOC 2 Type 2 certification

IBM provides a Service Organization Controls (SOC) 2 Type 2 report for Databases for Redis. The reports evaluate IBM's operational controls according to the criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for service providers such as IBM Cloud to safeguard their customers' data and information.

You can request an SOC 2 Type 2 report from the customer portal or contact your sales representative. Alternatively, you can open a support ticket with IBM Cloud support

ISO 27017, ISO 27018

Databases for Redis conforms to the guidelines for information security controls applicable to the provision and use of cloud services that are defined in ISO 27017 and ISO 27018.

General Data Protection Regulation (GDPR)

If you have an account with IBM Cloud, your personal data is held by IBM Cloud. The IBM Data Processing Addendum (DPA) applies to the processing of client's personal data by IBM on behalf of client in order to provide IBM standard services.
IBM DPA

Databases for Redis processes limited client Personal Information (PI) in the course of running the service and optimizing the user experience.

Databases for Redis provides a Data Sheet Addendum (DSA) with its policies as a Data Processor regarding content and data protection.

HIPAA

Databases for Redis meets the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164. HIPAA must be requested at the time of provisioning and requires a representative to sign a Business Associate Addendum (BAA) agreement with IBM.

PCI DSS

Databases for Redis are compliant with the Payment Card Industry Data Security Standard (PCI DSS). IBM Cloud completes annual PCI DSS assessments by using an approved Qualified Security Assessor (QSA), and the resulting Attestations of Compliance (AOCs) and Service Responsibility Matrix (SRM) guides are available upon customer request. Auditors reviewed Databases for Redis for compliance under PCI DSS version 3.2.1 at Service Provider Level 1.

Customers are responsible for the storing, processing, and transmission of their cardholder data, and can create cardholder data environments (CDEs) that can store, transmit, or process cardholder data by using Databases for Redis. Customers can request and use the IBM Cloud AOCs and SRM guides when they seek their own PCI DSS certifications. It is the responsibility of the customer to document and operate CDEs and applications that are built by using IBM Cloud Platform services in a PCI DSS-compliant manner.

It is the customer’s responsibility to familiarize themselves with these processes and to manage data retention and removal from the service according to the customer’s policies.

A full list of PCI DSS-ready IBM Cloud Platform services, and options to request a PCI DSS AOC and SRM guide, can be found at the IBM Cloud compliance page.

Terms