Achieving continuous compliance as an enterprise
With continuous security and compliance at the core of IBM Cloud®'s platform, you can find compliant-by-default infrastructure for hosting your regulated workloads in the cloud. From deployable architectures for secure infrastructure and DevSecOps pipelines to continuous validation through IBM Cloud Security and Compliance Center Workload Protection, you can be sure that your organization is secure and compliant through every stage of development.
Reviewing available policies
As a regulated business, there are specific standards that apply to your industry and that you need to prove compliance with. In Workload Protection, you can view the pre-defined policies that are offered by IBM® and that can meet your requirements. For example, if you are a financial institution, you might want to use the IBM Cloud for Financial Services library. If you don't see the set of policies that you are looking for, you can always create a custom policy.
During your investigation phase, you might also want to review the available infrastructure deployable architectures in the catalog. IBM Cloud has created automation for the deployment of common architectural patterns that combine one or more cloud resources and that are designed for easy scalability and modularity. The catalog detail pages list the components of each architecture and the level of compliance that it meets, and you can customize these architectures to meet your exact needs.
Deploying your infrastructure and applications
Now that you've evaluated what is available to you on IBM Cloud and you know what needs to be customized or what can be used as is, it's time to start working! The engineers on your teams can start by getting your infrastructure and application workloads ready to deploy.
Your team can use projects to help organize your enterprise deployments and ensure that commit checks, vulnerability scans, and cost estimations are completed as deployable architectures are configured. Within the context of a project, you can easily deploy infrastructure resources from approved, compliant IBM Cloud or private catalog offerings by using a deployable architecture. By using a predefined deployable architecture, you can be sure that you are meeting the compliance standards that the architecture is associated with. Or, you can onboard your own and specify the policies within Workload Protection that your architecture is compliant with.
Before you deploy an architecture, a validation check is run on your configuration for both compliance and risk so that you can address any issues that are found. You can view the logs through the IBM Cloud® Schematics service to determine which resources are affected and consider whether to fix or override the flagged issue and move on.
After your infrastructure is deployed and your DevSecOps toolchains are configured, you're ready to deploy your app by using the DevSecOps continuous integration and continuous deployment pipelines. These pipelines help your enterprise to shift left: they reduce the possibility of human error or the introduction of new vulnerabilities before code ever reaches production, which helps mitigate major security and financial risks.
Staying compliant
After you deploy resources that you know are compliant, you can ensure that you remain compliant in two ways. First, validate your resource configurations with Workload Protection. Workload Protection scans the configurations of the resources in your zones once daily to ensure that there hasn't been a drift in compliance. For more information, go to Analyzing compliance postures from detection to remediation.
Second, ensure that you deploy your code by using DevSecOps pipelines. When you use the continuous compliance toolchain, scans are re-executed against your current production code artifacts. This continuous scanning helps to ensure that any code that is deployed into production is checked for the latest known vulnerabilities, allowing for regular revalidation of deployed code and remediation of any new issues that are discovered since the last scan.
Staying compliant and audit-ready is of the utmost importance. Workload Protection allows you to define the controls you need to meet by using pre-defined or custom policies. As evaluations are completed, the results are displayed in a dashboard so you can get an overarching view of your current compliance posture against the policies that are important for your use case and download compliance reports.