IBM cloud security

IBM Cloud’s Not-So-Secret Security Advantage

I was listening to a brief on IBM Cloud this week and thinking back to when I led security for marketing while I worked there. I’d also been an internal auditor for the company with a specialty in security audits, thanks to previous jobs in law enforcement and security. One of the things you learned was that if you genuinely wanted security to work, you could not rely on policy because people don’t always follow it. You need to rely on physical methods to keep things secure.

For instance, there was a policy that all truly sensitive documents needed to be kept in a safe. That policy was followed. The problem was that the keys to the safe were kept in an unlocked secretary’s drawer. So, the policy was complied with, but the intent of the policy, to secure the document, was not because the physical security was inadequate.

This is not to say IBM was not secure. On the contrary, it remains one of the most secure companies I have ever worked for or with. What the example shows is that even at IBM, people remain the weakest link. The IBM Cloud offering stands out as addressing that weakest link while others rely on policy instead, and that is a problem.

IBM’s security difference advantage

I think some of what IBM has done in the cloud is the result of decades of focusing on and learning how to secure things. IBM was doing advanced security decades before any of today’s cloud companies even existed. Google’s security has always been questionable because its business model includes selling customer information to others. Amazon is a retailer at heart, not an IT company, making its security competence questionable. And while Microsoft is very serious about security today, in the 90s and early 2000s, it largely outsourced security, which was a problem for customers.

All these competitors have strong security policies, and they have protections against outside attackers. Even so, they are often breached, but their physical protections against inside attackers are far more limited. For instance, you may recall that Google, in particular, has had huge internal security issues. We know this because they were reported, and it makes you wonder how often this happens in Google and other firms where it isn’t reported.

Amazon allegedly didn’t even do a great job of protecting its own customer data, raising legitimate questions as to whether it will protect yours, and Microsoft recently was called out for security negligence on Azure even though it upped its security game significantly over the last two decades.

All of these firms appear to have competent security teams and policies that should protect the data, but people make mistakes, and, as I discovered at IBM, just because you believe employees know better than to do stupid things, employees are human, and humans tend to make stupid mistakes. If it is your data on the other side of those mistakes, that’s a problem.

IBM has an advantage. It realized early on that it could not catch Amazon, Google, or Microsoft in terms of scale or price. The others were simply too large and could subsidize income streams to offer more attractive pricing than IBM could. However, IBM has forgotten more about security than these companies currently appear to know. This means IBM gets that, when it comes to security, relying on policy and trust to secure anything valuable will not be sufficient. So, IBM creates hardware and software to secure customer information not only from external attacks but from internal attacks as well.

It is that extreme focus on securing against both external and internal threats that causes IBM to stand out, and, for those of us who value security highly, we should favor IBM Cloud because, unlike the other choices, IBM takes security far more seriously.

Wrapping up

For me, security is important because one of my more sensitive papers was released one time without my permission to the outside world. An SVP used that event to try to get me fired. He didn’t know I owned security at that company, and I was able to trace the leak back to him. He left the company, and I did not. Doing security right not only protects customers, but it also protects you because the aftermath of a breach is a process where folks look for someone to blame, and, as I found out, even if you did nothing wrong, you could find yourself on the wrong side of the resulting decision.

The old saying is, “no one ever lost their job buying from IBM.” I’d like to amend that to “no one will ever lose their job for using IBM Cloud” because even if there is a breach, you can show that you used the most secure cloud service available to you, and there is a really good chance you won’t ever see that breach unless it is something you or your company did wrong, and that you have no control over.

When it’s a question of security competence and execution, IBM Cloud clearly stands above the rest.
