Principles
This recommendation uses the following key principles to obtain scale while optimizing for compliance, cost, and operational efficiencies.
- Manage cloud as code (compliance and ops optimization)
- Separate development and production environments (general compliance)
- Hub and spoke (networking optimization)
- Avoid duplication of shared tools (cost and ops optimization)
- Use shared infrastructure for application workloads (cost and ops optimization)
- Separate workload and management (compliance)
- Work within IBM Cloud operating limits and constraints
Cloud as code
A key part of this recommendation is to do all cloud setup and configuration as code - that is, automate everything from application infrastructure to account creation, to compliance monitoring. Automating everything allows the enterprise to ensure scale, compliance, security, and so on, in a repeatable and easily evolvable fashion. IBM Cloud provides a number of deployable architectures in the IBM Cloud catalog that can be used to automate these recommendations with minimal effort. These pre-made solutions can also be customized or extended to match the needs of the enterprise.
Managing infrastructure as code at scale requires more than just Terraform in a Git repo. Infrastructure as code is the DNA of an enterprise-wide cloud solution because it must be subject to both governance and management. Infrastructure as code ensures that only validated, compliant, and approved code is deployed. You can also track how deployments correspond to internal projects, teams, cost centers, and more.
IBM Cloud provides a number of tools to assist with this process. The IBM Cloud catalog allows an enterprise to advertise approved IaC solutions to users across the cloud. IBM Cloud projects allow an enterprise to ensure that only approved IaC is deployed and to track how the resulting resources correspond to projects, teams, and cost centers.
Related controls in IBM Cloud Framework for Financial Services
The following IBM Cloud Framework for Financial Services controls are most related to this guidance. However, in addition to following the guidance here, do your own due diligence to ensure you meet the requirements.
Family | Control |
---|---|
Configuration Management (CM) | CM-2 Baseline Configuration |
CM-2 (2) Automation Support for Accuracy / Currency | |
CM-3 Configuration Change Control | |
Access Control (AC) | AC-5 Separation of Duties |
Separate development and production
Development environments must be separated from production environments as they have different accounting, resource utilization, access, availability, networking, and compliance requirements. However, at the same time development environments should be kept in sync with production environments so that users testing in development can be confident that the application will behave similarly in production.
This recommendation creates a clean separation between development and production environments, but uses infrastructure as code to ensure that development and production are aligned.
Related controls in IBM Cloud Framework for Financial Services
The following IBM Cloud Framework for Financial Services controls are most related to this guidance. However, in addition to following the guidance here, do your own due diligence to ensure you meet the requirements.
Family | Control |
---|---|
Configuration Management (CM) | CM-3 (2) Configuration Change Control | Testing, Validation, and Documentation Of Changes |
CM-4 (1) Impact Analyses | Separate Test Environments | |
System and Services Acquisition (SA) | SA-10 Developer Configuration Management |
SA-15 (9) Development Process, Standards, and Tools | Use of Live Data | |
System and Communications Protection (SC) | SC-2 Application Partitioning |
SC-3 Security Function Isolation |
Hub and spoke model
In cloud, it is common to talk about using a hub and spoke model for networking. In this model, a centralized network hub links many spoke networks (VPCs) together. A centralized hub is typically used to reduce costs and increase scale while still allowing private network connectivity within the cloud.
In this recommendation, we also generalize this hub and spoke pattern, applying it to several different areas of concern including networking, managing infrastructure as code, secrets, shared services, and more.
Separate management from workload
In the IBM Cloud Framework for Financial Services reference architecture, management workloads are separated from application workloads to support the different access models, data privacy requirements, network access requirements, and so on. Because these principles apply more broadly than just in the Financial Services industry, they have been applied in this general recommendation.
Related controls in IBM Cloud Framework for Financial Services
The following IBM Cloud Framework for Financial Services controls are most related to this guidance. However, in addition to following the guidance here, do your own due diligence to ensure you meet the requirements.
Family | Control |
---|---|
System and Communications Protection (SC) | SC-2 Application Partitioning |
SC-3 Security Function Isolation |
Work within IBM Cloud operating limits and constraints
IBM Cloud, like all public clouds, have certain quotas, limits, and constraints on deployment patterns, scale, and so forth. This recommendation must align to and keep within all hard limits and constraints.
Examples of such quotas and limits include: