IBM Power for Google Cloud (IP4G) is designed to provide a robust and secure environment for your mission-critical applications. Security and compliance are top priorities, and we employ a shared responsibility model to ensure your data and workloads are protected. This means that while Google Cloud manages the security of the underlying infrastructure, you are responsible for the security in the cloud, encompassing your operating systems, applications, and data.
Security Privacy and Compliance
- 1: Shared Responsibility Model for IBM Power for Google Cloud
- 2: General Data Protection Regulation (GDPR)
1 - Shared Responsibility Model for IBM Power for Google Cloud
IBM Power for Google Cloud is an Infrastructure-as-a-Service offering provided by Converge on the Google Cloud Marketplace. It provides compute, storage and network services on demand with a capacity-based pricing model, and provides high-performance, low-latency connectivity to Google Cloud services. The service requires the customer to operate their own Google Cloud Organization and connect to IBM Power for Google Cloud using Google Private Services Access.
To provide a secure architecture, IBM Power for Google Cloud separates service management (control plane) from data access (data plane) across different endpoints so that neither can impact the other. The IBM Power for Google Cloud control plane consists of the Web Console, pcloud CLI, and API, all managed by Converge. The data plane uses the Google Cloud private services access (PSA) framework to connect the dedicated IBM Power for Google Cloud Instance to a customer Google Organization.
Each IBM Power for Google Cloud customer is allocated a dedicated Service Producer VPC Network and Service Producer Project managed by Converge. Strong tenant isolation is maintained within the IBM Power for Google Cloud infrastructure with isolated L2 and L3 network domains per customer and a multi-tenant compute hypervisor and storage architecture.
Encryption
IBM Power for Google Cloud block storage volumes are encrypted at rest using AES-256 by default. Data is striped across a distributed array of disks for performance and durability. Encryption keys are managed by IBM Power for Google Cloud and rotated automatically. Customers who would like to manage their own encryption keys must configure operating-system or application-based encryption in addition to the storage encryption provided by IBM Power for Google Cloud.
The IBM Power for Google Cloud (IP4G) network fabric provides private network connectivity between Virtual Machines in IBM Power for Google Cloud and Google Cloud. All IP4G network traffic traverses physical connections in a Google Cloud Regional Extension data center. Network traffic from IBM Power for Google Cloud to Google Cloud traverses a private Google Cloud connection between a Google Cloud Regional Extension data center and Google Cloud. We expect customers to enable secure communication protocols for applications to encrypt data in transit between IP4G and Google Cloud and internal networks in IP4G. All data transferred during Live Partition Mobility is encrypted in transit for IBM Power for Google Cloud.
Shared Responsibility
IBM Power for Google Cloud provides an API, CLI, and Web Console that allow the customer to create, delete and modify the compute, storage and networking of their IBM Power for Google Cloud Instance. The customer must authorize users to access these interfaces, and it is the responsibility of the customer to ensure that the appropriate Google Cloud Identities are permitted to access the customer Cloud Instance.
The customer is responsible for configuring their Google Cloud organization to connect to the service.
As with any Infrastructure as a Service offering, the bulk of security responsibilities are placed on the customer to provision resources in a way that meets their regulatory and compliance requirements. Converge is responsible for the underlying infrastructure and physical security.
| Customer Responsibility |
| --- |
| Usage associated with IBM Power for Google Cloud Subscription |
| Operations for virtual machine instances deployed |
| Authorization and Authentication to IBM Power for Google Cloud using Google Cloud Identity |
| Network security for access to virtual machine instances |
| Guest operating system, data, and content |
| Deployment of IBM Power for Google Cloud virtual machine instances |
| Converge Responsibility |
| --- |
| Audit logging for IBM Power for Google Cloud platform events |
| Network isolation and availability |
| Storage encryption and availability |
| IBM Power Control Plane and Hypervisor |
| Hardware (IBM Power Systems, Storage, and Network) |
| Data Center Power, Cooling, and Security |
2 - General Data Protection Regulation (GDPR)
IBM Power for Google Cloud (IP4G) operates as a multi-tenant infrastructure-as-a-service platform enabling customers to deploy virtual machines on IBM Power hardware within Google Cloud Regional Extension data centers. As a potential Data Processor under GDPR, IP4G processes personal data solely on behalf of its customers (Data Controllers) and only with the customer’s consent and/or direction.
Technical and Organizational Measures
IP4G implements robust data security measures appropriate to the risk of processing, including:
- Encryption: AES-256 encryption for data at rest;
- Access Controls: Role-based access and audit logging to prevent unauthorized access, alteration, or disclosure;
- Data Deletion: Customers retain full control over data lifecycle management, including deletion and retention policies;
- Isolation: Each customer environment is logically isolated on shared physical infrastructure.
Compliance Readiness
IP4G is PCI DSS v4.0 certified, demonstrating our commitment to supporting customers’ regulatory objectives and obligations, while also maintaining comprehensive adherence to international security standards. Additionally, our infrastructure and operational controls are designed specifically to adhere to, and incorporate, the core GDPR principles such as data minimization, purpose limitation, and ensuring the integrity and confidentiality of processing. IP4G’s Data Processing Agreement (DPA) and custom Terms of Service clarify in detail the platform and service responsibilities, with the specific aim of defining the shared accountability for customer data processing.
Customer Responsibilities
Customers are responsible for ensuring their own GDPR compliance, including lawful basis for processing, data subject rights, and controller obligations. IP4G provides the necessary infrastructure and documentation to support these efforts.