Shared Responsibility Model for IBM Power for Google Cloud

IBM Power for Google Cloud is an Infrastructure-as-a-Service offering provided by Converge on the Google Cloud Marketplace. It provides compute, storage and network services on demand with a capacity-based pricing model, and provides high-performance, low-latency connectivity to Google Cloud services. The service requires the customer to operate their own Google Cloud Organization and to connect to IBM Power for Google Cloud using Google Private Services Access.

IBM Power for Google Cloud separates service management (the control plane) from data access (the data plane) across different endpoints, so that neither can impact the other; this separation is the basis of the secure architecture. The IBM Power for Google Cloud control plane consists of the Web Console, the pcloud CLI, and the API, all managed by Converge. The data plane uses the Google Cloud Private Services Access (PSA) framework to connect the dedicated IBM Power for Google Cloud Instance to the customer's Google Organization.

Each IBM Power for Google Cloud customer is allocated a dedicated Service Producer VPC Network and Service Producer Project managed by Converge. Strong tenant isolation is maintained within the IBM Power for Google Cloud infrastructure: each customer receives isolated L2 and L3 network domains, while the compute hypervisor and storage architecture are multi-tenant.

Encryption

IBM Power for Google Cloud block storage volumes are encrypted at rest using AES-256 by default. Data is striped across a distributed array of disks for performance and durability. Encryption keys are managed by IBM Power for Google Cloud and rotated automatically. Customers who want to manage their own encryption keys must configure operating-system- or application-based encryption in addition to the storage encryption provided by IBM Power for Google Cloud.
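The paragraph above leaves key management to the customer when the provider's storage keys are not sufficient for their requirements. The following is an added illustration, not code from IBM, Converge or the IP4G service, of what application-based encryption on top of the provider's volume encryption looks like in practice: data is sealed with AES-256-GCM under a key the customer holds outside the service before it is written to the volume, and the volume identifier is bound in as additional authenticated data. The key source, the volume IDs and the record contents are constructed for the example; in a real deployment the key would come from the customer's own key management system rather than from a passphrase hash.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sealBlock encrypts plaintext with AES-256-GCM under a customer-managed key.
// volumeID is passed as additional authenticated data, so a ciphertext copied
// from one volume to another fails authentication on decryption.
// Output layout: nonce || ciphertext || GCM tag.
func sealBlock(key []byte, volumeID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per write; never reuse a nonce with the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(volumeID)), nil
}

// openBlock reverses sealBlock. Any change to the key, the nonce, the
// ciphertext, the tag or the volumeID causes an authentication error.
func openBlock(key []byte, volumeID string, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(volumeID))
}

// deriveKeyForExample is a constructed stand-in for fetching the data key
// from the customer's own key store. Hashing a passphrase is used only so the
// example runs offline; it is not a recommended key-derivation practice.
func deriveKeyForExample(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func main() {
	key := deriveKeyForExample("constructed-example-secret") // constructed
	record := []byte("constructed customer record 42")       // constructed

	sealed, err := sealBlock(key, "vol-example-01", record) // constructed volume ID
	if err != nil {
		panic(err)
	}
	// What reaches the provider's (already AES-256 encrypted) volume is sealed.
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(sealed))

	plain, err := openBlock(key, "vol-example-01", sealed)
	fmt.Println("round trip ok:", err == nil && string(plain) == string(record))

	// The same bytes presented under another volume ID or another key are rejected.
	_, err = openBlock(key, "vol-example-02", sealed)
	fmt.Println("cross-volume open rejected:", err != nil)
	_, err = openBlock(deriveKeyForExample("rotated-key"), "vol-example-01", sealed)
	fmt.Println("wrong-key open rejected:", err != nil)
}
```

The design choice worth noting is that this layer does not replace the provider's encryption; it stacks on it, so a customer who rotates or revokes their own key controls readability of the data regardless of the provider's key schedule. Random 96-bit GCM nonces should be limited to well under 2^32 messages per key, which is one more reason the customer's key management must include rotation.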

The IBM Power for Google Cloud (IP4G) network fabric provides private network connectivity between virtual machines in IBM Power for Google Cloud and Google Cloud. All IP4G network traffic traverses physical connections in a Google Cloud Regional Extension data center. Network traffic from IBM Power for Google Cloud to Google Cloud traverses a private Google Cloud connection between a Google Cloud Regional Extension data center and Google Cloud. Customers are expected to enable secure communication protocols in their applications so that data in transit is encrypted both between IP4G and Google Cloud and within the internal networks of IP4G. All data transferred during Live Partition Mobility is encrypted in transit by IBM Power for Google Cloud.

Shared Responsibility

IBM Power for Google Cloud provides an API, a CLI, and a Web Console that allow the customer to create, delete and modify the compute, storage and networking of their IBM Power for Google Cloud Instance. The customer must authorize users to access these interfaces, and it is the customer's responsibility to ensure that only the appropriate Google Cloud identities are granted access to the customer's Cloud Instance.

The customer is responsible for configuring their Google Cloud organization to connect to the service.

As with any Infrastructure-as-a-Service offering, the bulk of the security responsibility rests with the customer, who must provision resources in a way that meets their regulatory and compliance requirements. Converge is responsible for the underlying infrastructure and physical security.

Customer Responsibility

Usage associated with IBM Power for Google Cloud Subscription
Operations for virtual machine Instances deployed
Authorization and Authentication to IBM Power for Google Cloud using Google Cloud Identity
Network security for access to virtual machine instances
Guest operating system, data, and content
Deployment of IBM Power for Google Cloud virtual machine instances

Converge Responsibility

Audit logging for IBM Power for Google Cloud platform events
Network isolation and availability
Storage encryption and availability
IBM Power Control Plane and Hypervisor
Hardware (IBM Power Systems, Storage, and Network)
Data Center Power, Cooling, and Security