Shared responsibilities for using IBM Cloud products
The responsibility of completing the following types of tasks on various products can be exclusive to IBM, the customer, or shared between the two. The tasks for each type of product are grouped in the following categories:
- Incident and operations management
- Monitoring, event management, high availability, problem determination, recovery, and full state backup and recovery.
- Change management
- Deployment, configuration, upgrades, patching, configuration changes, and deletion.
- Identity and access management
- Authentication, authorization, access control policies, and approving, granting, and revoking access.
- Security and regulation compliance
- Security controls implementation and compliance certification.
- Disaster recovery
- Providing dependencies on disaster recovery sites, provisioning disaster recovery environments, data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events.
Types of resource:
- Data
- Customer-owned content that includes all data managed and controlled by the customer, such as information stored in volumes, files, and databases hosted on IBM Cloud resources, and data processed, stored, and logged by the client applications hosted on IBM Cloud. It doesn't include client metadata, the information that is used by IBM to provide services to the customer and support and operate the client account, services, and resources that are always considered to be shared responsibility between client and IBM.
- Applications
- Customer-owned software components, such as executables, web applications, middleware, frameworks, libraries, and any other software packages that clients developed or acquired from third parties and deploy in IBM Cloud.
- Operating systems
- The operating system software and configuration deployed in virtual or bare metal servers, such as Linux, Windows, or others similar to the ones provided in stock images.
- Virtual and bare metal servers
- The virtual or bare metal servers that are ordered and managed through IBM Cloud services.
- Virtual storage
- The block, file or Object Storage buckets ordered and managed through IBM Cloud.
- Virtual network
- Network resources such as VLAN, VPC, subnets, or IPs provided by classic infrastructure and VPC services ordered and managed through IBM Cloud.
- Hypervisor
- The software and configuration deployed in physical servers to host and manage the lifecycle of virtual servers.
- Physical servers and memory
- The physical compute devices and resources, such as cores, memory, and GPUs used to host the virtual or bare metal servers.
- Physical storage
- The physical storage devices and resources, such as disks and storage devices used to host the virtual block, file or object storage buckets.
- Physical network and devices
- The physical network devices and resources, such as switches, routers, gateways, firewalls, and load balancers used to host the virtual network resources.
- Facilities and data centers
- The physical data center buildings with power, cooling, and rooms for all the IBM Cloud physical equipment.
IBM Cloud supports the following types of products and the corresponding shared responsibility models. For more information about each specific service, refer to the documentation for that service.
Infrastructure-as-a-service
Infrastructure-as-a-service (IaaS) products managed by IBM are fully multi-tenant, accessed remotely, hosted on IBM physical infrastructure, created in customer-owned accounts, and have control plane and data plane security that is owned by IBM. Examples of this product type are Virtual Servers and Bare Metal Servers with the related block volumes connected to the customer account private subnets. You can find a list of these types of products in the IBM Cloud catalog on the Services tab, and each product is in an infrastructure sub-category within the Compute or VPC infrastructure categories.
| Resource | Incident and Operations Management | Change Management | Identity and Access Management | Security and Regulation Compliance | Disaster Recovery |
|---|---|---|---|---|---|
| Data | Customer | Customer | Customer | Customer | Customer |
| Application | Customer | Customer | Customer | Customer | Customer |
| Operating system | Customer | Customer | Customer | Customer | Customer |
| Virtual and bare metal servers | IBM | IBM | IBM | IBM | Shared |
| Virtual storage | IBM | IBM | IBM | IBM | Shared |
| Virtual network | IBM | IBM | IBM | IBM | Shared |
| Hypervisor | IBM | IBM | IBM | IBM | IBM |
| Physical servers and memory | IBM | IBM | IBM | IBM | IBM |
| Physical storage | IBM | IBM | IBM | IBM | IBM |
| Physical network and devices | IBM | IBM | IBM | IBM | IBM |
| Facilities and data centers | IBM | IBM | IBM | IBM | IBM |
Managed products
Products managed by IBM require customer responsibilities only for the data or applications that customers add to the service. They are multi-tenant, accessed remotely, hosted on IBM virtual resources, created in IBM-owned accounts, and have control plane and data plane security owned by IBM. Examples of this product type are IBM Cloud databases or IBM Cloudant database instances. You can find a list of these types of products in the IBM Cloud catalog on the Services tab. However, any products listed in an infrastructure sub-category are infrastructure-as-a-service type products.
| Resource | Incident and Operations Management | Change Management | Identity and Access Management | Security and Regulation Compliance | Disaster Recovery |
|---|---|---|---|---|---|
| Data | Customer | Customer | Customer | Customer | Customer |
| Application | Customer | Customer | Customer | Customer | Customer |
| Service instance | IBM | IBM | IBM | IBM | Shared |
| Virtual and bare metal servers | IBM | IBM | IBM | IBM | Shared |
| Virtual storage | IBM | IBM | IBM | IBM | Shared |
| Virtual network | IBM | IBM | IBM | IBM | Shared |
| Hypervisor | IBM | IBM | IBM | IBM | IBM |
| Physical servers and memory | IBM | IBM | IBM | IBM | IBM |
| Physical storage | IBM | IBM | IBM | IBM | IBM |
| Physical network and devices | IBM | IBM | IBM | IBM | IBM |
| Facilities and data centers | IBM | IBM | IBM | IBM | IBM |
Managed products on customer's resources
Managed products on customer's resources are orchestrated by IBM, meaning they are single-tenant and data plane products. In addition, they are accessed locally in customer accounts, their data plane is hosted on virtual resources in the customer's account, their control plane security is owned by IBM, and their data plane security is owned by the customer. IBM Cloud products of this type include IBM Cloud Kubernetes Service on classic infrastructure and Red Hat OpenShift on IBM Cloud on classic infrastructure.
| Resource | Incident and Operations Management | Change Management | Identity and Access Management | Security and Regulation Compliance | Disaster Recovery |
|---|---|---|---|---|---|
| Data | Customer | Customer | Customer | Customer | Customer |
| Application | Customer | Customer | Customer | Customer | Customer |
| Service instance | Shared | Shared | Shared | Shared | Shared |
| Operating system | Shared | Shared | Shared | Shared | Shared |
| Virtual and bare metal servers | IBM | IBM | IBM | IBM | Shared |
| Virtual storage | IBM | IBM | IBM | IBM | Shared |
| Virtual network | IBM | IBM | IBM | IBM | Shared |
| Hypervisor | IBM | IBM | IBM | IBM | IBM |
| Physical servers and memory | IBM | IBM | IBM | IBM | IBM |
| Physical storage | IBM | IBM | IBM | IBM | IBM |
| Physical network and devices | IBM | IBM | IBM | IBM | IBM |
| Facilities and data centers | IBM | IBM | IBM | IBM | IBM |
Software packages
Software packages are deployed by IBM as single-tenant instances, and they are accessed locally in the customer account. The software instance is hosted on resources in the customer's accounts. The software deployment control plane security is owned by IBM, and the software instance security is owned by the customer.
There is a generic software deployment control plane that manages the lifecycle of deployed software package instances. At a minimum, it manages the deployment, upgrade, and delete actions. As the packages become smarter, the generic control plane might also manage the start, stop, migration, scaling, monitoring, backup, and restore tasks.
You can find a list of software in the IBM Cloud catalog on the Software tab.
| Resource | Incident and Operations Management | Change Management | Identity and Access Management | Security and Regulation Compliance | Disaster Recovery |
|---|---|---|---|---|---|
| Data | Customer | Customer | Customer | Customer | Customer |
| Application | Customer | Customer | Customer | Customer | Customer |
| Software packages | Shared | Shared | Customer | Customer | Shared |
| Operating system | Shared | Shared | Customer | Customer | Shared |
| Virtual and bare metal servers | IBM | IBM | IBM | IBM | Shared |
| Virtual storage | IBM | IBM | IBM | IBM | Shared |
| Virtual network | IBM | IBM | IBM | IBM | Shared |
| Hypervisor | IBM | IBM | IBM | IBM | IBM |
| Physical servers and memory | IBM | IBM | IBM | IBM | IBM |
| Physical storage | IBM | IBM | IBM | IBM | IBM |
| Physical network and devices | IBM | IBM | IBM | IBM | IBM |
| Facilities and data centers | IBM | IBM | IBM | IBM | IBM |