Satellite reference architecture shared responsibility model

In IBM Cloud, the responsibilities for deploying, operating, and securing products are shared between IBM and our customers. This IBM Cloud® shared responsibility model is one of the most important things to understand when interpreting the control requirements of the IBM Cloud Framework for Financial Services. Here we dive deeper into this shared responsibility model for the Satellite reference architecture.

Shared responsibilities for IBM Cloud products

All services that run in IBM Cloud as part of the Satellite reference architecture are considered managed products in the IBM Cloud shared responsibility model. Each of these products has its own service-specific shared responsibilities.

Due to the hybrid nature of Satellite, there is a unique set of Satellite-specific shared responsibilities for components that run in the on-premises Satellite location.

For all products, these responsibilities cut across the following five task areas, which intersect with the best practices and requirements of the IBM Cloud Framework for Financial Services:

Table 1. Task areas in IBM Cloud shared responsibility model
The rows are read from left to right. The first column is the title for the set of tasks. The next column describes the tasks.

| Types of tasks | Description |
|---|---|
| Incident and operations management | Includes tasks such as monitoring, event management, high availability, problem determination, recovery, and full state backup and recovery. |
| Change management | Includes tasks such as deployment, configuration, upgrades, patching, configuration changes, and deletion. |
| Identity and access management | Includes tasks such as authentication, authorization, access control policies, and approving, granting, and revoking access. |
| Security and regulation compliance | Includes tasks such as security controls implementation and compliance certification. |
| Disaster Recovery | Includes tasks such as providing dependencies on disaster recovery sites, provisioning disaster recovery environments, data and configuration backup, replicating data and configuration to the disaster recovery environment, and failover on disaster events. |

Additional roles for shared responsibility matrix

The two-party view of responsibility doesn't adequately account for the broader set of roles (often represented by teams or even different companies) that need to collaborate to ensure that the overall solution provides a secure platform for workloads and data. In the following diagram and table, a broader set of roles is defined.

Figure 1. Roles for Satellite reference architecture RACI matrix

Table 2. Roles for deploying, managing, and operating all components of the Satellite reference architecture
The rows are read from left to right. The first column is the title for the role. The next column describes the role.

| Role | Description |
|---|---|
| Workload consumer | Line-of-business organization that uses the workload or represents the internal or external users of the workload. |
| Workload provider | Client IT development and operations team responsible for developing, deploying, and managing the workload, and for the user responsibilities for the PaaS layer (for example, by providing updated operating system images or requesting worker node upgrades). |
| IBM Cloud on-premises PaaS provider | IBM Cloud development and operations teams responsible for the Satellite components deployed on-premises. Many supporting services, processes, and operations run in IBM Cloud. |
| On-premises IaaS / data center provider | Client IT operations and facilities teams responsible for the data center, networking, hardware, and virtualization that supports the on-premises PaaS and workload. |
| IBM Cloud IaaS / data center provider | IBM Cloud development and operations teams responsible for the direct Satellite management capabilities and supporting services that run in IBM Cloud. |

Overview of shared responsibilities

Review the following table of who is responsible for particular cloud resources when using Satellite. In the table, "Shared" means that there is a shared responsibility between the workload provider and the IBM Cloud on-premises PaaS provider.

Table 3. Overview of shared responsibilities.
The rows are read from left to right. The resource area of comparing responsibilities is in the first column. The next five columns describe whether you, IBM, or both have shared responsibilities for a particular area.

| Resource | Incident and operations management | Change management | Identity and access management | Security and regulation compliance | Disaster Recovery |
|---|---|---|---|---|---|
| Client data | Workload provider | Workload provider | Workload provider | Workload provider | Workload provider |
| Application | Workload provider | Workload provider | Workload provider | Workload provider | Workload provider |
| Satellite Location | Shared | Shared | Shared | Shared | Shared |
| Satellite Host | Shared | Shared | Shared | Shared | Shared |
| Satellite Config | Shared | Shared | Shared | Shared | Shared |
| Satellite Link | Shared | Shared | Shared | Shared | Workload provider |
| Satellite Storage | Shared | Shared | Workload provider | Shared | Shared |
| Satellite-enabled services | Shared | Shared | Shared | Shared | Shared |
| Operating System | Workload provider | Shared | Workload provider | Shared | Workload provider |
| Virtual and bare metal servers | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider |
| Virtual storage | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider |
| Virtual network | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider |
| Hypervisor | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider |
| Physical servers and memory | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider |
| Physical storage | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider |
| Physical network and devices | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider |
| Facilities and data centers | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider | On-prem IaaS / data center provider |

Satellite location control plane and workload clusters

The following table goes a level deeper and shows the shared responsibilities for the control plane worker nodes and your workload clusters in the Satellite location. In the table, "Shared" means that there is a shared responsibility between the workload provider and the IBM Cloud on-premises PaaS provider.

Table 4. Overview of shared responsibilities in Satellite location.
The rows are read from left to right. The resource area for comparing responsibilities in the Satellite location is in the first column. The next two columns describe whether you, IBM, or both have shared responsibilities for a particular area.

| Resource | Control plane worker nodes | Workload clusters |
|---|---|---|
| Client data | n/a | Workload provider |
| Application | Shared | Workload provider |
| Satellite Host | Shared | Shared |
| Satellite Config | Shared | n/a |
| Satellite Link | Shared [1] | n/a |
| Satellite Storage | Shared [2] | Shared [3] |
| Host networking | On-premises PaaS provider | Workload provider |
| Operating System | Shared [4] | Shared [5] |
| Virtual and bare metal servers | On-premises IaaS / data center provider | On-premises IaaS / data center provider |
| Virtual storage | On-premises IaaS / data center provider | On-premises IaaS / data center provider |
| Virtual network | On-premises IaaS / data center provider | On-premises IaaS / data center provider |
| Hypervisor | On-premises IaaS / data center provider | On-premises IaaS / data center provider |
| Physical servers and memory | On-premises IaaS / data center provider | On-premises IaaS / data center provider |
| Physical storage | On-premises IaaS / data center provider | On-premises IaaS / data center provider |
| Physical network and devices | On-premises IaaS / data center provider | On-premises IaaS / data center provider |
| Facilities and data centers | On-premises IaaS / data center provider | On-premises IaaS / data center provider |

Other on-premises components outside of the IBM Cloud Satellite location

The workload provider and on-premises IaaS / data center provider are solely responsible for edge plane, management plane, and other applications that you run in the on-premises environment outside of the Satellite location.

[1] Responsibility is shared, except that the workload provider is solely responsible for Identity and access management.

[2] Responsibility is shared, except that the workload provider is solely responsible for Identity and access management.

[3] Responsibility is shared, except that the workload provider is solely responsible for Change management and Security and regulation compliance.

[4] Responsibility is shared, except that the workload provider is solely responsible for Change management and Security and regulation compliance.