IBM United Kingdom Ltd

IBM Cloud Object Storage (Cleversafe) (OFFICIAL)

Data is growing exponentially, so it is important to consider storage, security and accessibility whilst being able to scale within a high-efficiency cost model. IBM Cloud Object Storage (formally Cleversafe) provided a range of Storage as a Service options.


  • Scalability to Exabyte’s
  • Survivability despite losing network access, servers, disks and data
  • High Data Security - in the event of DC breach
  • Service Quality increases reliability and availability of data
  • Service Available on IBM Bluemix
  • Deployment on dedicated, public and/or shared cloud,
  • May be implemented within a region or across multiple regions.
  • Hybrid deployment, uses same platform across the organisation
  • UK Hosted (OFFICIAL) with direct connection to the internet.
  • Can work towards an accredited RLI/SLI to industry connection.


  • Highly available & consistent object storage solution across multiple DC’s
  • Zero downtime for software upgrades, hardware refresh or expansion
  • Protect data across multiple sites without costly replication/backup
  • Management of storage PB's via single pane
  • All data is encrypted at rest and in motion
  • Support for REST S3 API
  • Seamless growth of the platform into Exabyte scale
  • Rich management API functionality, facilitating task automation
  • Full featured portal provides for setup, configuration and support


£0.0064 to £0.0318 per gigabyte per month

Service documents

G-Cloud 9


IBM United Kingdom Ltd

Jason Dymott


Service scope

Service scope
Service constraints The platform is a 24x7 available service. Any planned maintenance will not impact availability.

Access to the service is via RESTful API
System requirements
  • Support for S3 REST API
  • Connectivity to IBM COS endpoint locations (London Bluemix IaaS DC)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times IBM uses commercially reasonable efforts to respond to support requests; however, there is no specified response time objective for basic level support.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Web Chat is accessible through the customer portal
Web chat accessibility testing N/A
Onsite support Yes, at extra cost
Support levels IBM provides basic level support at no additional charge for the Cloud Services. Advance support is included as part of a Bluemix dedicated or local environment for services executed within those environments. Client can select fee-based technical support offerings that provide Client additional support benefits. Client may submit a support ticket describing the issue in accordance with the applicable support policy procedures. The support policies for Platform and Infrastructure Services are available in the Bluemix UI and provide details of available support options, as well as information on access, support business hours, severity classification, and support resources and limitations. IBM uses commercially reasonable efforts to respond to support requests; however, there is no specified response time objective for basic level support. Unless otherwise agreed in writing, support is available only to Client (and its authorized users) and not to any end users of Client’s solutions. Client is solely responsible for providing all customer support and services to its end users. An online support forum is available at no charge at or on Stack Overflow at IBM’s development and support staff monitors both forums
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started The IBM Bluemix KnowledgeLayer is an online resource and reference guid ( that covers a wide range of topics including Getting Started, Overview, Meet Bluemix, How To's, Best Practices and Quick Links; across all domains including devices, networking, services and resources (including Customer Portal, Mobile Devices, Service Status, Looking Glass, Whois and SpeedTest).
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction IBM Cloud Object Storage is a perpetual service with monthly billing. It is at the users discretion when the service is stopped. This would be done by either destroying the account and data. Or migrating the data out of the platform to another storage medium, likely to be another object store.
End-of-contract process At end of contract IBM will provide reasonable assistance to to facilitate the end of the Services (should they reach the end of their intended purpose) and/or the effective and orderly transfer of the Services back to organisation and/or to enable another party chosen to take over the provision of all or part of the Services.
The following provisions shall apply without prejudicing or restricting the generality of this obligation: It is agreed that reasonable IBM charges may apply relating to provision of exit management services and that such charges shall be agreed between the parties through the Exit Plan drafting process.

Specific to this service
1) Service will be cancelled/discontinued based upon Bluemix Portal.
2) Buyer will have to transfer any data from the Object Store to the new destination, possibly using the API calls including S3

Using the service

Using the service
Web browser interface Yes
Using the web interface The main web interface is via the Customer Portal. Users have a variety of interactions that take place from the Users screen. Users are login-specific and have a variety of permissions and information associated with the unique username, such as VPN accessibility, API keys and contact information. Individual users have access to their personal user information from this screen, while users with administrative roles have the ability to see and edit all users associated with an account.
Web interface accessibility standard None or don’t know
How the web interface is accessible There are a variety of tasks users can perform on the portal, these include but are not limited to, the following:-
- Access the Users Screen
- Add a New User to a Customer Portal Account
- Getting started with the Softlayer VPN
- Activate PhoneFactor Authentication
- Remove a User from the Customer Portal
- Change a User's Status
- Edit a User's VPN Access
- Remove an API Key
- Generate an API Key
- Edit a User Profile
- Retrieve Your API Key
- Edit a User's Customer Portal Permissions
- Update an Event Management System Subscription
- Access a User Profile
- Add External Authentication for a User
- View a User's Access Logs
- Show an API Key
Web interface accessibility testing N/A
What users can and can't do using the API There is a complete API available for managing the service this includes
- Account Creation
- Bucket Creation
- ACL definitions

The defined service user will setup further user accounts and buckets providing Access Controls accordingly. With appropriate permissions users can the use standard S3 SDK's and methods to create buckets and proceed to PUT, GET and DELETE data.
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • Terraform
  • Puppet
API documentation Yes
API documentation formats
  • HTML
  • PDF
Command line interface No


Scaling available Yes
Scaling type Automatic
Independence of resources Some Bluemix Infrsatructure components are always shared - the data center is a shared space, the management infrastructure (Operations and Business support services) are shared, the core network devices are shared.

The Cloud Object Storage infrastructure employs multiple access points within the design. Load Balancing ensures that there are no hot spots within the service and that no single connection can adversely affect the overall service.
Usage notifications No


Infrastructure or application metrics Yes
Metrics types Other
Other metrics Storage Pools
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Backup and recovery No

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network Other
Other protection within supplier network Generically, Bluemix has three networks :- 1)Public Network is a customer responsibility to ensure service is enabled with SSL or other suitable data encryption technology; Private Network used to transmit data within environment via encryption of their choice (network has no internet connectivity) Management Network means Bluemix API’s may only be accessed via SSL, using user-specific key Within the direct connect service, IBM will provide the port, the buyer is free to implement the method based on the infrastructure within their environment mapping to Bluemix infrastructure selected as part of end-to-end solution

Availability and resilience

Availability and resilience
Guaranteed availability IBM provides service level agreements (SLAs) for IBM-branded Bluemix services. Service levels based on downtime do not include time related to exclusions, Bluemix UI unavailability, or time to reload, configure, enable, or access content or include other services indirectly affected by an outage (Downtime). SLAs are available only if Client is compliant with the Agreement terms and do not apply to any third party including Client’s end users. SLAs do not apply to beta, experimental, trial, or no-charge Cloud Services. SLAs are not a warranty and are Client’s exclusive remedy for IBM’s failure to meet a specified service level. IBM will validate SLA claims based upon information provided and IBM system records. IBM provides a 99.95% availability SLA for Platform Services: i) configured for high availability and distributed across multiple Bluemix public regions; or ii) provisioned across multiple dedicated or local environments in geographically separated data-centers. In addition, IBM provides a 99.9% availability service level for multiple instances of a Platform Service provisioned within a single dedicated or local environment.
Approach to resilience Cloud Object Storage (Cleversafe's) patented object-based storage
uses advanced information dispersal algorithms coupled with encryption to secure, virtualize, and transform data across a range network of storage nodes to reduce cost and increase efficiency of storage infrastructure.
This means that data may be replicated to a second DC and/or dispersed across three DCs with the safeguard that of one of the DCs is lost the data will be secure and may be restored from the nodes on the other two DCs.
Outage reporting Email and public dashboard (within the Bluemix customer portal)

Identity and authentication

Identity and authentication
User authentication Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels To manage services users must have valid user accounts, secured via username/password and (at least) one other security question. IBM creates first user account but has no further access to account. The portal allows the administrator to create users, grant access and operational permissions, on a ‘least privilege’ basis. Users can only access and carry out functions when permissions are explicitly granted, each user is responsible for implementing secure password and secondary question. All activities are logged for auditing purposes. Customers are responsible for onboarding and offboarding users and continuous business needs checks relating to user accounts
Access restriction testing frequency At least every 6 months
Management access authentication Public key authentication (including by TLS client certificate)
Devices users manage the service through Dedicated device on a government network (for example PSN)

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BVCH SAS UK Branch
ISO/IEC 27001 accreditation date 18/08/2016
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 09/11/2012
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover N/A
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • ISO 27017
  • ISO 27018
  • Cloud Security Alliance - STAR registrant
  • Privacy shield framework EU Model clauses
  • SOC 1,2,3

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have a published information security policy which is shared upon customer engagement

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All compoents are tracked to enable evergreen technology, within this approch change management procedures ensure all changes to customer impacting services are thoroughly reviewed, tested and approved and provide notice in advance. All change management processes are documented. Notices are communicated to customers via email and service console, ideally scheduled during regular maintenance windows, though short-notice, emergency changes can occur. Processes include technical peer review including change rollback, full testing and approval. Changes are rippled through the full environment, Bluemix does not configure/manage customer deployments, they must implement configuration and change management processes.
Vulnerability management type Undisclosed
Vulnerability management approach IBM seek to ensure protection through monitoring and vulnerability scans, run on the entire IP range on the management network. Vulnerabilities are assigned a CVSS score and ticket/due date. Actions go through change management to reduce disruption to services, notices are communicated via email & service console. Emergency changes may occur usually as a result of particular perceived security threat/immediate risk to service. always weighed against service disruption Customers have responsibility for vulnerability/threat management within workloads; IBM provide access to security software, appliances and two-factor authentication tools - the management network provides access to patch management services.
Protective monitoring type Undisclosed
Protective monitoring approach Environment is fully monitored; key security and operational metrics gathered/analyzed Tools such as FireEye and Qradar montior for intrustion/anomalous activity. Alerts, offenses/incidents are tracked until resolved, and after-action information collected; configuration includes alarms providing early warnings of events. Monitoring is backed by industry standard incident management policies/procedures, DCs staffed on a 24x7x365 basis so all incidents are reacted to and dealt with consistently. Monitoring is configured to detect security-based attacks, such as Denial of Service with detailed procedures if such an attack is identified Customer portal has a Local Network Status displaying active issues
Incident management type Undisclosed
Incident management approach IBM has a fully documented incident management with swift response, ensuring personnel understand roles/responsibilities through to resolution. Data centres are staffed and monitored, with proactive monitoring of the underlying infrastructure; incidents identified are acted upon without delay, avoiding or minimizing service disruption. IBM SOC maintains incident response procedures, when tooling triggers the incident is tracked, if customer impact SOC involves IBM CSIRT. Processes are regularly and independently audited as part of ISO 27001 compliance. Customers report incidents via the 24/7 Bluemix IaaS support or portal - typical initial response within 20 minutes. More immediate responses is via phone or chat

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £0.0064 to £0.0318 per gigabyte per month
Discount for educational organisations No
Free trial available Yes
Description of free trial A Free tier (1) at no charge for one year, accessed using "Promo Code"
Baselines are up to 25 GB/month, 20,000 GET requests/month and 2,000 PUT requests/month
Free-Tier expires 12 months after sign up. Standard rates apply for public outbound bandwidth and overage charge, it applies a non-refundable credit.
Link to free trial


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑