IBM United Kingdom Ltd

IBM Bluemix Private Cloud (Bluebox) (OFFICIAL/SECRET)

IBM Bluemix Private-Cloud-as-a-Service is powered by OpenStack and provides a 100% open source consumption model for IaaS (compute, storage and SDN) with a high-value service wrapper: rapid provisioning, implementation, support, management and security. It is single tenant, elastic, reliable and highly available, underpinned by SLAs for Official and Secret workloads.


  • Powered by OpenStack. Current release: OpenStack Newton
  • 100% dedicated infrastructure providing guaranteed, predictable high-performance in HA config
  • Graphical user-interface/Command Line-interface manage access, monitoring, billing analysis
  • Storage: ephemeral, block/object via OpenStack projects e.g. Cinder/Swift
  • Disaster recovery supported by dual data centres
  • Security: UK data centres are ISO 27001 accredited.
  • Discrete/secure control plane to manage hardware, OpenStack, hypervisor layers
  • Security classifications up to SECRET (can work towards accredited SLI/RLI)
  • Available in both Community and Red Hat OpenStack versions
  • Available in UK (OFFICIAL) Data-Centres or "On-Premise" in DC(SECRET)


  • The best of public cloud/ benefits of private cloud
  • Available on monthly and annual term basis
  • OpenStack provides complete freedom of deployment
  • Security: dedicated, private infrastructure
  • High quality personal and professional technical support services
  • Elasticity: scalability for growth and for burst workloads
  • Predictable cost model: customers can align with business workloads
  • Consumption model frees-up IT resources maintaining business activity focus
  • Choice of nodes to accommodate different workloads including Bare Metal
  • Rapid provisioning: private cloud availability within hours


£5882 per unit per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 9


IBM United Kingdom Ltd

Jason Dymott


Service scope

Service constraints 1) The Cloud Service is allocated a minimum network bandwidth of 40.0 TB per month when using 1 Gigabit Network Gateways and a minimum network bandwidth of 10.0 TB per month when using 10 Gigabit Network Gateways.
2) Dedicated Controllers are required for scaling the cluster beyond 20 nodes and the use of OpenStack Telemetry (Ceilometer) and Load Balancer as a Service (LBaaS).
3) IBM will post scheduled maintenance time/date in a support ticket generally scheduling maintenance 5 days after the maintenance communication. If clients choose a different maintenance window they may choose any time within 21 days of the original maintenance communication.
System requirements None

User support

Email or online ticketing support Email or online ticketing
Support response times IBM uses commercially reasonable efforts to respond to support requests; response times vary depending on the severity of the request as detailed below:
Priority 1 (urgent) – Initial response time within 15 minutes, updates every 60 minutes
Priority 2 (normal) – Initial response time within 1 hour, updates every 24 hours
Priority 3 (information) – Initial response time within 1 calendar day, updates every 7 calendar days
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Web chat is available through the customer portal
Web chat accessibility testing N/A
Onsite support Yes, at extra cost
Support levels IBM provides basic level support at no additional charge for the Cloud Services. Advance support is included as part of a Bluemix dedicated or local environment for services executed within those environments. Client can select fee-based technical support offerings that provide Client additional support benefits. Client may submit a support ticket describing the issue in accordance with the applicable support policy procedures. The support policies for Platform and Infrastructure Services are available in the Bluemix UI and provide details of available support options, as well as information on access, support business hours, severity classification, and support resources and limitations. IBM uses commercially reasonable efforts to respond to support requests.
Unless otherwise agreed in writing, support is available only to Client (and its authorized users) and not to any end users of Client’s solutions. Client is solely responsible for providing all customer support and services to its end users.
Priority 1 (urgent) – Initial response time within 15 minutes, updates every 60 minutes
Priority 2 (normal) – Initial response time within 1 hour, updates every 24 hours
Priority 3 (information) – Initial response time within 1 calendar day, updates every 7 calendar days
Support available to third parties No

Onboarding and offboarding

Getting started The IBM Bluemix Private cloud team insist on a 5 week onboarding process with regular touch points to ensure best practice and familiarity of the service.
A Customer success Manager is allocated to each customer and works with the customer throughout the onboarding process to target specific areas of most value to the customer.
Online resources are also supplied for customers to reference throughout the tenure of their Bluemix Private Cloud contract. These can be found at:
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Customers are able to transfer any pertinent data from the cloud prior to decommission. This is typically done through online transferral of data over a secure link.
End-of-contract process At end of contract IBM will provide reasonable assistance to facilitate the end of the Services (should they reach the end of their intended purpose) and/or the effective and orderly transfer of the Services back to organisation and/or to enable another party chosen to take over the provision of all or part of the Services.
The following provisions shall apply without prejudicing or restricting the generality of this obligation: It is agreed that reasonable IBM charges may apply relating to provision of exit management services and that such charges shall be agreed between the parties through the Exit Plan drafting process.
Client may add or remove Cloud Service options by submitting a signed Order Document with the requested change. Client is required to provide at least 30 days written notice to remove a Cloud Service option or a unit quantity of an option and specify the effective date of termination.
IBM will adjust the monthly charges for such change based upon the month the Cloud Service is added or effective date of termination.

Using the service

Web browser interface Yes
Using the web interface The main web interface is via the Customer Portal. Users have a variety of interactions that take place from the Users screen. Users are login-specific and have a variety of permissions and information associated with the unique username such as API keys and contact information. Individual users have access to their personal user information from this screen, while users with administrative roles have the ability to see and edit all users associated with an account.
Web interface accessibility standard None or don’t know
How the web interface is accessible There are a variety of tasks users can perform on the portal, these include but are not limited to, the following:-
- Access the Users Screen
- Add a New User to a Customer Portal Account
- Remove a User from the Customer Portal
- Change a User's Status
- Edit a User Profile
- Retrieve Your API Key
- Edit a User's Customer Portal Permissions
- Update an Event Management System Subscription
- Access a User Profile
- Show an API Key
- Spin up Virtual machines
- Create storage volumes
- Create Software defined networks
Web interface accessibility testing NA
What users can and can't do using the API Users can interact with the cloud solely through API calls. There are no limitations within the cloud and its core functionality when accessing services via API.
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
API documentation Yes
API documentation formats HTML
Command line interface No


Scaling available Yes
Scaling type Manual
Independence of resources Some Bluemix Private Cloud infrastructure components are always shared - the data center is a shared space, the management infrastructure (Operations and Business support services) are shared, the core network devices are shared.

However, the cloud itself and any associated resource is 100% dedicated to the customer and is not shared in any way with other IBM customers.
Usage notifications No


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • Memory
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type Hardware containing data is completely destroyed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery No

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network Generically, Bluemix has three networks:
1) Public Network: it is a customer responsibility to ensure service is enabled with SSL or other suitable data encryption technology.
2) Private Network: used to transmit data within the environment via encryption of the customer's choice (this network has no internet connectivity).
3) Management Network: Bluemix APIs may only be accessed via SSL.

Availability and resilience

Guaranteed availability IBM provides service level agreements (SLAs) for IBM-branded Bluemix services. Service levels based on downtime do not include time related to exclusions, Bluemix UI unavailability, or time to reload, configure, enable, or access content or include other services indirectly affected by an outage (Downtime). SLAs are available only if Client is compliant with the Agreement terms and do not apply to any third party including Client’s end users.
SLAs do not apply to beta, experimental, trial, or no-charge Cloud Services. SLAs are not a warranty and are Client’s exclusive remedy for IBM’s failure to meet a specified service level. IBM will validate SLA claims based upon information provided and IBM system records.
IBM provides a 99.95% availability SLA for Platform Services: i) configured for high availability and distributed across multiple Bluemix public regions; or ii) provisioned across multiple dedicated or local environments in geographically separated data-centers. In addition, IBM provides a 99.5% availability service level for multiple instances of a Platform Service provisioned within a single dedicated or local environment.
All elements of a Bluemix Private Cloud are built in an HA configuration resulting in no single point of failure within the cloud.
Approach to resilience Information is available on request
Outage reporting Ticket, email & public dashboard within the Bluemix Portal and Bluemix Private Cloud Box Panel.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels To manage services users must have valid user accounts, secured via username/password and (at least) one other security question. IBM creates first user account but has no further access to account.

The portal allows the administrator to create users, grant access and operational permissions, on a ‘least privilege’ basis.

Users can only access and carry out functions when permissions are explicitly granted, each user is responsible for implementing secure password and secondary question. All activities are logged for auditing purposes.
Customers are responsible for onboarding and offboarding users and continuous business needs checks relating to user accounts
Access restriction testing frequency At least once a year
Management access authentication 2-factor authentication
Devices users manage the service through
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Bureau Veritas Certification (BVC)
ISO/IEC 27001 accreditation date 04/07/2016
What the ISO/IEC 27001 doesn’t cover Physical Data center controls and removable media controls are not covered by the Bluemix Private Cloud ISO 27001 certification. However, Bluemix Private Cloud is deployed in IBM Cloud Data-Centres and these items are covered under the IBM Bluemix Infrastructure ISO 27001 certification.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations ISO 27018

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ISO27001 & ISO27018

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach All components are tracked to enable evergreen technology. Within this approach, change management procedures ensure that all changes to customer-impacting services are thoroughly reviewed, tested and approved, and that notice is provided in advance. All change management processes are documented. Notices are communicated to customers via email and service console, ideally scheduled during regular maintenance windows, though short-notice emergency changes can occur.
Processes include technical peer review including change rollback, full testing and approval. Changes are rippled through the full environment.
Bluemix does not configure or manage customer deployments; customers must implement their own configuration and change management processes.
Vulnerability management type Undisclosed
Vulnerability management approach IBM seek to ensure protection through monitoring and vulnerability scans, run on the entire IP range on the management network. Vulnerabilities are assigned a CVSS score and ticket/due date.
Actions go through change management to reduce disruption to services, notices are communicated via email & service console.
Emergency changes may occur, usually as a result of a particular perceived security threat or immediate risk to service, and are always weighed against service disruption.
Customers have responsibility for vulnerability/threat management within workloads; IBM provide access to security software, appliances and two-factor authentication tools - the management network provides access to patch management services.
Protective monitoring type Undisclosed
Protective monitoring approach Environment is fully monitored; key security and operational metrics gathered/analyzed
Alerts, offenses/incidents are tracked until resolved, and after-action information collected; configuration includes alarms providing early warnings of events.
Monitoring is backed by industry standard incident management policies/procedures, DCs staffed on a 24x7x365 basis so all incidents are reacted to and dealt with consistently.
Monitoring is configured to detect security-based attacks, such as Denial of Service with detailed procedures if such an attack is identified
Customer portal has a Local Network Status displaying active issues
Incident management type Undisclosed
Incident management approach IBM has a fully documented incident management process with swift response, ensuring personnel understand roles/responsibilities through to resolution.
Data centres are staffed and monitored, with proactive monitoring of the underlying infrastructure; incidents identified are acted upon without delay, avoiding or minimizing service disruption.
The IBM SOC maintains incident response procedures: when tooling triggers, the incident is tracked, and if there is customer impact the SOC involves IBM CSIRT.
Processes are regularly and independently audited as part of ISO 27001 compliance.
Customers report incidents via the 24/7 Box panel portal - typical initial response within 15 minutes. More immediate responses are via phone or chat

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy-efficient datacentres Yes


Price £5882 per unit per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Fully functional OpenStack cloud consisting of HA Firewalls and 3 x compute nodes.
Typically this is provided for a 30 day period.
Other options available upon request.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document