Rawat said IBM’s incident response appears slow and ineffective, hinting at procedural or resource limitations. The situation also raises concerns about IBM Cloud’s adherence to zero trust principles, its automation in threat response, and the overall enforcement of security controls.
“The recent IBM Cloud outages are part of a broader pattern of modern cloud dependencies being over-consolidated, under-observed, and poorly decoupled. Most enterprises — and regulators — tend to scrutinise cloud strategies through the lens of data sovereignty, compute availability, and regional storage compliance. Yet it is often the non-data-plane services — identity resolution, DNS routing, orchestration control — that introduce systemic exposure,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.
Gogia said this blind spot is not unique to IBM. Similar disruptions across other hyperscalers — ranging from IAM outages at Google Cloud to DNS failures at Azure — illustrate the same lesson: resilience must include architectural clarity and blast radius discipline for every layer that enables platform operability.
Such frequent outages can trigger immediate compliance alarms and lead to reassessments in tightly regulated industries like banking, healthcare, telecommunications, and energy, where even brief disruptions carry serious risks.
IBM did not immediately respond to a request for comment.
Adding to the concerns, IBM had issued a security bulletin stating that its QRadar Software Suite, its threat detection and response solution, had multiple security vulnerabilities. These included a failure to invalidate sessions post-logout, which could lead to user impersonation, and a weakness allowing an authenticated user to cause a denial of service due to improper validation of API data input. To maintain security, IBM advised customers to update their systems promptly.