Role-based access controls
Help support compliance requirements and keep your cloud-bound sensitive data secure. Role-based access controls allow an administrator to define a second layer of data access control policies that are based upon roles and job functions, including managing privileged access and escalation.
Distinct separation of duties
By default, Multi-Cloud Data Encryption creates two distinct roles – one for the Product Administrator and one for the Security Administrator – to keep roles separate.
Advanced cryptographic splitting technology
Cryptographic splitting technology helps assure sensitive data confidentiality, privacy, and protection against brute force attacks. IBM Multi-Cloud Data Encryption, with its SPxCore™, combines FIPS 140-2 certified AES 256-bit encryption and cryptographic splitting.
Integrated, certified and KMIP-compatible key management
Using integrated and transparent built-in key management, all phases of the key lifecycle from key creation to deletion stay in your control. External key management is also supported with KMIP-certified key managers such as IBM's Security Key Lifecycle Manager.
Streamlined management console
The centralized management console provisions, deploys and manages encryption agents across the enterprise. Organizations can host the management console wherever they choose, including on-premises, allowing them to keep keys out of the cloud while managing data protection remotely.
File and volume-level encryption agents
Deploy agents that encrypt data at the volume or file level. The volume encryption agent is a virtual block device that, once installed, is mounted to look like an attached disk. The file encryption agent works at the file level, based on fine-grained file or directory-level policies.
Object store encryption agent with patented data splitting
Securely leverage on-premises or cloud-based S3 object storage with client-side encryption key and access control. The object store agent leverages cryptographic splitting to send shares of encrypted data to multiple object store locations or multiple CSPs for resiliency and recovery.
Data access log forwarding to leading SIEM solutions
Log all data access requests as “approved” or “denied” per defined user, group or process-based policy. Events recorded by the reliable event capture feature can be forwarded to event management systems, such as IBM’s QRadar SIEM, for analysis.
RESTful APIs for ease of integration, automation, and scale
Multi-Cloud Data Encryption functions are available via a RESTful API so that automation can be easily applied. Large-scale deployments can be managed using the API and basic scripting.