Cloud
Security
November 5, 2019 By Andrew Guerra
Dale Hoffman
Rohit Badlaney
Mike Turner
3 min read

Enterprise clients on a digital transformation journey are looking to move workloads to the public cloud.

However, we have seen that customers are still wary of moving sensitive data and associated workloads. Per the 2019 report by the Ponemon Institute, sponsored by IBM Security*, the average cost of a data breach is $3.92M. Customers, especially in regulated industries like the Financial Services Sector and Healthcare, seem to prefer to use their own cloud encryption keys to be assured no one has access to these keys. In many cases, clients are finding this is also necessary to meet their regulatory compliance requirements.

To cater to this growing need, IBM and HyTrust are announcing the industry’s highest certified level of protection** for data encryption keys through the integration of HyTrust DataControl Virtual Workload Protection Solution with IBM Cloud Hyper Protect Crypto Services (HPCS), a single-tenant, dedicated, customer-controlled cloud Hardware Security Module (HSM) service.

IBM Cloud Hyper Protect Crypto Services

IBM Cloud Hyper Protect Crypto Services is built on the industry’s first and only FIPS 140-2 Level 4 certified Hardware Security Module (HSM)*** available in the public cloud. The Level 4 certification provides industry-leading protection against tampering with the HSM. Level 4, in part, requires physical security mechanisms and tamper response when it detects various forms of environmental attack (e.g., voltage or temperature fluctuations).

If any threat is detected, keys stored in the device are automatically erased, thereby protecting critical virtual resources protected by these keys. Additionally, the service runs in IBM LinuxONE secured enclaves in the IBM Cloud, which provides functionality so that no one, including cloud admins, has access to encryption keys at any point. The fully managed HSM can save customers the time and effort of provisioning and maintaining the hardware and allows customers to easily add additional instances when they need to scale, whether on-premises, in the cloud, or in a hybrid cloud model.

HyTrust DataControl

HyTrust DataControl is a universal virtual workload protection solution that empowers VMware virtual admins to quickly and safely encrypt sensitive workloads on-premises and in the hybrid cloud.

The integration between HyTrust DataControl and IBM Cloud Hyper Protect Crypto Services enables a level of encryption key protection never before possible. Encryption key lifecycle management operations (create, delete, store, and expiry) move from the key management server (KMS) to the HSM, such that upon tampering with the HSM, the affected encryption keys are automatically destroyed, including downstream encryption keys. Critical virtual resources remain protected by DataControl and IBM Cloud Hyper Protect Crypto Services. HyTrust-enabled VMware customers can comfortably extend their environment into IBM Cloud while maintaining the security and control they need.

Customer benefits from the HyTrust-Hyper Protect Crypto Services integration

  • Workload lifecycle encryption management—from boot to decommissioning—with complete control of encryption keys.
  • Support for Keep Your Own Key (i.e., maintain exclusive control of the encryption keys and full key hierarchy, including the HSM Master Key).
  • Zero downtime VMware workload encryption and rekeying; encryption travels with VM.
  • Data encryption and controls on privileged access, which mitigates risk of data compromise and supports regulatory compliance.
  • Flexibility for extending encryption operations to the cloud in a hybrid model.

IBM Cloud’s commitment to security

As part of a long-standing relationship between IBM Cloud and HyTrust, this current collaboration only strengthens the security capabilities of the existing IBM Cloud Secure Virtualization (ICSV) solution offered by IBM Cloud, VMware, HyTrust, and Intel. By both building on ICSV infrastructure and utilizing the HyTrust-Hyper Protect Crypto Services element, clients can take advantage of these powerful solutions in an integrated model for the most effective data security controls in the Cloud.

Our commitment to security was on full display at VMworld US in August 2019, when IBM Cloud announced integration of the Caveonix and Fortinet platforms with the IBM Cloud Secure Virtualization solution. This new service package for workload security and compliance readiness, incorporated with the Hyper Protect Crypto Services solution, allows IBM Cloud to drive a more comprehensive security approach aimed to protect workloads from different threat vectors in the stack. As a secure by design platform, IBM Cloud for VMware Solutions has been purpose-built for the most highly regulated and business-critical workloads.  

* The Cost of a Data Breach Report – 2019

** IBM PCIe Crypto Card

*** The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to approve cryptographic modules. It is issued by the National Institute of Standards and Technology (NIST). Level 4 is the highest level of security.

Andrew Guerra
Offering Manager - IBM Cloud for VMware Solutions
Dale Hoffman
Director of VMware Offering Solutions
Rohit Badlaney
GM, IBM Cloud Product and Industry Platforms
Mike Turner
VP of Sales Engineering, HyTrust

More from Cloud
May 20, 2024

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

May 15, 2024

A clear path to value: Overcome challenges on your FinOps journey 

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

May 15, 2024

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters