Dedicated security components in an IT infrastructure ensure the protection of data, infrastructure, and processes.
In many cases, providing security at a level beyond software requirements enables secure and reliable use cases. Being in control of sensitive data, and being able to demonstrate possession of it, is often a prerequisite when an enterprise considers moving data to the cloud.
Keep Your Own Key (KYOK)
IBM Cloud Hyper Protect Crypto Services introduces the new and powerful concept of Keep Your Own Key (KYOK), which acts as an extension to Bring Your Own Key (BYOK). With KYOK, you stay in control of your essential secure key infrastructure at any time, while benefiting from a seamless integration into IBM Cloud services. With IBM Cloud Hyper Protect Services, you fully leverage the proven technology that is co-developed and operated by large enterprises for managing their most sensitive data.
The cryptographic capabilities of Hyper Protect Crypto Services (HPCS) are built on top of the FIPS 140-2 Level 4 certified Hardware Security Module. As IBM is starting to provide a new set of capabilities to support your workloads moving to the cloud, you can benefit from the cryptographic capabilities of HPCS for both your new and existing workloads. With the introduction of Enterprise PKCS #11 over gRPC, you have access to a full range of cryptographic operations, such as signing, signature validation, message authentication codes, and random number generation.
The unique concept of IBM Cloud Hyper Protect Crypto Services puts the Hardware Security Module (HSM) at the center of your single-tenant cryptographic infrastructure. You can access key management and HSM-based cryptographic functions through a single service instance with a unified user interface. Built as a cloud-native service, Hyper Protect Crypto Services becomes your prime choice for reliable and scalable cryptographic operations.
Private service endpoint available
You can now connect to Hyper Protect Crypto Services over the IBM Cloud private network by targeting a private endpoint for the service. The private endpoint is currently only available for the key management service.
The managed cloud Hardware Security Module (HSM) supports Enterprise Public-Key Cryptography Standards (PKCS) #11, so your applications can integrate cryptographic operations such as digital signing and validation via the Enterprise PKCS #11 (EP11) API. The EP11 library provides an interface very similar to the industry-standard PKCS #11 API.
Hyper Protect Crypto Services provides a set of Enterprise PKCS #11 (EP11) APIs over gRPC calls (also referred to as GREP11), with which all cryptographic functions are executed in the HSM in the cloud. GREP11 is designed to be a stateless interface for cloud programs.