February 14, 2023 By jason-mcalpin 5 min read

Expand to hybrid cloud, encrypt your data and manage your encryption keys.

Data is the currency of the 21st century. Bringing data and processes from legacy systems to the cloud requires that data at rest, data in transit and data in use are handled consistently with prevailing data security guidelines. It’s no surprise that organizations often mention security and data protection as the most significant barriers to moving sensitive applications and data to the public cloud. The adoption of cloud-based encryption software solutions is expected to grow, considering cloud technology’s ease of data maintenance, cost-effectiveness, scalability and streamlined data management.

Though cloud-ready architectures have several benefits in terms of simplicity and support for microservices, customers may still have concerns about data being mishandled by the cloud service provider. Organizations often want to not only encrypt their data in the cloud with their own keys, but also administer and control the encryption keys.

Organizations can use IBM Power Systems Virtual Server to expand their on-premises servers to modern-day hybrid cloud infrastructures, helping them to smoothly move and manage their workloads across cloud and on-premises environments. For cloud data encryption and multicloud key management, an organization can leverage IBM Hyper Protect Crypto Services to manage access to its data.

We are pleased to announce the availability of IBM Hyper Protect Crypto Services for AIX and Linux on IBM Power Systems Virtual Server.

What is Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services is a 3-in-1 solution, designed to give enterprises the following:

  1. A single-tenant, hybrid cloud key management service.
  2. Hardware Security Module (HSM) in the cloud.
  3. Multicloud key orchestration with Unified Key Orchestrator, a part of Hyper Protect Crypto Services.

IBM Hyper Protect Crypto Services allows customers to control their cloud data encryption keys (DEKs) and Cloud Hardware Security Module (HSM). Built on LinuxONE technology, the service runs on a secured enclave, which helps ensure that no one (including cloud administrators) can access another user’s keys.

Hyper Protect Crypto Services can provide both key management and encryption application programming interfaces (APIs) to help manage access to data and the lifecycle of encryption keys. By providing both of these important features, Hyper Protect Crypto Services is designed to offer extra layers of protection compared to solutions that offer only one of them.

You can integrate Hyper Protect Crypto Services with Power Virtual Server to securely store and protect encryption key information for AIX and Linux. This integration can be leveraged for encryption of AIX file systems and to help protect Linux Unified Key Setup (LUKS) encryption keys from being compromised. Hyper Protect Crypto Services acts as the single point of control to enable or disable access to data across the enterprise. Hyper Protect Crypto Services does this by successively wrapping encryption keys, with the ultimate control being a master key that resides in a hardware security module (HSM).

Distinguishing features

The distinguishing features and potential benefits of Hyper Protect Crypto Services on IBM Power Systems Virtual Server include the following:

  • Key control: Hyper Protect Crypto Services enables organizations to retain control of their data encryption keys. In contrast to Bring Your Own Key (BYOK) (which is more common in the industry), this capability is referred to as Keep Your Own Key (KYOK). BYOK requires that users trust another entity to handle their keys when bringing them to the cloud. KYOK, on the other hand, allows users to maintain control of their keys. Instead of handing the keys over to a program that stores the keys, an organization integrates the keys directly to the HSM. In this way, a user can keep their own keys within a dedicated customer-controlled module that the cloud service provider has no access to.
  • Security certification: Hyper Protect Crypto Services has data security procedures in place to help enterprises meet their security and compliance needs and protect their data in the cloud. Hyper Protect Crypto Services provides a dedicated hardware security module (HSM) to safeguard and manage cryptographic keys. Built on FIPS 140-2 Level 4 HSMs, Hyper Protect Crypto Services offers security for cloud-based HSMs and stores cryptographic key material without exposing keys outside of a cryptographic boundary.
  • Multicloud key management: Hyper Protect Crypto Services with Unified Key Orchestrator extends protection across cloud deployments. Organizations can manage keys for their internal keystores and across multiple cloud providers, including Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform. Their keys are protected by their own master key, which is stored in a hardware security module (HSM). You can manage the lifecycles of your keys from a single point of control, while the system keeps keys that are distributed in sync.
  • Integration with IBM Cloud Services: Organizations can integrate IBM Cloud services with Hyper Protect Crypto Services to build solutions to bring and manage their own encryption in the cloud. When they integrate a supported service with Hyper Protect Crypto Services, they enable envelope encryption for that service. With this integration, they can use a root key that they store in Hyper Protect Crypto Services to wrap the data encryption keys that encrypt their data at rest. For example, they can create a root key, manage the key in Hyper Protect Crypto Services and use the root key to protect the data that is stored across different cloud services.

Built on the ‘Keep Your Own Key’ technology, Unified Key Orchestrator helps enterprises manage their data encryption keys across multiple key stores and across multiple clouds environments, including keys managed on-premises or on IBM Cloud, AWS and Microsoft Azure.

Start reaping the benefits

Many firms have now embraced a multicloud strategy, hosting workloads in a more cost-effective location, whether that be a public cloud or the organization’s own data center. However, in this case, safeguarding your data using encryption requires managing keys in silos on-premises and across various clouds, which may make it difficult to demonstrate compliance efforts, establish the correct security posture and preserve data governance and sovereignty. Managing keys across a hybrid cloud environment can be expensive and involves extensive security knowledge, and shifting workloads necessitates security teams learning different cloud key lifecycle management platforms.

Unified Key Orchestrator provides enterprises with a single control plane for all their encryption keys. The keys themselves are protected by the customer’s own master key on the service’s HSM. Hyper Protect Crypto Services with Unified Key Orchestrator enables transfer of keys to internal and external keystores used by customer-accessible services like Microsoft’s Azure Key Vault, Google Cloud Platform and AWS KMS. The service functions as a central hub for backing up an organization’s keys and can quickly redistribute keys to recover from errors resulting from lost keys.

IBM Power Systems Virtual Server with Hyper Protect Crypto Services is now available in 15 data centers across the globe. You can integrate Hyper Protect Crypto Services with Power Systems Virtual Server instances to securely store and protect encryption key information for AIX and Linux. Please refer to the product guide for additional information. Contact IBM today to get started with IBM Power Systems Virtual Server with Hyper Protect Crypto Services.

Collaboration at work

To help meet clients’ needs for encryption on CLAI Payments Technologies’ financial application (which runs on IBM i in PowerVS), IBM collaborated with First National Technology Solutions (FNTS) to build an encryption service tile for the IBM Cloud Catalog. FNTS provides encryption services for IBM i on PowerVS via this tile, and the tile allows clients running CLAI applications on PowerVS to add encryption services to these applications and operate CLAI applications on PowerVS with the same security level as on-premises.

IBM has also collaborated with FalconStor Software to bring enterprise-class data protection, disaster recovery, ransomware protection and cloud migration to IBM Power workloads. The Virtual Tape Library solution is designed to enable hybrid backup to the cloud and on-premises clients to easily migrate IBM i, AIX and Linux workloads to PowerVS. With its integrated deduplication, the solution removes redundant copies of data, thereby reducing capacity requirements and minimizing replication time. Please see Virtual Tape Library for Power and Virtual Tape Library for PowerVS to get started with this solution.

Our collaboration with FNTS, CLAI Payment Technologies and FalconStor Software exemplifies our commitment to meet our clients’ needs and create a more robust offering. Let’s work together to see how IBM Power Systems Virtual Server can help drive success for your business.

More from Announcements

IBM Hybrid Cloud Mesh and Red Hat Service Interconnect: A new era of app-centric connectivity 

2 min read - To meet customer demands, applications are expected to be performing at their best at all times. Simultaneously, applications need to be flexible and cost effective, and therefore supported by an underlying infrastructure that is equally reliant, performant and secure as the applications themselves.   Easier said than done. According to EMA's 2024 Network Management Megatrends report only 42% of responding IT professionals would rate their network operations as successful.   In this era of hyper-distributed infrastructure where our users, apps, and data…

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

IBM and MuleSoft expand global relationship to accelerate modernization on IBM Power 

2 min read - As companies undergo digital transformation, they rely on APIs as the backbone for providing new services and customer experiences. While APIs can simplify application development and deliver integrated solutions, IT shops must have a robust solution to effectively manage and govern them to ensure that response times and costs are kept low for all applications. Many customers use Salesforce’s MuleSoft, named a leader by Gartner® in full lifecycle API management for seven consecutive times, to manage and secure APIs across…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters