Enterprise clients on a digital transformation journey are looking to move workloads to the public cloud.

However, we have seen that customers are still wary of moving sensitive data and associated workloads. Per the 2019 report by the Ponemon Institute, sponsored by IBM Security*, the average cost of a data breach is $3.92M. Customers, especially in regulated industries like the Financial Services Sector and Healthcare, seem to prefer to use their own cloud encryption keys to be assured no one has access to these keys. In many cases, clients are finding this is also necessary to meet their regulatory compliance requirements.

To cater to this growing need, IBM and HyTrust are announcing the industry’s highest certified level of protection** for data encryption keys through the integration of HyTrust DataControl Virtual Workload Protection Solution with IBM Cloud Hyper Protect Crypto Services (HPCS), a single-tenant, dedicated, customer-controlled cloud Hardware Security Module (HSM) service.

IBM Cloud Hyper Protect Crypto Services

IBM Cloud Hyper Protect Crypto Services is built on the industry’s first and only FIPS 140-2 Level 4 certified Hardware Security Module (HSM)*** available in the public cloud. The Level 4 certification provides industry-leading protection against tampering with the HSM. Level 4, in part, requires physical security mechanisms and tamper response when it detects various forms of environmental attack (e.g., voltage or temperature fluctuations).

If any threat is detected, keys stored in the device are automatically erased, thereby protecting critical virtual resources protected by these keys. Additionally, the service runs in IBM LinuxONE secured enclaves in the IBM Cloud, which provides functionality so that no one, including cloud admins, has access to encryption keys at any point. The fully managed HSM can save customers the time and effort of provisioning and maintaining the hardware and allows customers to easily add additional instances when they need to scale, whether on-premises, in the cloud, or in a hybrid cloud model.

HyTrust DataControl

HyTrust DataControl is a universal virtual workload protection solution that empowers VMware virtual admins to quickly and safely encrypt sensitive workloads on-premises and in the hybrid cloud.

The integration between HyTrust DataControl and IBM Cloud Hyper Protect Crypto Services enables a level of encryption key protection never before possible. Encryption key lifecycle management operations (create, delete, store, and expire) move from the key management server (KMS) to the HSM, such that upon tampering with the HSM, the affected encryption keys are automatically destroyed, including downstream encryption keys. Critical virtual resources remain protected by DataControl and IBM Cloud Hyper Protect Crypto Services. HyTrust-enabled VMware customers can comfortably extend their environment into IBM Cloud while maintaining the security and control they need.

Customer benefits from the HyTrust-Hyper Protect Crypto Services integration

  • Workload lifecycle encryption management—from boot to decommissioning—with complete control of encryption keys.
  • Support for Keep Your Own Key (i.e., maintain exclusive control of the encryption keys and full key hierarchy, including the HSM Master Key).
  • Zero downtime VMware workload encryption and rekeying; encryption travels with VM.
  • Data encryption and controls on privileged access, which mitigates risk of data compromise and supports regulatory compliance.
  • Flexibility for extending encryption operations to the cloud in a hybrid model.

IBM Cloud’s commitment to security

As part of a long-standing relationship between IBM Cloud and HyTrust, this current collaboration only strengthens the security capabilities of the existing IBM Cloud Secure Virtualization (ICSV) solution offered by IBM Cloud, VMware, HyTrust, and Intel. By both building on ICSV infrastructure and utilizing the HyTrust-Hyper Protect Crypto Services element, clients can take advantage of these powerful solutions in an integrated model for the most effective data security controls in the cloud.

Our commitment to security was on full display at VMworld US in August 2019, when IBM Cloud announced integration of the Caveonix and Fortinet platforms with the IBM Cloud Secure Virtualization solution. This new service package for workload security and compliance readiness, incorporated with the Hyper Protect Crypto Services solution, allows IBM Cloud to drive a more comprehensive security approach aimed at protecting workloads from different threat vectors in the stack. As a secure-by-design platform, IBM Cloud for VMware Solutions has been purpose-built for the most highly regulated and business-critical workloads.

* The Cost of a Data Breach Report – 2019

** IBM PCIe Crypto Card

*** The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to approve cryptographic modules. It is issued by the National Institute of Standards and Technology (NIST). Level 4 is the highest level of security.

