By Chris Rosen Sowmya Nataraj 3 min read
November 14, 2019

Announcing the integration of Red Hat OpenShift on IBM Cloud and IBM Cloud Kubernetes Service with IBM Cloud Hyper Protect Crypto Services.

Moving confidential data and workloads to the cloud brings up challenges with ensuring the right security controls are in place to protect the data. Customers want to ensure that their data and IP are safe from both internal and external threats. IBM recently announced industry-leading security capabilities to enable enterprise customers who are looking to store highly sensitive data in the public cloud.

The industry’s highest level of encryption key protection is now available for IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud through integration with IBM Cloud Hyper Protect Crypto Services.

What is IBM Cloud Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services is a single-tenant Key Management Service and a Cloud Hardware Security Module (HSM) service. Key vaulting is provided by dedicated, customer-controlled cloud HSMs that are built on FIPS 140-2 Level 4-certified (tamper-proof) hardware, the highest offered by any cloud provider in the industry. The service offers Keep Your Own Key (KYOK) capabilities, which allow customers to have exclusive key control— only authorized users have access (no privileged users, including IBM Cloud admins, have access) to encryption keys.

What is Red Hat OpenShift on IBM Cloud?

Red Hat OpenShift on IBM Cloud is a managed service that simplifies deployment and configuration of the OpenShift Container Platform. As a managed service, IBM will automate initial provisioning as well as ongoing maintenance, including operating system patches, vulnerability remediation, and any updates in the OpenShift stack. 

What is the IBM Cloud Kubernetes Service?

IBM Cloud Kubernetes Service is a managed container service offering that leverages Kubernetes as the container orchestration solution. It delivers powerful management tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications, all while leveraging Cloud Services and cognitive capabilities from Watson. As a certified CNCF K8s provider, IBM Cloud Kubernetes Service provides native Kubernetes capabilities like intelligent scheduling, self-healing, horizontal scaling, service discovery and load balancing, automated rollouts and rollbacks, and secret and configuration management.

Protecting sensitive data in applications

When it comes to cloud native applications built with Kubernetes, data protection should cover both Kubernetes secrets and the persistent datastores used by the apps. IBM Cloud Kubernetes Service already provides support for Bring Your Own Key (BYOK) through integration with IBM Key Protect. Key Protect is a multi-tenant service with key vaulting provided by IBM-controlled, FIPS 140-2 Level 3 certified Hardware Security Modules (HSM).

Exclusive key control with KYOK

Customers looking to safeguard highly sensitive data want to use their own keys for encryption and also require complete control of their encryption keys. For these customers, Hyper Protect Crypto Services provides exclusive control over the entire key hierarchy, including the master key of the HSM that protects the secrets. The Level-4 certification assures that the HSM is tamper-proof—it can sense any attempt to compromise the HSM via physical, chemical, or environmental changes and immediately responds by auto-erasing the keys stored, which then invalidates the data that the keys protect.

  • Kubernetes secrets: A secret is an object that stores sensitive data like a password, a token, or a key. There are built-in secrets that are created automatically by Kubernetes, such as the secret containing credentials for access the API endpoint. There are also user-created secrets, such as storing access information to leverage other IBM Cloud services, including Watson and IBM Cloud Container Registry. By default, the Kubernetes master (API server) stores secrets as base64 encoded plain text in etcd. In order to enable customer-managed encryption control for the secrets, IBM Kubernetes Service now provides support for Keep Your Own Key (KYOK) through integration with Hyper Protect Crypto Services.
  • Persistent datastores used by the app: IBM Cloud Kubernetes Service allows customers to store data on persistent storage. Supported storage types include VPC Block Storage and Cloud Object Storage, both of which integrate with Hyper Protect Crypto Services to provide customers with KYOK capability.

The KYOK integration is also available for Red Hat OpenShift on IBM Cloud for protection of Kubernetes secrets.

Learn more

For more information, see “Protecting sensitive information in your cluster.”

For general questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.

Categories

Cloud  |  compute
Chris Rosen
Program Director, Offering Management
Sowmya Nataraj
Offering Manager, IBM Cloud Hyper Protect Services

More from Cloud
October 2, 2023

IBM Tech Now: October 2, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 86 On this episode, we're covering the following topics: AI on IBM Z IBM Maximo Application Suite 8.11 IBM NS1 Connect Stay plugged in You can check out the IBM Blog Announcements for a…

September 29, 2023

IBM Cloud inactive identities: Ideas for automated processing

4 min read - Regular cleanup is part of all account administration and security best practices, not just for cloud environments. In our blog post on identifying inactive identities, we looked at the APIs offered by IBM Cloud Identity and Access Management (IAM) and how to utilize them to obtain details on IAM identities and API keys. Some readers provided feedback and asked on how to proceed and act on identified inactive identities. In response, we are going lay out possible steps to take.…

September 26, 2023

IBM Cloud VMware as a Service introduces multitenant as a new, cost-efficient consumption model

4 min read - Businesses often struggle with ongoing operational needs like monitoring, patching and maintenance of their VMware infrastructure or the added concerns over capacity management. At the same time, cost efficiency and control are very important. Not all workloads have identical needs and different business applications have variable requirements. For example, production applications and regulated workloads may require strong isolation, but development/testing, training environments, disaster recovery sites or other applications may have lower availability requirements or they can be ephemeral in nature,…

September 26, 2023

IBM accelerates enterprise AI for clients with new capabilities on IBM Z

5 min read - Today, we are excited to unveil a new suite of AI offerings for IBM Z that are designed to help clients improve business outcomes by speeding the implementation of enterprise AI on IBM Z across a wide variety of use cases and industries. We are bringing artificial intelligence (AI) to emerging use cases that our clients (like Swiss insurance provider La Mobilière) have begun exploring, such as enhancing the accuracy of insurance policy recommendations, increasing the accuracy and timeliness of…