March 3, 2021 By Seongwook Park
Alex McMullen
3 min read

You want technical assurance that the environment you are creating has not been tampered with; the Secure Build process verifies the authenticity.

Since the addition of Bring Your Own Image to deploy custom images in IBM Cloud Hyper Protect Virtual Servers, clients are finding that there are countless opportunities to secure workloads in a public cloud environment. You can bring any supported type of image from a repository of your choosing, such as IBM Cloud Registry or Docker Hub, and gain the security benefits of Hyper Protect. As you work with these new customized environments, the cloud admin lockout is key to protecting applications in the cloud, but what about internal threats? You need a process to verify that a custom image is deployed with no tampering.

What are IBM Cloud Hyper Protect Virtual Servers?

Designed to address the topmost security concerns, Hyper Protect Virtual Servers provide a confidential computing environment to protect data and applications. Hyper Protect Virtual Servers provide technical assurance that workloads are protected in the cloud, meaning there is technology that prevents access by unauthorized users. Not even IBM Cloud administrators have access — a key differentiator. There is more than just an operational assurance, or promise, that IBM will not access the virtual server. All of this comes without sacrificing on performance or scalability.

What is Secure Build?

Secure Build is a process to build and deploy images using a trusted source and method. It creates a repeatable and definable process to create the images that is approved by the organization — in this case, you. This includes security checks throughout to verify that nothing abnormal or malicious is included in the containerized image. If any of these checks fail, the image will be rejected. In addition, the build automation process itself is encrypted within its own enclave, protected from all tampering. In summary, Secure Build allows you to inject audit capabilities in the build process, which ensures all images that are published and deployed are approved and signed by a security audit team.

This process starts with the developer writing the code for an application, all the way over to the final product that is deployed and maintained within the Virtual Server. The process guarantees the integrity of an image by inspecting each image before it is deployed and checks against the defined Secure Build Process so that it can verify what content resides within the image and that only authorized users can see the application, which protects against even internal administrators. This process can even be expanded out to include multiple users for an approval process, similar to requiring multiple authentications to unlock a secret.

How to use

When deploying an image using the Secure Build process, the enclave is highly isolated, meaning that developers must use a specific API to access the Secure Build Server (SBS). Neither Service Provider Admins (IBM Cloud Admins) nor System Admins (internal) can access the SBS or its contents. The application image created by the SBS (together with other relevant build output, such as the manifest file and encrypted registration file) is highly secured.

There are a couple easy steps to build an image using the Secure Build Process:

  1. Set up a Secure Build Server instance and use the Command Line Interface (CLI) to start the build using this instance.
  2. Pull the source code from a repository (such as GitHub) and use the source code’s Dockerfile to build an image.
  3. Sign the image and push it to a container registry (such as IBM Container Registry or Docker Hub).
  4. Create the manifest file and sign it (this verifies the source of the image and the integrity of the build).
  5. Create an encrypted registration file.
  6. Provision an instance of the application on Hyper Protect Virtual Servers using Bring Your Own Image.

For more details, please visit the Secure Build documentation and check out this tutorial — Using a Secure Build Server with a Digital Wallet.

Get started today

All users can get started with a 30-day free trial period to evaluate a Hyper Protect Virtual Servers instance. Try it now!

IBM Cloud Hyper Protect Virtual Servers are available today in the following Multi-Zone Regions (MZRs): Dallas, Washington D.C., Frankfurt and Sydney

Additional resources

More from Cloud

A clear path to value: Overcome challenges on your FinOps journey 

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

24 IBM offerings winning TrustRadius 2024 Top Rated Awards

2 min read - TrustRadius is a buyer intelligence platform for business technology. Comprehensive product information, in-depth customer insights and peer conversations enable buyers to make confident decisions. “Earning a Top Rated Award means the vendor has excellent customer satisfaction and proven credibility. It’s based entirely on reviews and customer sentiment,” said Becky Susko, TrustRadius, Marketing Program Manager of Awards. Top Rated Awards have to be earned: Gain 10+ new reviews in the past 12 months Earn a trScore of 7.5 or higher from…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters