March 10, 2020 By Michael Jordan

In my discussions with CIOs and CISOs in organizations around the globe, I’ve noticed a common concern. How can these organizations keep business and customer data private and protected as they transform for hybrid multicloud?

As the volume and complexity of data sharing grow, this concern is increasingly validated. According to the 2018 Third-Party Data Risk Study by Opus and Ponemon, 59 percent of companies experienced a data breach caused by a third party[1]. As research company Enterprise Management Associates (EMA) notes in a recent paper sponsored by IBM, data sharing is a common part of business today and data theft is almost as common[2]. And because applications span hybrid multicloud environments, much of your customer data may live in the public cloud and may be shared frequently with your external business partners.

Data security solutions to address these concerns exist, but many are siloed. As data moves from one place to another, it must be independently protected at every stop along the way, resulting in protection that can be fragmented rather than end-to-end. Organizations moving more workloads to hybrid multicloud environments must ensure that data within these environments is protected effectively.

Read on to learn how recent enhancements to the IBM Z® platform help you keep data protected and private in the hybrid multicloud.

Extend data privacy and protection with Data Privacy Passports

One advantage IBM Z enjoys when it comes to security is that we own the z/OS operating system and software stack. This allows us to design security into the platform from the chip to the software stack, and continuously innovate and react to or anticipate customer needs by adding new capabilities. Recently we announced IBM Data Privacy Passports, a data privacy and security enforcement solution with off-platform access revocation. Now you can protect data and provide need-to-know access to data as it moves away from the system of record. Just as a passport allows you to travel beyond your home country’s borders with your government’s protection, Data Privacy Passports allows data to move beyond your data center while retaining the protection provided on IBM Z.

Securely build, deploy and manage mission-critical applications with IBM Hyper Protect Virtual Servers

Many technologies aim to protect applications in production, but the build phase may expose applications to vulnerabilities. IBM Hyper Protect Virtual Servers are designed to protect Linux® workloads on IBM Z and LinuxONE throughout the application lifecycle by combining several built-in capabilities from the hardware, firmware and operating system. You can build applications with integrity through a secure build Continuous Integration/Continuous Delivery (CI/CD) pipeline flow. Through this CI/CD pipeline, developers can validate the code that is used to build their images, which helps reassure their users of the integrity level of their applications. After deploying, administrators can use RESTful APIs to manage the application infrastructure without having access to those applications or their sensitive data.

Clients such as KORE Technologies and Phoenix Systems can address tampering and unauthorized access to data by isolating memory and restricting command-line access for administrators. “It’s crucial that we can push code out to our customer environments quickly and efficiently,” says Isabella Brom, COO at KORE Technologies. “With IBM Hyper Protect Virtual Servers we can do that, while protecting our clients’ digital assets from compromise either from outside or from within.”

Protect data in flight with IBM Fibre Channel Endpoint Security

With pervasive encryption, you can decouple data protection from data classification by encrypting data for an application or database without requiring costly application changes. The design of new IBM Fibre Channel Endpoint Security for IBM z15™ extends the value of pervasive encryption by protecting data flowing through the Storage Area Network (SAN) from IBM z15™ to IBM DS8900F or between Z platforms. This occurs independent of the operating system, file system, or access method in use, and can be used in combination with full disk encryption to ensure SAN data is protected both in-flight and at-rest.

Redact sensitive data with IBM Z Data Privacy for Diagnostics

Even though IBM has earned a reputation for being a stable platform, problems do occur, and diagnosing these problems often requires organizations to send diagnostic reports to IBM or other vendors. It is possible for sensitive data to be captured as part of the error reporting process, and there is no easy way for an organization to determine what data has been captured. This can pose a problem for compliance with data privacy regulations. With IBM Z Data Privacy for Diagnostics, a z/OS capability available on IBM z15™, you maintain control when working with third-party vendors by redacting data tagged as sensitive and creating a protected diagnostic dump that can be shared externally.

[1] 2018 Data Risk in the Third-Party Ecosystem: Third Annual Study. Opus and Ponemon Institute, 2018. Written permission to use stat received 5 March 2020.  URL:

[2] “Managing Data in a Dangerous World: The State of Data Protection.” Enterprise Management Associates. Paper commissioned by IBM. URL:
