Announcing the general availability of IBM Cloud Hyper Protect Crypto Services
Protecting data in the cloud can be a daunting exercise for customers. When it comes to moving sensitive and confidential data to the cloud, especially in regulated industries like FSS and Healthcare, customers require the use of their own data encryption keys and want to be assured that no one has access to these keys. In many cases, this is necessary to meet regulatory compliance requirements.
IBM offers now two choices for key management. IBM Cloud Key Protect supports Bring Your Own Key (BYOK) for protecting data at rest. Today, IBM Cloud is announcing the general availability of IBM Cloud Hyper Protect Crypto Services, a dedicated Key Management and Cloud HSM Service designed especially for customers looking for greater control over their data encryption keys and the hardware security modules (HSMs) that protect these keys. The service is now available in US South region, based out of Dallas, Texas.
Hyper Protect Crypto Services supports Keep Your Own Key (KYOK), which allows data encryption keys to be protected by a dedicated, customer-controlled HSM that uses FIPS 140-2 Level 4 certified hardware. Built on IBM LinuxONE technology and being part of the IBM Cloud Hyper Protect portfolio of services, this service guarantees that privileged users—including IBM Cloud administrators—have no access to customer keys. This provides an ideal base to onboard sensitive apps to the cloud. Key Protect and IBM Cloud Hyper Protect Crypto Services use a common Key Provider API to provide a consistent approach for managing keys.
What’s new for GA
High availability and disaster recovery: IBM Cloud Hyper Protect Crypto Services, which now supports three availability zones in a selected region, is a highly available service with automatic features that help keep your applications secure and operational. You can create IBM Cloud Hyper Protect Crypto Services resources in the supported IBM Cloud regions, which represent the geographic area where your IBM Cloud Hyper Protect Crypto Services requests are handled and processed.
Scalability: The service instance can be scaled out to a maximum of six crypto units to meet your performance requirement. Each crypto unit can crypto-process 5,000 keys. In a production environment, it is recommended to select at least two crypto units to enable high availability. By selecting three or more crypto units, these crypto units are distributed among three availability zones in the selected region.
Transition from Beta
If you already have an existing service instance, please move to the GA service at your earliest convenience. The service is provisioned in the IBM Cloud catalog; select Security and Identity -> Hyper Protect Crypto Services.
To transit keys from a Beta service instance to a GA instance, please follow the migration procedure documented here.
End of Beta Date: March 31, 2019
As of March 3, 2019, you cannot provision any new Hyper Protect Crypto Services Beta instances. However, existing Beta instances will continue to be supported until the End of Beta Support Date.
End of Beta Support Date: April 30, 2019
- For a period of 30 days after the End of Beta Date (through April 30, 2019), all existing Beta instances will continue to be available on the Services dashboard in the IBM Cloud console. All existing instances will also continue to be supported by IBM Cloud Hyper Protect Crypto Services.
- Any Beta instances still provisioned as of the End of Beta Support Date will be deleted.
- Please migrate your keys to IBM Cloud Hyper Protect Crypto Services GA instances and delete your Beta service instances before April 30, 2019.
Start using IBM Cloud Hyper Protect Crypto Services today!