Enterprise clients on a digital transformation journey are looking to move workloads to the public cloud.
However, we have seen that customers are still wary of moving sensitive data and associated workloads. Per the 2019 report by the Ponemon Institute, sponsored by IBM Security*, the average cost of a data breach is $3.92M. Customers, especially in regulated industries like the Financial Services Sector and Healthcare, seem to prefer to use their own cloud encryption keys to be assured no one has access to these keys. In many cases, clients are finding this is also necessary to meet their regulatory compliance requirements.
To cater to this growing need, IBM and HyTrust are announcing the industry’s highest certified level of protection** for data encryption keys through the integration of HyTrust DataControl Virtual Workload Protection Solution with IBM Cloud Hyper Protect Crypto Services (HPCS), a single-tenant, dedicated, customer-controlled cloud Hardware Security Module (HSM) service.
IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect Crypto Services is built on the industry’s first and only FIPS 140-2 Level 4 certified Hardware Security Module (HSM)*** available in the public cloud. The Level 4 certification provides industry-leading protection against tampering with the HSM. Level 4, in part, requires physical security mechanisms and tamper response when it detects various forms of environmental attack (e.g., voltage or temperature fluctuations).
If any threat is detected, keys stored in the device are automatically erased, thereby protecting critical virtual resources protected by these keys. Additionally, the service runs in IBM LinuxONE secured enclaves in the IBM Cloud, which provides functionality so that no one, including cloud admins, has access to encryption keys at any point. The fully managed HSM can save customers the time and effort of provisioning and maintaining the hardware and allows customers to easily add additional instances when they need to scale, whether on-premises, in the cloud, or in a hybrid cloud model.
HyTrust DataControl is a universal virtual workload protection solution that empowers VMware virtual admins to quickly and safely encrypt sensitive workloads on-premises and in the hybrid cloud.
The integration between HyTrust DataControl and IBM Cloud Hyper Protect Crypto Services enables a level of encryption key protection never before possible. Encryption key lifecycle management operations (create, delete, store, and expiry) move from the key management server (KMS) to the HSM, such that upon tampering with the HSM, the affected encryption keys are automatically destroyed, including downstream encryption keys. Critical virtual resources remain protected by DataControl and IBM Cloud Hyper Protect Crypto Services. HyTrust-enabled VMware customers can comfortably extend their environment into IBM Cloud while maintaining the security and control they need.
Customer benefits from the HyTrust-Hyper Protect Crypto Services integration
- Workload lifecycle encryption management—from boot to decommissioning—with complete control of encryption keys.
- Support for Keep Your Own Key (i.e., maintain exclusive control of the encryption keys and full key hierarchy, including the HSM Master Key).
- Zero downtime VMware workload encryption and rekeying; encryption travels with VM.
- Data encryption and controls on privileged access, which mitigates risk of data compromise and supports regulatory compliance.
- Flexibility for extending encryption operations to the cloud in a hybrid model.
IBM Cloud’s commitment to security
As part of a long-standing relationship between IBM Cloud and HyTrust, this current collaboration only strengthens the security capabilities of the existing IBM Cloud Secure Virtualization (ICSV) solution offered by IBM Cloud, VMware, HyTrust, and Intel. By both building on ICSV infrastructure and utilizing the HyTrust-Hyper Protect Crypto Services element, clients can take advantage of these powerful solutions in an integrated model for the most effective data security controls in the Cloud.
Our commitment to security was on full display at VMworld US in August 2019, when IBM Cloud announced integration of the Caveonix and Fortinet platforms with the IBM Cloud Secure Virtualization solution. This new service package for workload security and compliance readiness, incorporated with the Hyper Protect Crypto Services solution, allows IBM Cloud to drive a more comprehensive security approach aimed to protect workloads from different threat vectors in the stack. As a secure by design platform, IBM Cloud for VMware Solutions has been purpose-built for the most highly regulated and business-critical workloads.
*** The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to approve cryptographic modules. It is issued by the National Institute of Standards and Technology (NIST). Level 4 is the highest level of security.