We’re taking another step forward in our mission to help you achieve continuous security and compliance by giving you the option to manage your own data encryption.
Organizations in many industries — such as financial institutions — are required to meet policies and controls that ensure that they are abiding by regulatory compliance obligations. These highly regulated institutions, along with the providers that service them, require a secure framework that helps to validate the standards that they must meet, such as data security controls. Complete control of data — including the encryption and security of it — is a key requirement for organizations that run sensitive workloads and applications in the cloud. With the Security and Compliance Center, not only can you validate that your workload and application data is managed correctly, but you can also own and manage the encryption for the data that is generated by the service.
What kind of data is generated by the service?
When you work with the Security and Compliance Center, you have the option to own encryption for the data that is generated by either Security Insights or compliance scans that are run on your resources. However, customer-managed encryption for Configuration Governance is not available at this time.
Compliance scans are run on your resources to help determine your adherence to the internal and external regulations that you must meet for your industry:
- To run compliance scans, you must first create and install a collector that has access to your resources.
- Next, you complete your set-up steps, such as determining whether to own your encryption, creating a scan by targeting a specific area of your organization, providing credentials and choosing which goals you'd like to validate your resources against.
- When it's time, the Security and Compliance Center tells the collector to start scanning your resources.
- The scan is run and the results are returned through the collector.
- The collector forwards the results to a database, where they are stored for 30 days.
- Your results are analyzed to determine your current posture and then displayed as a summary in a dashboard.
- If you need to keep your results for longer, you can always download your results and store them in an IBM Cloud Object Storage bucket that you own and manage.
Security Insights generates data that is related to your current security posture:
- To get started with Security Insights, you configure your data settings and enable the Insights options for which you want to monitor.
- The service continuously monitors your VPC flow logs, Activity Tracker with LogDNA data, custom security tools or your integrations with our business partners (such as Caveonix) for potential risk.
- When a finding is flagged, it is forwarded to a database and stored for up to 90 days. Findings contain information about configuration issues, potential vulnerabilities or custom information as defined by you.
- The findings are also displayed in the Insights dashboard of the Security and Compliance Center to give you a place to review and remediate findings as they're found.
How does encryption work by default?
Security and Compliance Center uses a process called envelope encryption to implement IBM or customer-managed encryption keys. By default, the encryption keys that secure your data are generated on your behalf through Key Protect and managed by IBM. If you want to take advantage of Bring Your Own Key (BYOK) or Keep Your Own Key (KYOK) capabilities, you can manage your own encryption through one of the integrated key management services.
How can I enable my own encryption?
Depending on your use case and security requirements, the key management service that is most suited for your organization's needs can vary. For a more detailed comparison of the services, see "How is Hyper Protect Crypto Services different from Key Protect?"
- IBM Key Protect for IBM Cloud: Key Protect helps you provision encrypted keys for your applications and IBM Cloud services. As you manage the lifecycle of your keys, you can benefit from knowing that your keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect against the theft of information. With the service, you can wrap your data encryption keys with a highly secure root key that you can either bring yourself or generate through the service.
- IBM Cloud Hyper Protect Crypto Services: Hyper Protect Crypto Services is a dedicated key management service and HSM that provides you with the Keep Your Own Key capability for cloud data encryption. Built on FIPS 140-2 Level 4 certified hardware, Hyper Protect Crypto Services allows you to have exclusive control of your encryption keys. In addition to the BYOK capabilities, KYOK provides technical assurance that IBM cannot access the customer keys. With KYOK, you have exclusive control of the entire key hierarchy including the master key.
How can I get started?
If you're already using the Security and Compliance Center to monitor your current posture, you can enable your own encryption in the Data Settings tab of the service UI. But, before you do, be sure that you have the correct IAM policies in place:
New to the Security and Compliance Center? Try walking through our step-by-step tutorial to get started. Or, to learn more about how to manage encryption settings for your Security and Compliance Center data, see "Enabling customer-managed keys."
In order to ensure that we are helping you to deliver on your own mission, we'd like to hear from you with any feedback that you might have. To share your questions, comments, raves or concerns with us, use the Feedback button that can be found on any page of cloud.ibm.com.