Have questions about the ability to manage the encryption of your data in the IBM Cloud Security and Compliance Center? We're here to help!
When you work with the IBM Cloud Security and Compliance Center, data accumulates as part of the scans that are run on your resources. If you work in a highly regulated industry, it is important to understand how to manage the encryption of the generated data. As we mentioned in our previous blog, you can now cryptographically protect your data by using your own keys.
How can I check which key is being used in the Security and Compliance Center?
You might use the same keys for many different purposes within IBM Cloud. The Security and Compliance Center marks an association with the keys that it uses to secure the data. Check out the following image to see how to view the association:
To protect against the accidental loss of keys, you cannot delete a key that is associated with the Security and Compliance Center without first disabling the connection, which lets you remove the data.
If I disable a key, how long does it take the service to detect it?
The Security and Compliance Center is configured to detect key disable events through standard IBM crypto eraser capabilities. To see how quickly the service responds when a key is disabled, try disabling a key and then navigate to the Findings page of the UI. Within a few seconds, you will see a response similar to the one shown in the following image:
If you suspect that your data or key has been compromised, you can disable the keys in Key Protect until you're sure it's safe, and then re-enable them. Shredding data like this is called crypto shredding.
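To make the two answers above concrete, here is an added example (not IBM code and not the Key Protect or Security and Compliance Center API) of the envelope-encryption pattern that makes disabling a root key work as crypto shredding. An in-memory `KeyService`, a `rootKey` type and a `Record` type are all constructed for this illustration: each stored record is encrypted under its own data encryption key (DEK), the DEK is wrapped by a root key that never leaves the key service, and a disabled root key refuses to wrap or unwrap, so every record it protects becomes unreadable until the key is re-enabled. The error returned on the failed unwrap is the signal a consuming service can turn into a finding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDisabled is returned for any wrap/unwrap attempt against a disabled
// root key; a consuming service can map it to a "key disabled" finding.
var ErrKeyDisabled = errors.New("root key is disabled")

// rootKey is a hypothetical stand-in for a KMS root key. The raw key material
// is held only inside the AEAD and is never returned to callers.
type rootKey struct {
	aead    cipher.AEAD
	enabled bool
}

// KeyService is a constructed, in-memory key manager for this example only.
type KeyService struct {
	keys map[string]*rootKey
}

func NewKeyService() *KeyService { return &KeyService{keys: map[string]*rootKey{}} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// CreateRootKey generates a 256-bit AES root key inside the service.
func (s *KeyService) CreateRootKey(id string) error {
	raw, err := randomBytes(32)
	if err != nil {
		return err
	}
	aead, err := newGCM(raw)
	if err != nil {
		return err
	}
	s.keys[id] = &rootKey{aead: aead, enabled: true}
	return nil
}

// SetEnabled disables (crypto-shreds) or re-enables a root key.
func (s *KeyService) SetEnabled(id string, enabled bool) error {
	k, ok := s.keys[id]
	if !ok {
		return fmt.Errorf("unknown key %q", id)
	}
	k.enabled = enabled
	return nil
}

// usable returns the root key only if it exists and is enabled.
func (s *KeyService) usable(id string) (*rootKey, error) {
	k, ok := s.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", id)
	}
	if !k.enabled {
		return nil, ErrKeyDisabled
	}
	return k, nil
}

// sealBlob returns nonce||ciphertext under a fresh random nonce.
func sealBlob(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openBlob reverses sealBlob and authenticates the ciphertext.
func openBlob(aead cipher.AEAD, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// WrapDEK and UnwrapDEK are the only operations that touch the root key.
func (s *KeyService) WrapDEK(id string, dek []byte) ([]byte, error) {
	k, err := s.usable(id)
	if err != nil {
		return nil, err
	}
	return sealBlob(k.aead, dek)
}

func (s *KeyService) UnwrapDEK(id string, wrapped []byte) ([]byte, error) {
	k, err := s.usable(id)
	if err != nil {
		return nil, err
	}
	return openBlob(k.aead, wrapped)
}

// Record is what a data service stores: ciphertext under a per-record DEK
// plus that DEK wrapped by the root key. The plaintext DEK is never stored.
type Record struct {
	RootKeyID  string
	WrappedDEK []byte
	Ciphertext []byte
}

func EncryptRecord(s *KeyService, rootID string, plaintext []byte) (*Record, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct, err := sealBlob(aead, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := s.WrapDEK(rootID, dek)
	if err != nil {
		return nil, err // a disabled root key blocks new writes too
	}
	return &Record{RootKeyID: rootID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(s *KeyService, r *Record) ([]byte, error) {
	dek, err := s.UnwrapDEK(r.RootKeyID, r.WrappedDEK)
	if err != nil {
		return nil, err // ErrKeyDisabled while the root key is disabled
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return openBlob(aead, r.Ciphertext)
}

func main() {
	svc := NewKeyService()
	if err := svc.CreateRootKey("scc-root"); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(svc, "scc-root", []byte("constructed sample scan result"))
	if err != nil {
		panic(err)
	}
	_ = svc.SetEnabled("scc-root", false)
	_, err = DecryptRecord(svc, rec)
	fmt.Println("while disabled:", err)
	_ = svc.SetEnabled("scc-root", true)
	pt, err := DecryptRecord(svc, rec)
	fmt.Printf("after re-enable: %s (err=%v)\n", pt, err)
}
```

The point of the design is that the data service never holds the root key, so it cannot bypass the disable: re-reading the record needs a fresh unwrap, which fails with `ErrKeyDisabled` for as long as the key stays disabled and succeeds again once it is re-enabled, which is exactly the behaviour the two answers above describe. Deleting the root key instead of disabling it would make the same records permanently unrecoverable.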
Is there a way to watch the keys and be alerted to any change?
One of the most important aspects of keeping your data safe is visualizing your security posture. Luckily, Security Insights has an answer for this. You can use Activity Insights to continuously monitor your keys and be alerted if any change occurs.
What if I need the highest level of security?
Although IBM Key Protect for IBM Cloud fully protects your data, you might want to enable another level of security. The Security and Compliance Center is also integrated with IBM Cloud Hyper Protect Crypto Services, which is a single-tenant key management service that is backed by a FIPS 140-2 Level 4 certified Hardware Security Module (HSM). Hyper Protect Crypto Services supports keep your own key (KYOK) and bring your own key (BYOK) functionality.
What are some best practices?
When you work with Security and Compliance Center data, there are a few best practices to keep in mind to ensure that your data is always secure.
In Key Protect, you can assign various levels of access to limit the number of people who have access to your keys. You can also update that access later if you need to tighten security around your data.
How can I get started?
To get started, read the announcement blog and then enable your own encryption in the Data Settings tab of the service UI.
In order to ensure that we are helping you to deliver on your own mission, we'd like to hear from you with any feedback that you might have. To share your questions, comments, raves or concerns with us, use the Feedback button that can be found on any page of cloud.ibm.com.