Data security is critical, and it is a shared responsibility.
With ever-changing market dynamics and clients needing to support multiple use cases within their environments, Cloud Service Providers are held to higher standards when it comes to satisfying technology requirements. Chief among these requirements is the security of end-user data in storage.
At IBM, the security of client data is always a top priority. However, it is equally important for our clients to understand that data security is a shared responsibility. A good number of data security breaches could be prevented by ensuring that strict access control policies are in place and enforced throughout the data lifecycle. IBM is committed to sharing this responsibility with our clients to help ensure that they feel confident in storing data on IBM Cloud (see the “Security in the IBM Cloud” page for more information).
Security in IBM Cloud Object Storage
Designed and built with IBM’s best practices for security, IBM Cloud Object Storage provides our clients with the ability to securely store large volumes of unstructured data in a cost-effective way. Here are some of the security features included in the offering:
Secure to the Core
IBM Cloud Object Storage uses SecureSlice™ technology, which combines an Information Dispersal Algorithm (IDA) with an All-or-Nothing Transform (AONT) to ensure data confidentiality, integrity, and availability. With SecureSlice™, data slices are distributed across multiple geographic locations (or devices within a single data center) and are always encrypted, and no full copy of the data exists on any individual storage node.
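The Python below is an added example, not IBM's SecureSlice implementation: it applies a package-style all-or-nothing transform and then splits the result into slices, so that no slice holds readable data and a single lost slice can be rebuilt. The SHA-256 keystream, the 16-byte canary, the XOR-parity dispersal and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

CANARY = b"\x00" * 16  # known trailer; garbled on decode if any byte was missing or changed

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: stdlib stand-in for a real cipher (assumption).
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def aont_package(data: bytes) -> bytes:
    """Encrypt under a random key, then hide the key behind a hash of the whole ciphertext."""
    key = secrets.token_bytes(32)
    body = _xor(data + CANARY, _keystream(key, len(data) + len(CANARY)))
    return body + _xor(key, hashlib.sha256(body).digest())

def aont_unpackage(package: bytes) -> bytes:
    body, masked_key = package[:-32], package[-32:]
    key = _xor(masked_key, hashlib.sha256(body).digest())  # needs every byte of body
    plain = _xor(body, _keystream(key, len(body)))
    if plain[-len(CANARY):] != CANARY:
        raise ValueError("package incomplete or modified")
    return plain[:-len(CANARY)]

def disperse(package: bytes, k: int) -> list:
    """Split into k data slices plus one XOR parity slice (toy dispersal, assumption)."""
    size = -(-len(package) // k)  # ceiling division
    padded = package.ljust(size * k, b"\x00")
    slices = [padded[i * size:(i + 1) * size] for i in range(k)]
    parity = slices[0]
    for s in slices[1:]:
        parity = _xor(parity, s)
    return slices + [parity]

def rebuild(slices: list, length: int) -> bytes:
    """Reassemble the package from k+1 slots, at most one of which is None."""
    missing = [i for i, s in enumerate(slices) if s is None]
    if len(missing) > 1:
        raise ValueError("too few slices to rebuild")
    if missing:
        present = [s for s in slices if s is not None]
        recovered = present[0]
        for s in present[1:]:
            recovered = _xor(recovered, s)
        slices = slices[:missing[0]] + [recovered] + slices[missing[0] + 1:]
    return b"".join(slices[:-1])[:length]
```

Because the key is masked with a hash of the entire ciphertext, a holder of only some slices cannot recover the key, and any altered byte changes the derived key and fails the canary check.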
By default, all objects stored on IBM Cloud Object Storage are encrypted at rest using randomly generated keys and an all-or-nothing transform. IBM Cloud Object Storage also provides the flexibility to encrypt individual objects with customer-provided root encryption keys (referred to as Server-Side Encryption with Customer Provided Keys or SSE-C).
Clients requiring granular control and management of Data Encryption Keys (DEKs) can bring their own root keys to the IBM Cloud and use them to encrypt the DEKs that are generated with IBM Cloud Object Storage. This can be accomplished by leveraging the integration of IBM Cloud Object Storage with IBM Key Protect. With Key Protect, clients can create, add, and manage root keys, which can be associated with an instance of IBM Cloud Object Storage when creating buckets (referred to as Server-Side Encryption with IBM Key Protect or SSE-KP).
Please review the product documentation page for additional details on how to set up and leverage IBM Key Protect with IBM Cloud Object Storage buckets.
Using a firewall to restrict access to Cloud Object Storage buckets
IBM Cloud Object Storage provides the ability to restrict access to buckets by using a bucket-level firewall that will only allow access if the request originates from a trusted network. Access can be restricted to a specific IP address within your network. Read more about this feature in the "Setting a firewall" section on our product page.
Integration with IBM Cloud Identity and Access Management (IAM)
To control the level of access provided across various resources within IBM Cloud, clients can leverage IBM Cloud Identity and Access Management (IAM). IAM access policies are used to assign users and service IDs access to the resources within your IBM Cloud catalog. Users and service IDs can also be grouped together into an access group to make it easier to control the level of access provided.
IAM access policies and credentials management can also be used to control access to the individual IBM Cloud Object Storage buckets, which are used to create logical segregation of the objects stored. Bucket-level permissions can be set via the UI or API to grant specific access roles to certain users.
Information and steps on how to use IAM with IBM Cloud Object Storage are available on our getting started with IAM product page.
Get started with IBM Cloud Object Storage
The aforementioned features of IBM Cloud Object Storage and integrations with other IBM Cloud services provide a high-level view of built-in security features and options available to our clients. Depending on the use case(s), clients are able to leverage a combination of the features outlined and set appropriate access policies and restrictions to govern the use and sharing of data within their organizations.
With the various industry compliance certifications and the underlying security features, IBM Cloud Object Storage provides our clients with a secure, cost-effective, and simple option to satisfy data storage requirements.
Additional information on the offering and details around the features is available from our product page.
For more information on object storage technology, see "Object Storage: A Complete Guide."