Confidential Computing with IBM includes a range of services from the Hyper Protect Services and Intel® Xeon®-based IBM Cloud portfolios spanning containers, key management services, and high-performance computing (HPC) to help ensure data confidentiality and code integrity.
For years, cloud providers have offered encryption services to help protect data at rest and data in transit, but not data in use. Confidential computing protects data during processing by performing computation in a hardware-based, trusted execution environment (TEE), which eliminates the remaining data security vulnerability.
Hyper Protect Services leverage IBM Secure Execution for Linux technology, part of the hardware of IBM z15 and IBM LinuxONE III generation systems, to protect the entire compute lifecycle. With Hyper Protect confidential computing as-a-service solutions, you gain a higher level of privacy assurance with complete authority over your data at rest, in transit, and in use – all with an integrated developer experience. You can run your most valuable applications and data in IBM’s isolated enclaves or trusted execution environments with exclusive encryption key control - Even IBM cannot access your data.
Intel® Xeon®-based IBM Cloud Bare Metal and Virtual Servers with Intel® SGX® help protect data in use via application isolation technology. By protecting selected code and data from modification, developers can partition their application into hardened enclaves or trusted execution modules to help increase application security. All Intel® SGX® confidential computing on IBM Cloud runs on 4th Gen Intel® Xeon® processors, the newest generation of HPC microarchitecture with built-in Intel® Accelerator Engines, improved power efficiency, DDR5 memory and PCIe 5 support.
IBM Cloud with Intel® SGX® featuring 4th Gen Intel Xeon scalable processors
IBM Secure Execution for Linux support for Crypto Express adapters
Understanding DORA and the role of confidential computing
Red Hat OpenShift Container Platform with Confidential Containers leveraging IBM Secure Execution for Linux
Address your security concerns when you move mission-critical workloads to hybrid cloud through a variety of as-a-service solutions based on IBM Z and LinuxONE or x86 hardware technology. You have exclusive control over your encryption keys, data, and applications to meet data sovereignty requirements.
Quickly scale out and maintain maximum resiliency while protecting your workloads at-rest, in-transit, and now in use inside the logically isolated IBM Cloud VPC network. Choose from a variety of virtual server profile sizes and pay-as-you- use options needed to protect your applications.
Provide container runtime isolation with technical assurance and zero trust powered by IBM Secure Execution for Linux technology on select solutions. This ensures that unauthorized users, including IBM Cloud infrastructure admins, can’t access your data and applications, thus mitigating both external and internal threats.
Implement policy enforcement with encrypted contracts or secure enclaves at the moment of deployment to make sure that your data and code is not altered at any time. Provide remote attestation service without any need to trust other key management services or external third parties beyond certificate authorities.
Gain complete authority over Linux- based virtual servers with auditable deployment of trustworthy container images in a tamper-proof environment.
Take exclusive control of encryption keys in a single-tenant multicloud key management service with a customer-controlled FIPS 140-2 level 4 certified hardware security module (HSM).
Securely build, deploy, and manage mission-critical applications for hybrid cloud implementations on IBM LinuxONE and IBM Z, while data-in-use stays protected.
Help deploy cold storage solutions for Digital Assets, which turns the entire digital asset transaction signing process from a manual operation to a completely automated and policy-driven one.
Help increase application security and protect selected code and data from modification with Intel® SGX® on hyper-scalable virtual servers inside IBM Cloud VPC – a private network in the public cloud.
Help protect data in use with unique application isolation technology from Intel® SGX® on single-tenant, dedicated cloud servers backed by powerful 4th Gen Intel® Xeon® processors.
Hyper Protect Services implement policy enforcement with encrypted contracts and provide a higher level of container-based isolation, while Intel® SGX® protects your selected code or data and provides application-based isolation.
These are examples of how to leverage the unique features of Hyper Protect Services for your use cases. Hyper Protect Services are based on IBM Secure Execution and not available with Intel SGX.
Leverages AI and Hyper Protect Services to help healthcare facilities solve complex problems while keeping patients’ data safe.
Leverages Hyper Protect Services to secure a decentralized financial information platform and enable protection and privacy of data infrastructure.
Uses Hyper Protect Virtual Servers to build secure applications for self-custody wallets.
Partners with IBM confidential computing to deliver solutions with unprecedented security and drive digital transformation for future generations.
Uses Hyper Protect Services for its digital asset orchestration system to support its financial clients hybrid cloud adoption with increased security and scalability.
Partners with the IBM Hyper Protect Platform to protect the integrity of Jamworks' AI as well as the confidentiality of an individual's data.
Protect sensitive data such as patient health information and payment records. Aid disease diagnostic and drug development with AI solutions while ensuring data privacy.
Secure payment processing, protect sensitive financial information, prevent fraud, and ensure regulatory compliance. Create a trusted platform for digital assets, non-fungible tokens (NFTs), and policy enforcement.
Ensure regulatory compliance on customer data aggregation and analysis. Make it possible to share data for multi-party collaboration to prevent retail crime while keeping data from each party private.
Facilitate digital transformation involving critical personal data such as identification numbers and biometrics. Improve service reliability and resilience to defend advanced cyber attacks on public infrastructures.
Protect Intellectual Properties (IPs) during the manufacturing process. Ensure the data and technologies are protected along the supply chain at every stage to avoid data leaks and unauthorized access.
Enable providers to offer cloud-native solutions for customers with mission-critical data or regulatory requirements. Ensure clients' data remain inaccessible not only by the service provider but also by the underlying cloud infrastructure.
Shows more details about the Hyper Protect Platform: the underlying technology and how the services support your hybrid cloud strategy.
Unveils the secrets of the latest IBM Hyper Protect Platform: how the new generation of services use the industry-leading technology to achieve confidential computing.
Introduces how you can leverage confidential computing to solve your business challenges and achieve unparalleled security.
Learn more about how IBM Hyper Protect Services protect your data with a special focus on key management.
Introduces the basics of confidential computing, how it works, and why it is so important.
Learn more about Intel® SGX® capabilities inside IBM Cloud Virtual Servers for VPC, including step-by-step instructions for enabling a confidential computing profile, secure boot, and attestation.
Provisioning a bare metal server with Intel® SGX®.
Introduces the latest high-performance compute microarchitecture behind confidential computing with Intel® SGX® on IBM Cloud servers.
Confidential computing on IBM explained
IBM Hyper Protect Platform is a suite of services designed to provide a highly secure environment for mission-critical data and applications in hybrid cloud deployments, leveraging confidential computing capabilities on IBM Z or LinuxONE. For more details, see the Redbook: IBM Hyper Protect Platform: Applying Data Protection and Confidentiality in a Hybrid Cloud Environment.
Confidential Computing refers to the protection of data in use by performing computation in an attested, hardware-based Trusted Execution Environment (TEE), ensuring data is encrypted and isolated during processing. IBM Hyper Protect Platform utilize this concept to protect mission-critical workloads and sensitive data.
Operational assurance ensures that the operations conducted by service providers and others are compliant and do not intentionally or unintentionally compromise security. This is based on operational measures - which are breakable resulting in the need to trust.
Technical assurance ensures that the security features are ingrained in the technology, and it is technically impossible for unauthorized access or changes to occur. This ensures that data is secured at all times, without the need to trust any person or organization to not exploit privileged access in the case of internal or external attacks.
The Hyper Protect Platform leverages IBM Secure Execution for Linux technology that includes hardware and firmware features such as memory encryption, encrypted contracts, and an Ultravisor to create isolated, secure environments for workloads.
IBM Cloud Virtual Servers for VPC deliver hyperscale compute capacity with the highest network speeds and most secure, software-defined networking resources available on the IBM Cloud. Built on IBM Cloud Virtual Private Cloud (VPC) and featuring powerful, 4th Gen Intel® Xeon® processors, this developer-friendly infrastructure helps drive modern workloads faster and easier with pre-set instance profiles, rapid deployment and private network control in an agile public cloud environment. Choose multi-tenant or dedicated, add GPUs, and pay-as-you-use with monthly billing, or reserve your capacity in advance for reduced costs.
Intel® Software Guard Extensions (SGX) protects your data through hardware-based server security by using isolated memory regions that are known as encrypted enclaves. This hardware-based computation helps protect your data from disclosure or modification. Which means that your sensitive data is encrypted while it is in virtual server instance memory by allowing applications to run in private memory space. To use Intel® SGX®, you must install the Intel® SGX® drivers and platform software on Intel® SGX®-capable worker nodes. Then, design your app to run in an Intel® SGX® environment.