Data security
In IBM watsonx, data security mechanisms, such as encryption, protect sensitive customer and corporate data, both in transit and at rest. A secure IBM Cloud Object Storage instance stores data assets from projects, catalogs, and deployment spaces.
| Mechanism | Purpose | Responsibility | Configured on |
|---|---|---|---|
| Configuring Cloud Object Storage | IBM Cloud Object Storage is required to store assets | Customer | IBM Cloud |
| Controlling access with service credentials | Authorize a Cloud Object Storage instance for a specific project | Customer | IBM Cloud and IBM watsonx |
| Encrypting data at rest | Default encryption is provided. Use IBM Key Protect to manage your own keys. | Shared | IBM Cloud |
| Encrypting data in motion | Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion. | IBM, Third-party clouds | IBM Cloud, Cloud providers |
| Backups | Use IBM Cloud Backup to manage backups for your data. | Shared | IBM Cloud |
Configuring Cloud Object Storage
IBM Cloud Object Storage provides storage for projects, catalogs, and deployment spaces. You are required to associate an IBM Cloud Object Storage instance when you create projects, catalogs, or deployment spaces to store files for assets, such as uploaded data files or notebook files. The Standard plan has a choice of storage classes, including a Free Tier, which allows 5 GB of usage for 12 months.
You can also access data sources in an IBM Cloud Object Storage instance. To access data in IBM Cloud Object Storage, you create an IBM Cloud Object Storage connection. An IBM Cloud Object Storage connection has a different purpose from the IBM Cloud Object Storage instance that you associate with a project, deployment space, or catalog.
The IBM Cloud Identity and Access Management (IAM) service securely authenticates users and controls access to IBM Cloud Object Storage. See IBM Cloud docs: Getting started with IAM for instructions on setting up access control for Cloud Object Storage on IBM Cloud.
See IBM Cloud docs: Getting started with IBM Cloud Object Storage.
Controlling access with service credentials
Cloud Object Storage credentials consist of a service credential and a Service ID. Policies are assigned to Service IDs to control access. The credentials are used to create a secure connection to the Cloud Object Storage instance, with access control as determined by the policy.
For more information, see Controlling access to Cloud Object Storage buckets.
Encrypting data at rest
By default, data at rest (data that is stored) is encrypted with randomly generated keys that are managed by IBM. If the default keys are sufficient protection for your data, no additional action is needed.
To provide extra protection for data at rest, you can create and manage your own keys with the IBM Key Protect service. Key Protect is a full-service encryption solution that allows data to be secured and stored in IBM Cloud.
Use the following high-level steps to create custom encryption keys in IBM Cloud:
- Create an instance of the IBM Key Protect service from the IBM Cloud catalog.
- Grant a service authorization between Key Protect and your IBM Cloud service.
- Create a root key for the Key Protect instance.
- Optional: Wrap your root key to create a custom data encryption key (DEK).
For details on how to encrypt your data in IBM Cloud services by using Key Protect, see the "How to" section in the Key Protect product guide in the IBM Cloud documentation.
For instructions on encrypting your Cloud Object Storage instance with your own key, see Setting up IBM Cloud Object Storage for use with IBM watsonx.
For an overview of different ways to secure data with custom keys, see Encrypting data with your own keys in the IBM Cloud documentation.
Encrypting data in motion
Data is encrypted when transmitted by IBM on any public networks and within the Cloud Service's private data center network. Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion.
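The two sections above describe the controls you are responsible for verifying on a Cloud Object Storage bucket: a customer root key from Key Protect for data at rest, and HTTPS for data in motion. The following added example (not code from IBM or the watsonx documentation) shows how such a check can be automated against the bucket metadata a HEAD request returns; the sample headers are constructed, and the header names `ibm-sse-kp-enabled` and `ibm-sse-kp-customer-root-key-crn` are assumed from the COS API and should be confirmed against the current IBM Cloud docs before relying on them.

```python
"""Verify a Cloud Object Storage bucket against the controls on this page:
Key Protect root key for data at rest, HTTPS endpoint for data in motion.
Header names are ASSUMED from the COS S3 API; sample values are CONSTRUCTED."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Finding:
    control: str
    ok: bool
    detail: str


def check_bucket(endpoint: str, headers: Dict[str, str],
                 expected_root_key_crn: str) -> List[Finding]:
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    # Data in motion: only an https:// endpoint gives the TLS protection
    # described above; http:// or a bare host name is a failure.
    scheme = urlparse(endpoint).scheme
    findings.append(Finding("encryption in motion", scheme == "https",
                            f"endpoint scheme is {scheme or 'missing'}"))

    # Data at rest with your own key: buckets left on IBM default keys
    # return no Key Protect header, or one that is not "true".
    kp_enabled = h.get("ibm-sse-kp-enabled", "").lower() == "true"
    findings.append(Finding("Key Protect enabled", kp_enabled,
                            "customer-managed key" if kp_enabled else "IBM default keys"))

    # The root key must be the one from your own Key Protect instance,
    # not a CRN belonging to another account or instance.
    crn = h.get("ibm-sse-kp-customer-root-key-crn", "")
    findings.append(Finding("root key CRN matches", crn == expected_root_key_crn,
                            f"got {crn or '<none>'}"))
    return findings


def is_compliant(findings: List[Finding]) -> bool:
    return all(f.ok for f in findings)


# Constructed sample of a correctly configured bucket (placeholder CRN).
SAMPLE_ENDPOINT = "https://s3.us-south.cloud-object-storage.appdomain.cloud"
EXPECTED_CRN = "crn:v1:bluemix:public:kms:us-south:a/EXAMPLE-ACCOUNT:EXAMPLE-INSTANCE:key:EXAMPLE-KEY-ID"
GOOD_HEADERS = {"ibm-sse-kp-enabled": "True",
                "ibm-sse-kp-customer-root-key-crn": EXPECTED_CRN}

if __name__ == "__main__":
    for f in check_bucket(SAMPLE_ENDPOINT, GOOD_HEADERS, EXPECTED_CRN):
        print(f"{'PASS' if f.ok else 'FAIL'} {f.control}: {f.detail}")
```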
Backups
To avoid loss of important data, create and properly store backups. You can use IBM Cloud Backup to securely back up your data between IBM Cloud servers in one or more IBM Cloud data centers. See IBM Cloud docs: Getting started with IBM Cloud Backup.
Learn More
- For an overview of how encryption works in the IBM Cloud Security Architecture, see Data security architecture.
- For more information, see IBM Cloud docs: Getting started with Security and Compliance Center.