Data security

In Cloud Pak for Data as a Service, data security mechanisms, such as encryption, protect sensitive customer and corporate data, both in transit and at rest. A secure IBM Cloud Object Storage instance stores data assets from projects, catalogs, and deployment spaces.

Table 1. Data security mechanisms for Cloud Pak for Data as a Service
| Mechanism | Purpose | Responsibility | Configured on |
|---|---|---|---|
| Configuring Cloud Object Storage | IBM Cloud Object Storage is required to store assets | Customer | IBM Cloud |
| Controlling access with service credentials | Authorize a Cloud Object Storage instance for a specific project | Customer | IBM Cloud and Cloud Pak for Data as a Service |
| Encrypting at rest data | Default encryption is provided. Use IBM Key Protect to manage your own keys. | Shared | IBM Cloud |
| Encrypting in motion data | Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion. | IBM, Third-party clouds | IBM Cloud, Cloud providers |
| Masking data with data protection rules | Protect and mask sensitive data with data protection rules. | Customer | Cloud Pak for Data as a Service |
| Backups | Use IBM Cloud Backup to manage backups for your data. | Shared | IBM Cloud |

Configuring Cloud Object Storage

IBM Cloud Object Storage provides storage for projects, catalogs, and deployment spaces. You are required to associate an IBM Cloud Object Storage instance when you create projects, catalogs, or deployment spaces to store files for assets, such as uploaded data files or notebook files. The Lite plan instance is free to use for storage capacity up to 25 GB per month.

You can also access data sources in an IBM Cloud Object Storage instance. To connect to data that is stored in IBM Cloud Object Storage, you create an IBM Cloud Object Storage connection. An IBM Cloud Object Storage connection has a different purpose from the IBM Cloud Object Storage instance that you associate with a project, deployment space, or catalog.

The IBM Cloud Identity and Access Management (IAM) service securely authenticates users and controls access to IBM Cloud Object Storage. See IBM Cloud docs: Getting started with IAM for instructions on setting up access control for Cloud Object Storage on IBM Cloud.

See IBM Cloud docs: Getting started with IBM Cloud Object Storage

Controlling access with service credentials

Cloud Object Storage credentials consist of a service credential and a Service ID. Policies are assigned to Service IDs to control access. The credentials are used to create a secure connection to the Cloud Object Storage instance, with access control as determined by the policy.

For more information, see Controlling access to Cloud Object Storage buckets
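
As an added illustration (not IBM's code), the following Python example reviews a Cloud Object Storage service credential document for the role it carries, its Service ID binding, static HMAC keys, and an HTTPS endpoints URL. The sample JSON is constructed with placeholder values, and the `ALLOWED_ROLES` set and the `review_credential` function are assumptions made for this example.

```python
import json

# Constructed sample in the shape of an IBM Cloud Object Storage service
# credential; all values are placeholders, not real keys or CRNs.
SAMPLE_CREDENTIAL = json.dumps({
    "apikey": "EXAMPLE-APIKEY-PLACEHOLDER",
    "endpoints": "https://control.cloud-object-storage.cloud.ibm.com/v2/endpoints",
    "iam_apikey_name": "example-project-credential",
    "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
    "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/EXAMPLE::serviceid:ServiceId-EXAMPLE",
    "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/EXAMPLE:EXAMPLE::",
    "cos_hmac_keys": {"access_key_id": "EXAMPLE-ID", "secret_access_key": "EXAMPLE-SECRET"},
})

# Assumption for this example: the reviewing team accepts only these roles.
ALLOWED_ROLES = frozenset({"Reader", "Writer"})


def review_credential(raw: str, allowed_roles=ALLOWED_ROLES) -> list[str]:
    """Return least-privilege findings for one service credential document."""
    cred = json.loads(raw)
    findings = []
    # The role name is the last segment of the role CRN.
    role = str(cred.get("iam_role_crn", "")).rsplit(":", 1)[-1]
    if not role:
        findings.append("no iam_role_crn: the credential's role cannot be determined")
    elif role not in allowed_roles:
        findings.append(f"role {role} is broader than allowed {sorted(allowed_roles)}")
    if not cred.get("iam_serviceid_crn"):
        findings.append("no iam_serviceid_crn: credential is not tied to a Service ID")
    # HMAC keys are an additional static secret that must be stored and rotated.
    if "cos_hmac_keys" in cred:
        findings.append("HMAC keys present: additional static secret to protect and rotate")
    # The endpoints document should only ever be fetched over TLS.
    if not str(cred.get("endpoints", "")).startswith("https://"):
        findings.append("endpoints URL is not HTTPS")
    return findings


if __name__ == "__main__":
    for finding in review_credential(SAMPLE_CREDENTIAL):
        print("FINDING:", finding)
```
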

Encrypting at rest data

By default, at rest data is encrypted with randomly generated keys that are managed by IBM. If the default keys are sufficient protection for your data, no additional action is needed. To provide extra protection for at rest data, you can create and manage your own keys with IBM® Key Protect for IBM Cloud™. Key Protect is a full-service encryption solution that allows data to be secured and stored in IBM Cloud Object Storage.

To encrypt your Cloud Object Storage instance with your own key, create an instance of the IBM Key Protect service from the IBM Cloud catalog. Not all watsonx.ai Studio and IBM Knowledge Catalog plans support customer-generated encryption keys.

Encrypting in motion data

Data is encrypted when transmitted by IBM on any public networks and within the Cloud Service's private data center network. Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion.

Data protection rules

You can mask sensitive data by using data protection rules.

Backups

To avoid loss of important data, create and properly store backups. You can use IBM Cloud Backup to securely back up your data between IBM Cloud servers in one or more IBM Cloud data centers. See IBM Cloud docs: Getting started with IBM Cloud Backup

Learn more

For more information, see IBM Cloud docs: Getting started with Security and Compliance Center.
