Feature spotlights

Role-based access controls

Help support compliance requirements and keep your cloud-bound sensitive data secure. Role-based access controls allow an administrator to define a second layer of data access control policies that are based upon roles and job functions, including managing privileged access and escalation.

Distinct separation of duties

By default, Multi-Cloud Data Encryption creates two distinct roles – one for the Product Administrator and one for the Security Administrator – to keep roles separate.

Advanced cryptographic splitting technology

Cryptographic splitting technology helps assure sensitive data confidentiality, privacy, and protection against brute force attacks. IBM Multi-Cloud Data Encryption, with its SPxCore™, combines FIPS 140-2 certified AES 256-bit encryption and cryptographic splitting.

Integrated, certified and KMIP-compatible key management

Using integrated and transparent built-in key management, all phases of the key lifecycle from key creation to deletion stay in your control. External key management is also supported with KMIP-certified key managers such as IBM's Security Key Lifecycle Manager.

Streamlined management console

The centralized management console provisions, deploys and manages encryption agents across the enterprise. Organizations can host the management console wherever they choose, including on-premises, allowing them to keep keys out of the cloud while managing data protection remotely.

File and volume-level encryption agents

Deploy agents that encrypt data at the volume or file level. The volume encryption agent is a virtual block device that, once installed, is mounted to look like an attached disk. The file encryption agent works at the file level, based on fine-grained file- or directory-level policies.

Object store encryption agent with patented data splitting

Securely leverage on-premises or cloud-based S3 object storage with client-side encryption key and access control. The object store agent leverages cryptographic splitting to send shares of encrypted data to multiple object store locations or multiple CSPs for resiliency and recovery.

Data access log forwarding to leading SIEM solutions

Log all data access requests as “approved” or “denied” per defined user, group or process-based policy. Events recorded by the reliable event capture feature can be forwarded to event management systems, such as IBM’s QRadar SIEM, for analysis.

RESTful APIs for ease of integration, automation, and scale

Multi-Cloud Data Encryption functions are available via RESTful API so that automation can be easily applied. Large-scale deployments can be managed using the API and basic scripting.