February 14, 2023 By jason-mcalpin 5 min read

Expand to hybrid cloud, encrypt your data and manage your encryption keys.

Data is the currency of the 21st century. Bringing data and processes from legacy systems to the cloud requires that data at rest, data in transit and data in use are handled consistently with prevailing data security guidelines. It’s no surprise that organizations often mention security and data protection as the most significant barriers to moving sensitive applications and data to the public cloud. The adoption of cloud-based encryption software solutions is expected to grow, considering cloud technology’s ease of data maintenance, cost-effectiveness, scalability and streamlined data management.

Though cloud-ready architectures have several benefits in terms of simplicity and support for microservices, customers may still have concerns about data being mishandled by the cloud service provider. Organizations often want to not only encrypt their data in the cloud with their own keys, but also administer and control the encryption keys.

Organizations can use IBM Power Systems Virtual Server to expand their on-premises servers to modern-day hybrid cloud infrastructures, helping them to smoothly move and manage their workloads across cloud and on-premises environments. For cloud data encryption and multicloud key management, an organization can leverage IBM Hyper Protect Crypto Services to manage access to its data.

We are pleased to announce the availability of IBM Hyper Protect Crypto Services for AIX and Linux on IBM Power Systems Virtual Server.

What is Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services is a 3-in-1 solution, designed to give enterprises the following:

  1. A single-tenant, hybrid cloud key management service.
  2. Hardware Security Module (HSM) in the cloud.
  3. Multicloud key orchestration with Unified Key Orchestrator, a part of Hyper Protect Crypto Services.

IBM Hyper Protect Crypto Services lets customers retain control of their cloud data encryption keys (DEKs) and of the cloud Hardware Security Module (HSM) that protects them. Built on LinuxONE technology, the service runs in a secure enclave, which helps ensure that no one, including cloud administrators, can access a customer’s keys.

Hyper Protect Crypto Services can provide both key management and encryption application programming interfaces (APIs) to help manage access to data and the lifecycle of encryption keys. By providing both of these important features, Hyper Protect Crypto Services is designed to offer extra layers of protection compared to solutions that offer only one of them.

You can integrate Hyper Protect Crypto Services with Power Virtual Server to securely store and protect the encryption keys used by AIX and Linux. This integration can be used to encrypt AIX file systems and to protect Linux Unified Key Setup (LUKS) volume keys from compromise. Hyper Protect Crypto Services acts as the single point of control to enable or disable access to data across the enterprise. It does this by successively wrapping encryption keys: the key that encrypts the data is itself wrapped by a key held in the service, and the top of that chain is a master key that never leaves the hardware security module (HSM). Disabling a key at the top of the chain denies access to every key wrapped beneath it, and therefore to the data.

Distinguishing features

The distinguishing features and potential benefits of Hyper Protect Crypto Services on IBM Power Systems Virtual Server include the following:

  • Key control: Hyper Protect Crypto Services lets organizations retain control of their data encryption keys. The more common industry model is Bring Your Own Key (BYOK), in which the customer generates a key and imports it into the provider’s key management service, and so must trust that service and its operators to handle the key. Hyper Protect Crypto Services instead offers Keep Your Own Key (KYOK): rather than handing keys to a program that stores them, the customer loads its own master key into a dedicated, customer-controlled HSM that the cloud service provider has no access to.
  • Security certification: Hyper Protect Crypto Services provides a dedicated hardware security module (HSM) to safeguard and manage cryptographic keys, with data security procedures that help enterprises meet their security and compliance requirements for data in the cloud. The service is built on HSMs certified to FIPS 140-2 Level 4, and key material is stored and used without ever leaving the HSM’s cryptographic boundary.
  • Multicloud key management: Hyper Protect Crypto Services with Unified Key Orchestrator extends protection across cloud deployments. Organizations can manage keys for their internal keystores and across multiple cloud providers, including Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform. Their keys are protected by their own master key, which is stored in a hardware security module (HSM). You can manage the lifecycles of your keys from a single point of control, while the system keeps keys that are distributed in sync.
  • Integration with IBM Cloud Services: Organizations can integrate IBM Cloud services with Hyper Protect Crypto Services to build solutions to bring and manage their own encryption in the cloud. When they integrate a supported service with Hyper Protect Crypto Services, they enable envelope encryption for that service. With this integration, they can use a root key that they store in Hyper Protect Crypto Services to wrap the data encryption keys that encrypt their data at rest. For example, they can create a root key, manage the key in Hyper Protect Crypto Services and use the root key to protect the data that is stored across different cloud services.
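The envelope-encryption chain the article describes, a root key wrapping per-resource data encryption keys while the root key itself stays behind an HSM boundary and can be disabled at a single point of control, as an added Go example. This is not IBM’s code and not the Hyper Protect Crypto Services API: the HSM is simulated by a `rootKeyStore` struct whose key-encrypting key never leaves it, and the names, the AES-GCM choice for wrapping, and the resource ID bound as additional authenticated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG; crypto/rand does not fail on supported platforms.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; all keys here are generated as 32 bytes, so a failure is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext, binds aad, and prepends the random 96-bit nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if the key, aad or ciphertext do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// rootKeyStore stands in for the HSM-resident root key the article describes. It is a
// local simulation for illustration, not the Hyper Protect Crypto Services API: the
// key-encrypting key never leaves the struct and callers only get wrap and unwrap.
type rootKeyStore struct {
	kek      []byte
	disabled bool
}

func newRootKeyStore() *rootKeyStore { return &rootKeyStore{kek: randomBytes(32)} }

// Disable revokes access to every DEK wrapped under this root key, and so to all data encrypted with those DEKs.
func (r *rootKeyStore) Disable() { r.disabled = true }

// WrapDEK protects a data encryption key under the root key. The resource ID
// is bound as AAD so a wrapped DEK cannot be replayed against another volume.
func (r *rootKeyStore) WrapDEK(dek []byte, resourceID string) ([]byte, error) {
	if r.disabled {
		return nil, errors.New("root key disabled")
	}
	return seal(r.kek, dek, []byte(resourceID)), nil
}

func (r *rootKeyStore) UnwrapDEK(wrapped []byte, resourceID string) ([]byte, error) {
	if r.disabled {
		return nil, errors.New("root key disabled")
	}
	return open(r.kek, wrapped, []byte(resourceID))
}

// envelope is what is stored beside the data: the ciphertext and the wrapped DEK; the plaintext DEK is never persisted.
type envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func encryptEnvelope(r *rootKeyStore, resourceID string, plaintext []byte) (*envelope, error) {
	dek := randomBytes(32) // fresh 256-bit DEK per resource
	wrapped, err := r.WrapDEK(dek, resourceID)
	if err != nil {
		return nil, err
	}
	return &envelope{WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, []byte(resourceID))}, nil
}

func decryptEnvelope(r *rootKeyStore, resourceID string, env *envelope) ([]byte, error) {
	dek, err := r.UnwrapDEK(env.WrappedDEK, resourceID)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(resourceID))
}
```

In the deployment the article describes, the wrap and unwrap steps are requests to the service and the root key material stays inside the HSM; only the wrapped DEK and the ciphertext are stored with the workload. Disabling the root key is what makes the service a single point of control: no stored envelope can be opened until the key is enabled again, and a wrapped DEK presented for the wrong resource is rejected because the AAD does not match.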

Built on the ‘Keep Your Own Key’ technology, Unified Key Orchestrator helps enterprises manage their data encryption keys across multiple keystores and multiple cloud environments, including keys managed on-premises or on IBM Cloud, AWS and Microsoft Azure.

Start reaping the benefits

Many firms have now embraced a multicloud strategy, hosting each workload in the most cost-effective location, whether that is a public cloud or the organization’s own data center. In that setting, safeguarding data with encryption means managing keys in silos on-premises and across several clouds, which makes it harder to demonstrate compliance, establish the correct security posture and preserve data governance and sovereignty. Managing keys across a hybrid cloud environment is expensive and requires extensive security knowledge, and every time a workload moves the security team has to learn another cloud’s key lifecycle management platform.

Unified Key Orchestrator provides enterprises with a single control plane for all their encryption keys. The keys themselves are protected by the customer’s own master key on the service’s HSM. Hyper Protect Crypto Services with Unified Key Orchestrator can distribute keys to internal keystores and to external ones used by customer-accessible services such as Microsoft Azure Key Vault, Google Cloud Platform and AWS KMS. The service functions as a central hub for backing up an organization’s keys and can quickly redistribute them to recover from key loss.

IBM Power Systems Virtual Server with Hyper Protect Crypto Services is now available in 15 data centers across the globe. You can integrate Hyper Protect Crypto Services with Power Systems Virtual Server instances to securely store and protect encryption key information for AIX and Linux. Please refer to the product guide for additional information. Contact IBM today to get started with IBM Power Systems Virtual Server with Hyper Protect Crypto Services.

Collaboration at work

To help meet clients’ needs for encryption of CLAI Payments Technologies’ financial application (which runs on IBM i in PowerVS), IBM collaborated with First National Technology Solutions (FNTS) to build an encryption service tile for the IBM Cloud Catalog. FNTS provides encryption services for IBM i on PowerVS through this tile, so clients running CLAI applications on PowerVS can add encryption to those applications and operate them with the same level of security they had on-premises.

IBM has also collaborated with FalconStor Software to bring enterprise-class data protection, disaster recovery, ransomware protection and cloud migration to IBM Power workloads. The Virtual Tape Library solution enables hybrid backup to the cloud and lets on-premises clients migrate IBM i, AIX and Linux workloads to PowerVS. Its integrated deduplication removes redundant copies of data, reducing capacity requirements and minimizing replication time. Please see Virtual Tape Library for Power and Virtual Tape Library for PowerVS to get started with this solution.

Our collaboration with FNTS, CLAI Payment Technologies and FalconStor Software exemplifies our commitment to meet our clients’ needs and create a more robust offering. Let’s work together to see how IBM Power Systems Virtual Server can help drive success for your business.
