Cybersecurity
July 31, 2023 By Nicolas Mäding
Louisa Muschal
Abhijit Mane
3 min read

IBM recently introduced new features for Hyper Protect Virtual Servers for Virtual Private Cloud (HPVS for VPC). Built to address the topmost security concerns, HPVS for VPC is designed to provide a confidential computing environment to protect data and applications within your Virtual Private Cloud.

Hyper Protect Virtual Servers provide technical assurance based on IBM Secure Execution for Linux so that workloads are protected in the cloud, including the prevention of access by unauthorized users. Technical assurance means that neither the system nor cloud administrator can access sensitive data or workloads, even if they wanted to. This is a key differentiator and is now further strengthened with the enhanced security and scalability features described below.

Bring your own key for data encryption

Data-at-rest encryption for the data volumes attached to the HPVS for VPC instance is currently enabled by a Linux Unified Key Setup (LUKS) passphrase derived from two seeds: one from the deployer and one from the workload personas. These are provided during deployment as part of the HPVS for VPC deployment contract.

With the integration of HPVS for VPC with IBM Cloud Hyper Protect Crypto Services (HPCS) key management service (KMS), encryption protection and data control are enhanced with the option to bring your own key managed by HPCS. The cloud user can gain full control of the data volumes because access to the encrypted data is only possible—even for the deployed workload—if the corresponding KMS confirms so on a regular basis.

With this additional capability, more complex zero-trust principles can be realized. This integration is achieved through an optional third seed, which is generated by HPCS and stored in a metadata partition of the data volume. This third seed is wrapped with the Customer Root Key (CRK), which always remains within the HPCS hardware security module. The LUKS passphrase for data volume encryption is generated by using these three seeds. Refer to this documentation for more details.

Deploying multiple Open Container Initiatives (OCI) containers in one enclave

The Hyper Protect Container Runtime (HPCR) previously supported only one container as described by docker compose. This may not be sufficient for workloads needing to deploy multiple microservices within a single secure enclave. HPCR now supports multiple containers where one or more container definitions can be specified via pod descriptors.

This enables an HPVS secure enclave to run multiple containers and supports the notion of a sidecar design pattern where a side container, providing supporting features, is deployed alongside the main application container. The play subsection of the HPCR workload contract can specify containers via pod descriptors in multiple ways such as plain YAML format or in the archive or templates subsection of the contract. The container images described by pod descriptors can be validated by RedHat Simple Signing. For more information, see play subsection.

Hyper Protect Secure Build

Hyper Protect Secure Build can be used to build trusted container images within a secure enclave provided by IBM Hyper Protect Virtual Servers. The secure build process is designed to allow developers to securely build and sign containerized workload images in a trusted environment and deploy into an HPVS secure enclave, preventing malicious code from entering production environments. The secure build enclave is highly isolated, and developers can communicate only via specific APIs while cloud administrators cannot access the contents of the container.

The secure build server cryptographically signs the image and provides a manifest (collection of materials used during the build) for audit purposes. Since the private signing keys always remain protected within the enclave, the signatures can be used to verify whether the image and manifest are indeed from the secure build server and not tampered with before production deployment. This ensures the end-to-end supply chain integrity is protected and the source of components used is documented and tamper-protected through the manifest file. For details, see Secure Build.

SUSE SLE BCI images for confidential computing on Hyper Protect Virtual Server

SUSE and IBM work together to deliver advanced technical capabilities for confidential computing. IBM Z® and IBM LinuxONE systems provide key hardware capabilities for a trusted execution environment while SUSE Linux Enterprise Server (SLES) on IBM Z and LinuxONE is designed to deliver performance, security, reliability and efficiency for mission-critical workloads on IBM Z and LinuxONE systems.

The SLE BCI registry (SUSE Linux Enterprise Base Container Images) is available at no charge and provides a large set of security-hardened and certified base container images. It is now possible to deploy containerized workloads built off SLE BCI onto Hyper Protect Virtual Servers and gain regular updates and support for the workload through SUSE and the SLE BCI ecosystem.

Get started with IBM Hyper Protect Virtual Server for VPC today

See how easy it is to deploy your own instance with a few clicks. You can directly start to secure your application (e.g., for financial transactions) with confidential computing. Log in to IBM Cloud to get started now, or visit our site to learn more about IBM Hyper Protect Virtual Server for VPC.

Nicolas Mäding
Product Manager for Hyper Protect Platform
Louisa Muschal
Product Manager, Hyper Protect Services - GTM
Abhijit Mane
Product Manager, LinuxONE Bare Metal

More from Cybersecurity
June 28, 2024

Authentication vs. authorization: What’s the difference?

6 min read - Authentication and authorization are related but distinct processes in an organization’s identity and access management (IAM) system. Authentication verifies a user’s identity. Authorization gives the user the right level of access to system resources.  The authentication process relies on credentials, such as passwords or fingerprint scans, that users present to prove they are who they claim to be.  The authorization process relies on user permissions that outline what each user can do within a particular resource or network. For example,…

June 24, 2024

Intesa Sanpaolo and IBM secure digital transactions with fully homomorphic encryption

6 min read - This blog was made possible thanks to contributions from Nicola Bertoli, Sandra Grazia Tedesco, Alessio Di Michelangeli, Omri Soceanu, Akram Bitar, Allon Adir, Salvatore Sollami and Liam Chambers. Intesa Sanpaolo is one of the most trusted and profitable European banks. It offers commercial banking, corporate investment banking, asset management and insurance services. It is the leading bank in Italy with approximately 12 million customers served through its digital and traditional channels. The Cybersecurity Lab of Intesa Sanpaolo (ISP) needed to…

June 20, 2024

What is AI risk management?

8 min read - AI risk management is the process of systematically identifying, mitigating and addressing the potential risks associated with AI technologies. It involves a combination of tools, practices and principles, with a particular emphasis on deploying formal AI risk management frameworks. Generally speaking, the goal of AI risk management is to minimize AI's potential negative impacts while maximizing its benefits. AI risk management and AI governance AI risk management is part of the broader field of AI governance. AI governance refers to…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters