Announcements
Cloud
Security
February 17, 2021 By Janet Van
Crystal Barragan
Shawna Guilianelli
Ashwini Padubidri Chandrase
Sudheesh Kairali
Jagdish Kumar
4 min read

We’re taking another step forward in our mission to help you achieve continuous security and compliance by giving you the option to manage your own data encryption. 

Organizations in many industries — such as financial institutions — are required to meet policies and controls that ensure that they are abiding by regulatory compliance obligations. These highly regulated institutions, along with the providers that service them, require a secure framework that helps to validate the standards that they must meet, such as data security controls. Complete control of data — including the encryption and security of it — is a key requirement for organizations that run sensitive workloads and applications in the cloud. With the Security and Compliance Center, not only can you validate that your workload and application data is managed correctly, but you can also own and manage the encryption for the data that is generated by the service. 

What kind of data is generated by the service?

When you work with the Security and Compliance Center, you have the option to own encryption for the data that is generated by either Security Insights or compliance scans that are run on your resources. However, customer-managed encryption for Configuration Governance is not available at this time. 

Compliance scans

Compliance scans are run on your resources to help determine your adherence to the internal and external regulations that you must meet for your industry:

  1. To run compliance scans, you must first create and install a collector that has access to your resources.
  2. Next, you complete your set-up steps, such as determining whether to own your encryption, creating a scan by targeting a specific area of your organization, providing credentials and choosing which goals you’d like to validate your resources against.
  3. When it’s time, the Security and Compliance Center tells the collector to start scanning your resources.
  4. The scan is run and the results are returned through the collector.
  5. The collector forwards the results to a database, where they are stored for 30 days.
  6. Your results are analyzed to determine your current posture and then displayed as a summary in a dashboard.
  7. If you need to keep your results for longer, you can always download your results and store them in an IBM Cloud Object Storage bucket that you own and manage.

How does encryption work by default?

Security and Compliance Center uses a process called envelope encryption to implement IBM or customer-managed encryption keys. By default, the encryption keys that secure your data are generated on your behalf through Key Protect and managed by IBM. If you want to take advantage of Bring Your Own Key (BYOK) or Keep Your Own Key (KYOK) capabilities, you can manage your own encryption through one of the integrated key management services.

How can I enable my own encryption?

Depending on your use case and security requirements, the key management service that is most suited for your organization’s needs can vary. For a more detailed comparison of the services, see “How is Hyper Protect Crypto Services different from Key Protect?

  • IBM Key Protect for IBM Cloud: Key Protect helps you provision encrypted keys for your applications and IBM Cloud services. As you manage the lifecycle of your keys, you can benefit from knowing that your keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect against the theft of information. With the service, you can wrap your data encryption keys with a highly secure root key that you can either bring yourself or generate through the service.
  • IBM Cloud Hyper Protect Crypto Services: Hyper Protect Crypto Services is a dedicated key management service and HSM that provides you with the Keep Your Own Key capability for cloud data encryption. Built on FIPS 140-2 Level 4 certified hardware, Hyper Protect Crypto Services allows you to have exclusive control of your encryption keys. In addition to the BYOK capabilities, KYOK provides technical assurance that IBM cannot access the customer keys. With KYOK, you have exclusive control of the entire key hierarchy including the master key.

How can I get started?

If you’re already using the Security and Compliance Center to monitor your current posture, you can enable your own encryption in the Data Settings tab of the service UI. But, before you do, be sure that you have the correct IAM policies in place:

New to the Security and Compliance Center? Try walking through our step-by-step tutorial to get started. Or, to learn more about how to manage encryption settings for your Security and Compliance Center data, see “Enabling customer-managed keys.”

Feedback

In order to ensure that we are helping you to deliver on your own mission, we’d like to hear from you with any feedback that you might have. To share your questions, comments, raves or concerns with us, use the Feedback button that can be found on any page of cloud.ibm.com.

Janet Van
Product Manager, Cloud Security and Compliance
Crystal Barragan
Technical Writer, Cloud Security Services
Shawna Guilianelli
Content Lead and Strategist
Ashwini Padubidri Chandrase
Cloud Security UI Development Lead
Sudheesh Kairali
Security and Compliance Center, Development Lead
Jagdish Kumar
Security and Compliance Center, Developer

More from Announcements
July 2, 2024

Success and recognition of IBM offerings in G2 Summer Reports  

2 min read - IBM offerings were featured in over 1,365 unique G2 reports, earning over 230 Leader badges across various categories.   This recognition is important to showcase our leading products and also to provide the unbiased validation our buyers seek. According to the 2024 G2 Software Buyer Behavior Report, “When researching software, buyers are most likely to trust information from people with similar roles and challenges, and they value transparency above other factors.”  With over 90 million visitors each year and hosting more than 2.6…

June 24, 2024

Manage the routing of your observability log and event data 

4 min read - Comprehensive environments include many sources of observable data to be aggregated and then analyzed for infrastructure and app performance management. Connecting and aggregating the data sources to observability tools need to be flexible. Some use cases might require all data to be aggregated into one common location while others have narrowed scope. Optimizing where observability data is processed enables businesses to maximize insights while managing to cost, compliance and data residency objectives.  As announced on 29 March 2024, IBM Cloud® released its next-gen observability…

June 21, 2024

Unify and share data across Netezza and watsonx.data for new generative AI applications

3 min read - In today's data and AI-driven world, organizations are generating vast amounts of data from various sources. The ability to extract value from AI initiatives relies heavily on the availability and quality of an enterprise's underlying data. In order to unlock the full potential of data for AI, organizations must be able to effectively navigate their complex IT landscapes across the hybrid cloud.   At this year’s IBM Think conference in Boston, we announced the new capabilities of IBM watsonx.data, an open…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters