Home

Confidential Computing

Confidential computing with IBM

Protect your data at rest, in transit and in use with the broadest selection of data security and encryption technologies from IBM Z, IBM LinuxONE, and Intel® Xeon® on IBM Cloud.

Explore the solution guide

Confidential Computing with IBM includes a range of services from the Hyper Protect Services and Intel® Xeon®-based IBM Cloud portfolios spanning containers, key management services, and high-performance computing (HPC) to help ensure data confidentiality and code integrity. 

Protect data across the entire compute lifecycle

For years, cloud providers have offered encryption services to help protect data at rest and data in transit, but not data in use. Confidential computing protects data during processing by performing computation in a hardware-based, trusted execution environment (TEE), which eliminates the remaining data security vulnerability.

Hyper Protect Services leverage IBM Secure Execution for Linux technology, part of the hardware of IBM z15 and IBM LinuxONE III generation systems, to protect the entire compute lifecycle. With Hyper Protect confidential computing as-a-service solutions, you gain a higher level of privacy assurance with complete authority over your data at rest, in transit, and in use – all with an integrated developer experience. You can run your most valuable applications and data in IBM’s isolated enclaves or trusted execution environments with exclusive encryption key control - Even IBM cannot access your data.

Intel® Xeon®-based IBM Cloud Bare Metal and Virtual Servers with Intel® SGX® help protect data in use via application isolation technology. By protecting selected code and data from modification, developers can partition their application into hardened enclaves or trusted execution modules to help increase application security. All Intel® SGX® confidential computing on IBM Cloud runs on 4th Gen Intel® Xeon® processors, the newest generation of HPC microarchitecture with built-in Intel® Accelerator Engines, improved power efficiency, DDR5 memory and PCIe 5 support. 

Confidential Containers with IBM Secure Execution for Linux
IBM Cloud expands confidential computing portfolio with Intel® SGX®. IBM Secure Execution for Linux support for Crypto Express adapters Understanding DORA and the role of confidential computing
Why IBM for confidential computing Secure every journey to hybrid cloud

Address your security concerns when you move mission-critical workloads to hybrid cloud through a variety of as-a-service solutions based on IBM Z and LinuxONE or x86 hardware technology. You have exclusive control over your encryption keys, data, and applications to meet data sovereignty requirements. 

Hyperscale and protect in all states

Quickly scale out and maintain maximum resiliency while protecting your workloads at-rest, in-transit, and now in use inside the logically isolated IBM Cloud VPC network. Choose from a variety of virtual server profile sizes and pay-as-you- use options needed to protect your applications. 

Provide smaller isolation granularity

Provide container runtime isolation with technical assurance and zero trust powered by IBM Secure Execution for Linux technology on select solutions. This ensures that unauthorized users, including IBM Cloud infrastructure admins, can’t access your data and applications, thus mitigating both external and internal threats.

Keep data and code confidential

Implement policy enforcement with encrypted contracts or secure enclaves at the moment of deployment to make sure that your data and code is not altered at any time. Provide remote attestation service without any need to trust other key management services or external third parties beyond certificate authorities.

Products and services
Hyper Protect Services based on IBM Secure Execution for Linux (SEL)

Implement policy enforcement with encrypted contracts and provide a higher level of container-based isolation.

IBM Cloud with Intel® SGX®

Protect your selected code or data and provides application-based isolation.

Industries
Healthcare

Protect sensitive data such as patient health information and payment records. Aid disease diagnostic and drug development with AI solutions while ensuring data privacy.

Financial services

Secure payment processing, protect sensitive financial information, prevent fraud, and ensure regulatory compliance. Create a trusted platform for digital assets, non-fungible tokens (NFTs), and policy enforcement.

Retail

Ensure regulatory compliance on customer data aggregation and analysis. Make it possible to share data for multi-party collaboration to prevent retail crime while keeping data from each party private.

Public sector

Facilitate digital transformation involving critical personal data such as identification numbers and biometrics. Improve service reliability and resilience to defend advanced cyber attacks on public infrastructures.

Manufacturing

Protect Intellectual Properties (IPs) during the manufacturing process. Ensure the data and technologies are protected along the supply chain at every stage to avoid data leaks and unauthorized access.

Software and platform applications

Enable providers to offer cloud-native solutions for customers with mission-critical data or regulatory requirements. Ensure clients' data remain inaccessible not only by the service provider but also by the underlying cloud infrastructure.

Resources
Redbook IBM Hyper Protect Platform: Applying Data Protection and Confidentiality in a Hybrid Cloud Environment

Shows more details about the Hyper Protect Platform: the underlying technology and how the services support your hybrid cloud strategy.

View Redbook
Whitepaper The Second Generation of IBM Hyper Protect Platform

Unveils the secrets of the latest IBM Hyper Protect Platform: how the new generation of services use the industry-leading technology to achieve confidential computing.

Download the whitepaper
Video

Introduces how you can leverage confidential computing to solve your business challenges and achieve unparalleled security.

Whitepaper Data Sovereignty with IBM Hyper Protect Services

Learn more about how IBM Hyper Protect Services protect your data with a special focus on key management.

Download the whitepaper
Learn hub What is confidential computing?

Introduces the basics of confidential computing, how it works, and why it is so important.

Learn more
IBM Cloud Docs IBM Cloud Virtual Servers for VPC: Creating a virtual server with Intel® SGX®

Learn more about Intel® SGX® capabilities inside IBM Cloud Virtual Servers for VPC, including step-by-step instructions for enabling a confidential computing profile, secure boot, and attestation.

View docs
IBM Cloud Docs IBM Cloud Bare Metal Servers (classic)

Provisioning a bare metal server with Intel® SGX®.

View docs
Video

Introduces the latest high-performance compute microarchitecture behind confidential computing with Intel® SGX® on IBM Cloud servers.

Blog Red Hat OpenShift Container Platform with Confidential Containers leveraging IBM Secure Execution for Linux

Red Hat OpenShift Container Platform provides a common deployment, control and management environment for workloads across a diverse set of infrastructures that underpin a hybrid cloud.

Read the blog

Frequently asked questions

Confidential computing on IBM explained

What is the Hyper Protect Platform?

IBM Hyper Protect Platform is a suite of services designed to provide a highly secure environment for mission-critical data and applications in hybrid cloud deployments, leveraging confidential computing capabilities on IBM Z or LinuxONE. For more details, see the Redbook: IBM Hyper Protect Platform: Applying Data Protection and Confidentiality in a Hybrid Cloud Environment

What is Confidential Computing, and how does it relate to the Hyper Protect Platform?

Confidential Computing refers to the protection of data in use by performing computation in an attested, hardware-based Trusted Execution Environment (TEE), ensuring data is encrypted and isolated during processing. IBM Hyper Protect Platform utilize this concept to protect mission-critical workloads and sensitive data. 

What is the difference between Operational Assurance and Technical Assurance?

Operational assurance ensures that the operations conducted by service providers and others are compliant and do not intentionally or unintentionally compromise security. This is based on operational measures - which are breakable resulting in the need to trust.

Technical assurance ensures that the security features are ingrained in the technology, and it is technically impossible for unauthorized access or changes to occur. This ensures that data is secured at all times, without the need to trust any person or organization to not exploit privileged access in the case of internal or external attacks. 

What kind of technology underlies the Hyper Protect Platform to enhance security?

The Hyper Protect Platform leverages IBM Secure Execution for Linux technology that includes hardware and firmware features such as memory encryption, encrypted contracts, and an Ultravisor to create isolated, secure environments for workloads. 

What are the benefits of IBM Cloud Virtual Servers for VPC?

IBM Cloud Virtual Servers for VPC deliver hyperscale compute capacity with the highest network speeds and most secure, software-defined networking resources available on the IBM Cloud. Built on IBM Cloud Virtual Private Cloud (VPC) and featuring powerful, 4th Gen Intel® Xeon® processors, this developer-friendly infrastructure helps drive modern workloads faster and easier with pre-set instance profiles, rapid deployment and private network control in an agile public cloud environment. Choose multi-tenant or dedicated, add GPUs, and pay-as-you-use with monthly billing, or reserve your capacity in advance for reduced costs.

What is Intel® SGX® ?

Intel® Software Guard Extensions (SGX) protects your data through hardware-based server security by using isolated memory regions that are known as encrypted enclaves. This hardware-based computation helps protect your data from disclosure or modification. Which means that your sensitive data is encrypted while it is in virtual server instance memory by allowing applications to run in private memory space. To use Intel® SGX®, you must install the Intel® SGX® drivers and platform software on Intel® SGX®-capable worker nodes. Then, design your app to run in an Intel® SGX® environment.

Take the next step

Contact us on how to protect your mission-critical workloads with IBM confidential computing.