Enterprise clients on a digital transformation journey are looking to move workloads to the public cloud. However, recent news reports of data breaches show why customers are still wary of moving sensitive data and associated workloads to the public cloud. Per a recent report by the Ponemon Institute (The Cost of a Data Breach Report – 2019), the average cost of a data breach is $3.92M! Customers, especially in regulated industries like the Financial Services Sector and Healthcare, mandate the use of their own cloud encryption keys and want to be assured no one has access to these keys. In many cases, this is also necessary to meet regulatory compliance requirements. To cater to this growing need, HyTrust and IBM are announcing the industry’s highest level of protection for data encryption keys through the integration of HyTrust DataControl Virtual Workload Protection Solution with IBM Cloud Hyper Protect Crypto Services (HPCS), a single-tenant, dedicated, customer-controlled cloud Hardware Security Module (HSM) service.
IBM Cloud Hyper Protect Crypto Services is built on the industry’s first and only FIPS 140-2 Level 4 certified Hardware Security Module (IBM PCIe Crypto Card) available in the public cloud. The Level 4 certification provides industry-leading protection against tampering with the HSM. Level 4 requires physical security mechanisms and a tamper response when the device detects various forms of environmental attack (e.g. voltage or temperature fluctuations). If any threat is detected, keys stored in the device are automatically erased, thereby protecting the critical virtual resources protected by these keys. Additionally, the service runs in IBM LinuxONE secure enclaves in the IBM Cloud, which provides technical assurance that no one, including cloud admins, has access to encryption keys at any point. The fully-managed HSM saves customers the time and effort of provisioning and maintaining the hardware, and allows customers to easily add instances when they need to scale, whether on-premises, in the cloud or in a hybrid cloud model.
HyTrust DataControl is a universal virtual workload protection solution that empowers VMware virtual admins to quickly and safely encrypt sensitive workloads on-premises and in the hybrid cloud. The integration between HyTrust DataControl and IBM Cloud Hyper Protect Crypto Services enables a level of encryption key protection never before possible. Encryption key lifecycle management operations (create, delete, store, and expiry) move from the key management server (KMS) to the HSM, ensuring that upon tampering with the HSM, the affected encryption keys are automatically destroyed, including downstream encryption keys. Critical virtual resources remain protected by DataControl and IBM Cloud Hyper Protect Crypto Services. HyTrust-enabled VMware customers can extend their environment into IBM Cloud with confidence while maintaining the security and control they have come to expect from HyTrust and IBM.
Customer benefits from HyTrust – Hyper Protect Crypto Services integration include:
- Complete workload lifecycle encryption management – from boot to decommissioning, with complete control of encryption keys
- Support for Keep Your Own Key, i.e., maintain exclusive control of the encryption keys and the full key hierarchy, including the HSM Master Key
- Zero-downtime VMware workload encryption and rekeying; the encryption travels with the VM
- Data encryption and controls on privileged access, which reduce the risk of data compromise and help meet regulatory compliance
- Flexibility for extending encryption operations to the cloud in a hybrid model
- Allow existing HyTrust customers to feel comfortable moving sensitive workloads to the IBM Cloud
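To make the key-hierarchy claims above concrete (lifecycle operations anchored in the HSM, and downstream keys becoming unrecoverable once the HSM erases its master key on tamper), here is an added, self-contained Python illustration; it is not HyTrust or IBM code, uses a deliberately simplified HMAC-based key wrap rather than the product's algorithm, and the `HsmRootKey` class is a hypothetical stand-in for the HSM, not the HPCS API.

```python
import hashlib, hmac, secrets

# Simplified key wrap (constructed for illustration, not the product's algorithm):
# 32-byte keys, an HMAC-derived keystream and an HMAC tag over nonce||ciphertext.
def wrap_key(kek: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()[:len(key)]
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))

class HsmRootKey:
    # Hypothetical stand-in for the HSM master key: its bytes never leave this object.
    def __init__(self) -> None:
        self._root = secrets.token_bytes(32)
    def _key(self) -> bytes:
        if self._root is None:
            raise RuntimeError("master key erased by tamper response")
        return self._root
    def wrap(self, key: bytes) -> bytes:
        return wrap_key(self._key(), key)
    def unwrap(self, blob: bytes) -> bytes:
        return unwrap_key(self._key(), blob)
    def tamper_response(self) -> None:
        self._root = None  # Level 4 response: keys are erased, never exported

def build_hierarchy(hsm: HsmRootKey):
    """Master key (HSM) -> KEK (stored wrapped by the KMS) -> DEK (one VM disk)."""
    kek, dek = secrets.token_bytes(32), secrets.token_bytes(32)
    wrapped = {"kek": hsm.wrap(kek), "dek": wrap_key(kek, dek)}
    return wrapped, dek  # only `wrapped` is persisted; dek is returned for the demo

def recover_dek(hsm: HsmRootKey, wrapped: dict) -> bytes:
    kek = hsm.unwrap(wrapped["kek"])        # needs the master key inside the HSM
    return unwrap_key(kek, wrapped["dek"])  # then the KEK unwraps the disk key

def dek_recoverable(hsm: HsmRootKey, wrapped: dict) -> bool:
    try:
        return recover_dek(hsm, wrapped) is not None
    except (RuntimeError, ValueError):
        return False
```

Once `tamper_response()` has zeroized the root, every wrapped KEK and DEK below it is permanently unrecoverable, which is the "downstream keys are destroyed" property the text describes.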
As part of a long-standing partnership between IBM Cloud and HyTrust, this collaboration further strengthens the security capabilities of the existing IBM Cloud Secure Virtualization (ICSV) solution offered by IBM Cloud, VMware, HyTrust and Intel. By both building on the ICSV trusted infrastructure and utilizing the HyTrust – Hyper Protect Crypto Services element, clients can take advantage of these powerful solutions in an integrated model for the most effective data security controls in the Cloud.
Our commitment to security was on full display at VMworld US in August 2019, when IBM Cloud announced integration of the Caveonix and Fortinet platforms with the IBM Cloud Secure Virtualization solution. This new service package, IBM Cloud VMware Solution for Workload Security and Compliance Readiness, combined with the Hyper Protect Crypto Services solution, allows IBM Cloud to drive a more comprehensive security approach aimed at protecting workloads from different threat vectors in the stack. As a secure-by-design platform, IBM Cloud for VMware Solutions has been purpose-built for the most highly regulated and business-critical workloads.