Book description
Protecting workloads and sensitive data throughout their lifecycle is a great concern across all industries and organizations. Increasing demands to accelerate hybrid cloud adoption and integration are changing the way data is securely stored, processed, and accessed.
In addition, regulatory guidelines and standards are causing many businesses and organizations to implement zero trust policies and privacy enhancing techniques to restrict access to workloads as state of least privilege is established. A state of least privilege ensures that no user or workload has any more access to data than is necessary. Confidentiality and integrity assurance for data at rest and data in transit is typically provided through cryptography. Nevertheless, data in use is generally unencrypted while it is processed by the system, which can make data in use accessible to privileged users or workloads.
In the past, data owners relied upon operational assurance to control access to workloads and data. An operational assurance approach ensures that a service provider will not access customer workloads or data through specific operational procedures and measures. However, with today's constant, unpredictable, and always changing cyberthreats, operational assurance is not enough.
A more robust technical assurance approach that is hardware-based is needed. A Trusted Execution Environment (TEE) or confidential computing platform does just that. A TEE ensures that no one can access sensitive workloads and data while in use, not even the service provider. A TEE can also protect the CI/CD pipeline from bad actors, enforce supply chain protection, and provide code integrity through cryptographic proofs and encryption.
This IBM® Redbooks® publication outlines how to apply common concepts of data protection and confidentiality and make use of a privacy-enhancing technology-based solution that can be implemented in a hybrid cloud environment. It describes the TEE technologies that are offered with IBM Z® and IBM LinuxONE (such as IBM Secure Execution for Linux), and how the IBM Hyper Protect Platform uses them.
This publication discusses how the various IBM Hyper Protect services ensure zero trust data-centric security and data privacy end-to-end. It also illustrates the business value through specific use case scenarios, covering relevant aspects of workload creation and evidence collection for regulatory compliance of software supply chains.
This IBM Redbooks publication is for Chief Information Security Officers (CISOs), IT managers, security architects, security administrators, cloud application developers, and anyone who needs to plan, deploy, and manage data security and confidentiality in a hybrid cloud environment. The reader is expected to have a basic understanding of IT security and hybrid cloud concepts.
Table of contents
- Front cover
- Notices
- Preface
-
Chapter 1. A hybrid cloud with data security in mind
- 1.1 Identifying the threat
- 1.2 Beyond regulatory and standard frameworks
-
1.3 Mitigating the threat
- 1.3.1 Technical assurance
- 1.3.2 A Trusted Execution Environment for your application
- 1.3.3 Reduced trust boundary and trusted computing base
- 1.3.4 Controlling your application with separation of duty
- 1.3.5 Exclusive and full control over your cryptographic key
- 1.3.6 Support for your application OCI images
- 1.3.7 Support for hybrid cloud
- 1.4 The solution explained
-
Chapter 2. Understanding the solution
- 2.1 IBM Hyper Protect services and a secure hybrid cloud
- 2.2 IBM Cloud Virtual Private Cloud
-
2.3 Hyper Protect Virtual Server
- 2.3.1 Bootloader
- 2.3.2 Volume encryption
- 2.3.3 Description of the contract
- 2.3.4 The attestation record
- 2.3.5 Logging
- 2.3.6 Hyper Protect layer services
- 2.3.7 Hyper Protect Virtual Server for VPC
- 2.3.8 Hyper Protect Virtual Server for IBM LinuxONE and IBM Z
- 2.3.9 Considerations when deploying workloads in HPVS instances
- 2.4 Hyper Protect Secure Build
- 2.5 Cryptographic agility is the key to SecDevOps
- 2.6 Hyper Protect Crypto Services
- 2.7 Crypto Express Network API for Secure Execution Enclaves
- 2.8 Storage and repositories in the cloud
- 2.9 Common usages
- Chapter 3. Making the infrastructure secure
-
Chapter 4. Application development in a trusted environment
- 4.1 Securing the application lifecycle
- 4.2 Build container image by using Hyper Protect Secure Build
- 4.3 Zero knowledge proofs: TLS server certificates and wrapped secrets
- 4.4 Trust in-depth based on boot flow attestation
- 4.5 Data storage
- 4.6 Securing cloud native services
- 4.7 Secure supply chain with SLSA
- Appendix A. Client contract setup sample files
- Appendix B. Creating a Hyper Protect Virtual Server for VPC
- Appendix C. Additional examples for HPSB and HPVS
- Appendix D. Encryption keys explained
- Back cover
Product information
- Title: IBM Hyper Protect Platform: Applying Data Protection and Confidentiality in a Hybrid Cloud Environment
- Author(s):
- Release date: February 2024
- Publisher(s): IBM Redbooks
- ISBN: 9780738461496
You might also like
book
Building a Next-Gen SOC with IBM QRadar
Discover how different QRadar components fit together and explore its features and implementations based on your …
book
Ten Things to Know About ModelOps
The past few years have seen significant developments in data science, AI, machine learning, and advanced …
book
Evidence-Based Security
The business world faces an interesting paradox: although companies spend more money than ever on security …
book
PCI DSS Version 4.0 - A guide to the payment card industry data security standard
The PCI DSS (Payment Card Industry Data Security Standard) is now on its fourth version. The …