IBM Hyper Protect Platform: Applying Data Protection and Confidentiality in a Hybrid Cloud Environment

Book description

Protecting workloads and sensitive data throughout their lifecycle is a great concern across all industries and organizations. Increasing demands to accelerate hybrid cloud adoption and integration are changing the way data is securely stored, processed, and accessed.

In addition, regulatory guidelines and standards are causing many businesses and organizations to implement zero trust policies and privacy-enhancing techniques that restrict access to workloads until a state of least privilege is established. A state of least privilege ensures that no user or workload has any more access to data than is necessary. Confidentiality and integrity assurance for data at rest and data in transit is typically provided through cryptography. Nevertheless, data in use is generally unencrypted while it is processed by the system, which can make data in use accessible to privileged users or workloads.

In the past, data owners relied upon operational assurance to control access to workloads and data. An operational assurance approach ensures, through specific operational procedures and measures, that a service provider will not access customer workloads or data. However, with today's constant, unpredictable, and ever-changing cyberthreats, operational assurance is not enough.

A more robust technical assurance approach that is hardware-based is needed. A Trusted Execution Environment (TEE) or confidential computing platform does just that. A TEE ensures that no one can access sensitive workloads and data while in use, not even the service provider. A TEE can also protect the CI/CD pipeline from bad actors, enforce supply chain protection, and provide code integrity through cryptographic proofs and encryption.

This IBM® Redbooks® publication outlines how to apply common concepts of data protection and confidentiality and make use of a privacy-enhancing technology-based solution that can be implemented in a hybrid cloud environment. It describes the TEE technologies that are offered with IBM Z® and IBM LinuxONE (such as IBM Secure Execution for Linux), and how the IBM Hyper Protect Platform uses them.

This publication discusses how the various IBM Hyper Protect services ensure zero trust data-centric security and data privacy end-to-end. It also illustrates the business value through specific use case scenarios, covering relevant aspects of workload creation and evidence collection for regulatory compliance of software supply chains.

This IBM Redbooks publication is for Chief Information Security Officers (CISOs), IT managers, security architects, security administrators, cloud application developers, and anyone who needs to plan, deploy, and manage data security and confidentiality in a hybrid cloud environment. The reader is expected to have a basic understanding of IT security and hybrid cloud concepts.

Table of contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
      1. Now you can become a published author, too!
      2. Comments welcome
      3. Stay connected to IBM Redbooks
  4. Chapter 1. A hybrid cloud with data security in mind
    1.1 Identifying the threat
    1.2 Beyond regulatory and standard frameworks
    1.3 Mitigating the threat
      1.3.1 Technical assurance
      1.3.2 A Trusted Execution Environment for your application
      1.3.3 Reduced trust boundary and trusted computing base
      1.3.4 Controlling your application with separation of duty
      1.3.5 Exclusive and full control over your cryptographic key
      1.3.6 Support for your application OCI images
      1.3.7 Support for hybrid cloud
    1.4 The solution explained
      1.4.1 The technology underlying the Hyper Protect Platform
      1.4.2 Features of the Hyper Protect Platform
      1.4.3 Cryptography and Hyper Protect Crypto Service
      1.4.4 Hyper Protect Secure Build
  5. Chapter 2. Understanding the solution
    2.1 IBM Hyper Protect services and a secure hybrid cloud
    2.2 IBM Cloud Virtual Private Cloud
      2.2.1 IBM Cloud virtual server instance on IBM LinuxONE
    2.3 Hyper Protect Virtual Server
      2.3.1 Bootloader
      2.3.2 Volume encryption
      2.3.3 Description of the contract
      2.3.4 The attestation record
      2.3.5 Logging
      2.3.6 Hyper Protect layer services
      2.3.7 Hyper Protect Virtual Server for VPC
      2.3.8 Hyper Protect Virtual Server for IBM LinuxONE and IBM Z
      2.3.9 Considerations when deploying workloads in HPVS instances
    2.4 Hyper Protect Secure Build
    2.5 Cryptographic agility is the key to SecDevOps
    2.6 Hyper Protect Crypto Services
      2.6.1 Accessing cryptographic services with HPCS
    2.7 Crypto Express Network API for Secure Execution Enclaves
      2.7.1 Security considerations
    2.8 Storage and repositories in the cloud
      2.8.1 Cloud object storage
      2.8.2 Block storage
      2.8.3 File storage
      2.8.4 On-premises storage
    2.9 Common usages
      2.9.1 Securely bring applications to hybrid cloud
      2.9.2 Digital assets infrastructure
      2.9.3 Confidential AI
      2.9.4 Secure multi-party computation
      2.9.5 Secure distributed cloud
  6. Chapter 3. Making the infrastructure secure
    3.1 The contract
      3.1.1 The workload section
      3.1.2 The workload volumes subsection
      3.1.3 The env section
    3.2 Contract encryption
    3.3 Contract certificates
    3.4 Attestation
    3.5 Logging for HPVS instances
    3.6 Encrypting data volumes
  7. Chapter 4. Application development in a trusted environment
    4.1 Securing the application lifecycle
      4.1.1 Development
      4.1.2 Test
      4.1.3 Build
      4.1.4 Release
      4.1.5 Deployment
      4.1.6 Update
      4.1.7 Application and service development
      4.1.8 Working with the log
      4.1.9 Deployment automation - Terraform
    4.2 Build container image by using Hyper Protect Secure Build
      4.2.1 Determine readiness
      4.2.2 Install the secure build CLI
      4.2.3 Create client and server certificates for secure build
      4.2.4 Prepare user_data.yaml
      4.2.5 Create the Hyper Protect Secure Build instance
      4.2.6 Configure the HPSB client with the HPVS IP address
    4.3 Zero knowledge proofs: TLS server certificates and wrapped secrets
      4.3.1 Passing secrets into a secure HPVS
      4.3.2 Certificate benefits
      4.3.3 Importing server certificate from contract
      4.3.4 Random number generation
      4.3.5 Reverse proxy
      4.3.6 Basic web server (nginx) hardening
      4.3.7 Offloading NGINX TLS to HPCS
    4.4 Trust in-depth based on boot flow attestation
    4.5 Data storage
      4.5.1 Encrypting block storage
      4.5.2 Encryption state
      4.5.3 Upgrade, backup, and disaster recovery
      4.5.4 High Availability
    4.6 Securing cloud native services
      4.6.1 Confidential cluster
      4.6.2 Confidential containers
      4.6.3 Confidential service platform
    4.7 Secure supply chain with SLSA
      4.7.1 Jenkins
      4.7.2 Source-to-image (S2I)
      4.7.3 GitHub Actions
  8. Appendix A. Client contract setup sample files
    1. Sample YAML file with literal scalars
    2. Sample YAML file with double-quoted scalars
    3. Sample script for certificate or key files
  9. Appendix B. Creating a Hyper Protect Virtual Server for VPC
    1. Using the IBM Cloud VPC UI
  10. Appendix C. Additional examples for HPSB and HPVS
    1. Hyper Protect Secure Build log
    2. How to verify disk (volume) encryption with HPL13000I
  11. Appendix D. Encryption keys explained
    1. What is a master key (MK)
    2. What are data encryption keys (DEKs)
    3. What are key encryption keys (KEKs)
    4. Using and protecting keys
    5. How encryption keys are created using GREP11
  12. Back cover

Product information

  • Title: IBM Hyper Protect Platform: Applying Data Protection and Confidentiality in a Hybrid Cloud Environment
  • Author(s): Bill White, Robbie Avill, Sandeep Batta, Abhiram Kulkarni, Timo Kußmaul, Stefan Liesche, Nicolas Mäding, Christoph Schlameuß, Peter Szmrecsányi
  • Release date: February 2024
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738461496