IBM Hyper Protect Virtual Servers v2.1 is now available
The need to protect sensitive business data and intellectual property is continuing to grow and affects more than just large or regulated organisations. The need for protection against internal and external threats is always present, while the cost of resolution and the number of data or security-related breaches is growing. In parallel, the trend to run containerised applications in production has significantly increased in recent years and is continuing to grow.
IBM Hyper Protect Virtual Servers has addressed the need for data and privacy protection during deployment and production since its first release. The protection against internal and external threats begins during development and continues in production environments. Hyper Protect Virtual Servers continues to evolve and leverage the latest technologies. Key Hyper Protect Virtual Servers capabilities include data-in-use protection and simplified management of deployment while assuring data confidentiality, integrity, and no interactive access to a deployed instance.
These capabilities are leveraged for example by Phoenix Systems - one of the fastest growing cloud companies in Europe and Switzerland. "We are dedicated to provide customers simplicity and data sovereignty. As our customers bring their sensitive data and workloads to the virtual datacenter of Phoenix Systems, they do not have to worry about the infrastructure underneath." the Co-Founder and CTO of Phoenix Systems, Thomas Taroni, outlines. "Phoenix Systems leverages IBM LinuxONE server and Hyper Protect Virtual Servers, which provide confidential computing and simplifies compliance with regulatory requirements like the Swiss Data Protection Law.So customers can focus on and scale their business, while the physical infrastructure is taken care of.“
IBM Hyper Protect Virtual Servers 2.1 extends the Confidential Computing solution portfolio, leveraging IBM Secure Execution for Linux to provide the next generation of workload isolation, granularity, and scale on IBM zSystems and IBM LinuxONE to help protect data and workloads from internal and external threats. It offers protection for Linux workloads processing sensitive data with confidential computing throughout their lifecycle – across build, deployment, and management to fulfil compliance and regulation requirements.
Key use cases are:
- Secure Containerised Workloads
Whether you are building a cloud native application, or on an application modernisation journey, you can now do both with peace of mind by leveraging IBM’s Secure Execution technology. Containerising applications within a Confidential Computing environment helps ensure that your applications are protected. Even the system admin or operator doesn’t have access, and workloads are isolated by a secure boundary to prevent privileged user escalation
IBM Digital Asset Infrastructure provides the building blocks to create end-to-end solutions for storing and transferring large quantities of digital assets in highly secure wallets is based upon Hyper Protect Virtual Servers and the ability to leverage IBM’s Crypto Express adapter to perform the cryptographic operations in a FIPS140-2 level 4 certified Hardware Security Module. Customers can utilize Hyper Protect Secure Build to further enhance their security posture. This technology validates code before it is deployed to a container, ensuring that only verified code is allowed to run, ultimately reducing malware threats, and misconfigurations
- Secure Multi Party Computation (MPC)
Protect privacy of all participants from each other, while performing joint computation through MPC enabling cryptography. This isolates each participant from the infrastructure provider of their system, by protecting their secrets with IBM’s Secure Execution technology. IBM Hyper Protect Virtual Servers can provide an implementation of a trusted computation agent staying true to its data privacy promise.
Hyper Protect Virtual Servers 2.1 provides clients the following new benefits:
- Flexible deployments in Linux hypervisors
Secure Execution for Linux enables deployment of isolated workloads protected by Confidential Computing at scale, and enables client-defined middleware and hypervisor. With this, Hyper Protect Virtual Servers can be integrated into a virtualised Linux environment and no longer needs an isolated logical partition (LPAR) on the system. The protection boundary moves from the LPAR level, which includes the operating system and application, to complete isolation of the application from the operating system. Client code and data are exclusively controlled by their administrators, no exceptions.
- Leverage common infrastructure for container registry, logging and management
- Support customer provided container registry in addition to any public registries like IBM Container Registry, DockerHub or Linux Distribution provided Base Container registry
- During deployment, a remote LogDNA instance can be provided to get per-deployment relevant, workload-specific logging information reported with encrypted data-in-flight.
- Multiparty contract and attestation of deployment
Apply Zero Trust principles from workload development through deployment. As multiple personas and legal entities collaborate, it is essential to separate duty and access. Hyper Protect Virtual Servers is based on a newly introduced encrypted contract concept, which enables each persona to provide its contribution, while being ensured through encryption that none of the other personas can access this data or intellectual property. The deployment can be validated by an auditor persona through an attestation record, which is signed and encrypted to ensure only the auditor has this level of insight.
- Integrated data-at-rest protection
Uses a Linux Unified Key Setup (LUKS) encryption passphrase only present within the Trusted Execution Environment and based on a key derivation during deployment, based on seeds provided by the workload and environment persona.
- Container runtime and malware protection
Any Open Container Initiative (OCI) image gains the benefit of a Confidential Computing solution with an additional level of protection. Hyper Protect Virtual Servers 2.1 will only deploy container versions which are validated at deployment through explicit digest or are signed.
- Access a Crypto Express adapter in Enterprise PKCS#11 (EP11) mode
The usage of a Hardware Security Module (HSM) to protect keys is common for many use cases. To enable such solutions directly attach a Crypto Express adapter to a dedicated Secure Service Container LPAR and deploy the Crypto Express Network API for Secure Execution Enclaves provided as component of Hyper Protect Virtual Servers within. As the also provided Grep11 server is deployed in the Hyper Protect Container runtime EP11 operations are now performed in the HSM which communication is secured through an mTLS-protected network channel from the Trusted Execution Environment.
The following diagram summaries the two deployment artefacts now available as Hyper Protect Virtual Servers:
Get started today
For more information on this product, checkout the Solution brief , the product webpage or contact your local IBM Sales Team.
Find the IBM Hyper Protect Virtual Servers v2.1 documentation here and reach out to our Hyper Protect client acceleration team for a trial license.
There is a companion offering available in IBM Cloud's Virtual Private Cloud. Provisioning, deployment and management all occur through the standard IBM Cloud Virtual Servers for VPC catalog page. Check out the documentation for additional help.