Written by Sandeep Batta and Wen Ting Li
In an increasingly digital world, safeguarding crown-jewel data—your most valuable and sensitive information—is more critical than ever. With advancements in technology and evolving threats, it's essential to understand how to protect your data both in use and at rest, and to prepare for future threats like quantum computing.
Current data protection strategies and future challenges
Securing data throughout its lifecycle is essential for maintaining its confidentiality and integrity. When it comes to data at rest, encryption is the cornerstone of protection. This process transforms stored data into an unreadable format unless decrypted with the proper key, ensuring that even if storage systems are breached, the data remains secure and inaccessible to unauthorized individuals.
For data in use, Confidential Computing is a groundbreaking technology that uses secure enclaves to protect unencrypted-data that is loaded into the servers memory for processing. By isolating data within these secure environments, Confidential Computing ensures that sensitive information remains safeguarded from unauthorized access, even when actively in use.
Looking ahead, the rise of quantum computing poses new threats to traditional encryption methods due to its potential to solve complex problems faster than current/classical computers. To counter this, organizations need to implement post-quantum strategies “today” to future-proof data security against the evolving landscape of technological threats.
IBM LinuxONE and Hyper Protect Services
IBM LinuxONE is a high-performance, secure server platform designed to handle complex workloads with exceptional reliability and scalability. IBM Hyper Protect Services leverages the Reliability, Availability and Security (RAS) capabilities of the LinuxONE to provide game changing services on IBM Cloud and on-premises to address the data security challenges of today and in the post-quantum world.
Hyper Protect Services on IBM LinuxONE provides you the following capabilities:
- Confidential Computing - to ensure that data remains encrypted even during processing.
- Encryption Key Lifecycle Management - for centralized management and orchestration of enterprise wide encryption keys with Unified Key Orchestrator (UKO).
- Post-Quantum Security - to resist post-quantum computing threats, with Crypto Express cards on IBM LinuxONE that support NIST approved quantum-safe algorithms.
Use cases for IBM Hyper Protect Services on LinuxONE
Confidential Computing to protect financial transactions
To protect financial transactions with Confidential Computing with IBM LinuxONE, secure enclaves can be used to process sensitive data in isolation from other workloads, ensuring confidentiality and integrity even in cloud-based shared environments. For example, a financial institution might use Confidential Computing to process transactions securely. By isolating transaction data in secure enclaves, the institution can ensure that sensitive financial details are protected against potential threats, even if the underlying infrastructure is compromised.
The Payment Application use case demonstrates how IBM Hyper Protect Services on LinuxONE can secure sensitive payment data using confidential computing. The front-end, developed with Node.js, and the back-end, implemented in Python, operate within Virtual Secure Instances (VSIs) to protect against internal and external threats, including those with root access. This setup ensures that all payment data and operations remain secure and confidential, leveraging a confidential computing contract to safeguard data in use. For more information, see the technical demo: Confidential Computing for a financial transaction.
The Digital Wallet use case demonstrates how sensitive transaction data in a digital wallet is processed securely within a protected enclave, ensuring the data remains confidential and tamper-proof throughout its lifecycle. You can find more details in “Secure a digital wallet in the public cloud”. In the diagram below, a Secure Build Server (SBS) is used to protect the build pipeline as well, in addition to protecting the Digital Wallet application, using Hyper Protect Services.
Digital Assets Protection
Protecting digital assets, such as source code, proprietary data, and intellectual property, is crucial for maintaining competitive advantage. Hyper Protect Services offer advanced encryption and tokenization solutions to secure these assets. For instance, a tech company could utilize Hyper Protect Services to encrypt and secure its source code. This ensures that only authorized personnel can access and modify critical assets, protecting the company’s intellectual property from theft or unauthorized alterations.
The File-based Digital Assets use case illustrates how IBM LinuxONE can safeguard file-based digital assets by encrypting them with signing services encrypted by quantum-safe algorithms, which is further protected by a key from the Hardware Security Module (HSM) of IBM LinuxONE, ensuring the highest level of cryptographic security. Read this blog post for more info on how Knox Networks Enhances Security with IBM Hyper Protect Crypto Services HSM for FIPS Compliance.
Post-Quantum Computing Security
As quantum computing advances, traditional encryption methods may become vulnerable. IBM Hyper Protect Services include post-quantum cryptographic algorithms to protect data against these future threats. A government agency, for example, might implement post-quantum cryptography on LinuxONE to secure classified information. This ensures that even if quantum computers become capable of breaking current encryption standards, the agency’s sensitive data remains protected.
The Quantum Safe Code and Document Signing use case shows how post-quantum cryptographic algorithms are used to protect critical data, such as classified government information, ensuring long-term security against quantum computing threats. For details, you can refer to the code samples.
Encryption Services
IBM LinuxONE, combined with Hyper Protect Services, offers comprehensive encryption solutions for data at rest, in transit, and during processing. An e-commerce platform, for example, might use these services to encrypt customer data from the point of collection through storage and processing. This ensures comprehensive data protection, safeguarding customer information against breaches and unauthorized access.
In the LinuxONE Encryption Services use case, LinuxONE Encryption Services enhance data-at-rest security by wrapping the LUKS passphrase with an encryption key created by a FIPS 140-2 Level 4 certified Hardware Security Module (HSM). Utilizing IBM Hyper Protect Crypto Services (HPCS), the root key generated within the HPCS encrypts the LUKS passphrase, ensuring robust protection for sensitive data stored on Linux servers through secure key management. It ensures seamless encryption and key management, providing robust data protection across different systems and platforms. For more information, refer to the tutorial.
Reference
IBM Hyper Protect Services on LinuxONE provide a comprehensive solution for securing crown-jewel data in today’s complex IT landscape. By addressing current and future security challenges these services offer robust protection for your most sensitive information. For more information or to explore these solutions further, visit the Confidential Computing with IBM web page and or contact IBM experts.
The following tutorials and code samples can provide you with more solutions based on Hyper Protect Services. Some of the examples are demonstrated using a public cloud environment, but they can be replicated in the LinuxONE environment as well: