Learning Library


IBM Cloud Hyper Protect Overview

Key Points

  • Confidential computing in public clouds requires encrypting data **and** ensuring that cloud operators, even with physical access, cannot read your keys or information.
  • IBM Cloud Hyper Protect Crypto Services tackles this with a tamper‑resistant hardware security module (HSM) combined with a hardened software stack, giving each tenant its own isolated “slice” of the HSM.
  • Unlike typical BYOK models, Hyper Protect uses a “keep‑your‑own‑key” (KYOK) approach where IBM never sees the key material, so customers must run a **key ceremony** themselves to initialize the HSM with their master key.
  • The key ceremony can be performed via IBM’s Trusted Key Entry (TKE) CLI or with smart cards that each hold part of the master key, so the key can be split across multiple cards and custodians and the cards stored in separate locations; the cards are needed only for initialization and later administration, not for day‑to‑day use. Because IBM holds no copy of the key parts, IBM cannot recover them for you if the cards are lost, so custodian and backup procedures are part of the design.
  • Once initialized, the HSM holds root keys (and standard keys) that wrap the data‑encryption keys in envelope‑encryption workflows, protecting object storage, databases, TLS certificates, and other workloads while the root keys stay under customer control.
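The flow the key points describe, as an added worked example (not code from the video or from IBM): a multi-custodian key ceremony that loads a master key into a simulated HSM, root keys that are generated and stay inside it, and envelope encryption with one root key per team so that rows in a shared database are isolated from each other. Everything here is an assumption for illustration: the n-of-n XOR combination of custodian key parts (IBM's TKE procedure is not reproduced), the stdlib-only HMAC-based cipher standing in for AES-GCM inside a real HSM, the `SimulatedHsm` API, and the team names and sample records, which are constructed.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32

# Stand-in AEAD: HMAC-SHA256 keystream with encrypt-then-MAC. Assumption: a real
# deployment uses AES-GCM inside the HSM; this stdlib-only cipher keeps the example runnable.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the one input key.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + aad + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong context or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

class SimulatedHsm:
    """Stand-in for the tenant's HSM slice: master key and root keys never leave it in the clear."""

    def __init__(self) -> None:
        self._master_key = None
        self._wrapped_root_keys = {}  # key_id -> root key wrapped under the master key

    def key_ceremony(self, key_parts: list) -> None:
        # Each custodian's card contributes one 32-byte part; the master key is the XOR
        # of all parts, so no single custodian (and no cloud operator) ever sees it.
        # Assumption: an n-of-n XOR split, not a reproduction of IBM's TKE procedure.
        if self._master_key is not None:
            raise RuntimeError("HSM already initialized")
        if not key_parts or any(len(p) != KEY_LEN for p in key_parts):
            raise ValueError("every key part must be %d bytes" % KEY_LEN)
        master = bytes(KEY_LEN)
        for part in key_parts:
            master = bytes(a ^ b for a, b in zip(master, part))
        self._master_key = master

    def create_root_key(self, key_id: str) -> None:
        if self._master_key is None:
            raise RuntimeError("run the key ceremony first")
        root_key = secrets.token_bytes(KEY_LEN)  # generated inside the HSM, never exported
        self._wrapped_root_keys[key_id] = aead_encrypt(self._master_key, root_key, aad=key_id.encode())

    def _root_key(self, key_id: str) -> bytes:
        return aead_decrypt(self._master_key, self._wrapped_root_keys[key_id], aad=key_id.encode())

    def wrap_dek(self, key_id: str, dek: bytes) -> bytes:
        return aead_encrypt(self._root_key(key_id), dek, aad=key_id.encode())

    def unwrap_dek(self, key_id: str, wrapped_dek: bytes) -> bytes:
        # Fails if the DEK was wrapped under a different team's root key.
        return aead_decrypt(self._root_key(key_id), wrapped_dek, aad=key_id.encode())

def store_record(hsm: SimulatedHsm, key_id: str, plaintext: bytes) -> dict:
    """Envelope encryption: fresh DEK per record, DEK wrapped by the team's root key."""
    dek = secrets.token_bytes(KEY_LEN)
    return {"key_id": key_id, "wrapped_dek": hsm.wrap_dek(key_id, dek),
            "ciphertext": aead_encrypt(dek, plaintext, aad=key_id.encode())}

def read_record(hsm: SimulatedHsm, key_id: str, record: dict) -> bytes:
    dek = hsm.unwrap_dek(key_id, record["wrapped_dek"])
    return aead_decrypt(dek, record["ciphertext"], aad=key_id.encode())

def demo() -> dict:
    hsm = SimulatedHsm()
    hsm.key_ceremony([secrets.token_bytes(KEY_LEN) for _ in range(3)])  # three constructed "cards"
    for team in ("team-a", "team-b"):
        hsm.create_root_key(team)
    shared_db = [  # one consolidated store holding rows from both teams (constructed sample data)
        store_record(hsm, "team-a", b"team A payroll export"),
        store_record(hsm, "team-b", b"team B product roadmap"),
    ]
    result = {"a_reads_own": read_record(hsm, "team-a", shared_db[0]),
              "b_reads_own": read_record(hsm, "team-b", shared_db[1])}
    try:
        read_record(hsm, "team-b", shared_db[0])  # team B's root key against team A's row
        result["b_reads_a"] = "decrypted"
    except ValueError:
        result["b_reads_a"] = "denied"
    return result
```

The database only ever holds ciphertext plus a wrapped DEK, so an operator with storage access learns nothing, and the cross-team read fails at the unwrap step because the wrapped DEK is bound (by key and by the `aad` context) to the owning team's root key. The custodian key parts are used once, in `key_ceremony`, and are not needed for `store_record` or `read_record`, mirroring the point that the cards are only for initialization and administration.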

Full Transcript

**Source:** [https://www.youtube.com/watch?v=RIcnXFZWrSI](https://www.youtube.com/watch?v=RIcnXFZWrSI)
**Duration:** 00:06:52

## Sections

- [00:00:00](https://www.youtube.com/watch?v=RIcnXFZWrSI&t=0s) **Securing Cloud Data with Hyper Protect** - The speaker outlines how IBM Cloud Hyper Protect services use tamper‑resistant hardware security modules and a secured software stack to keep encryption keys and confidential data hidden from cloud operators, even with physical data‑center access.
0:00 Let's talk about confidential computing. You want to use public cloud services to minimize upfront costs, or maybe to rapidly develop cloud-native applications, but these applications are going to deal with confidential information. Not only do you want to encrypt the storage used, but you also want to prevent any cloud operations teams from getting access to that data, even if they've got physical access to the data centers themselves.

0:26 One way that we enable this is with a set of technologies that we call IBM Cloud Hyper Protect Services.

0:32 Hi, I'm Chris Poole. I'm a senior solutions architect in the IBM Hyper Protect team. In this video I'm going to talk a little bit about what you can do to ensure your customers' data stays confidential, and then I'll introduce a simple application that demonstrates a basic use case and I'll show you how it works.

0:50 Now, part of an overall solution to protect your data is to encrypt it, but now you've transformed the problem into the problem of how do I secure my keys. One way to help resolve this issue is to employ an HSM, a hardware security module. This is a physical card, a small locked-down computer that's been engineered to be tamper resistant. You can store your keys in there, and nobody, even with physical access to the system, is going to have access to your data or your keys.

1:20 The Hyper Protect variant of this, your own discrete slice of an HSM coupled with a secured software stack, is called the IBM Cloud Hyper Protect Crypto Services. Before making use of HSMs they have to be initialized with a master key, which has got ultimate trust and power. Once done, the HSM is primed for use. The crypto service and the HSM it uses is a little different from others on the market in that it has the model of keep your own key, not just bring your own key. What this means is that we never see your key data during the initialization process, so you don't have to extend your trust model, but it also means that you have to go through this initialization process yourself, that we call the key ceremony.

2:02 Once initialized, the HSM can store root keys or standard keys, which in turn can be used with technologies like envelope encryption to be able to protect your clients' data in object storage, in databases, or things like TLS certificates.

2:19 Let's do the key ceremony now. One popular way of doing this is with our Trusted Key Entry command line interface, but another way is to use smart cards and a smart card reader. These cards in turn can be used to store master key data in them across multiple cards, so that you can take the different cards and place them securely in different locations and have them owned by different trusted people within your organization.

2:44 Let's use these smart cards and initialize the HSM I'm going to use for the demo. First, let's do the first card. For brevity I'm not showing the full process here.

2:57 Once that's done I can repeat this whole step with another card, or another few cards, to be able to split the master key across these different devices.

3:14 I don't need these cards for day-to-day use of the HSM, only for the initialization process and for any future administration. So I can take these cards, give them to different trusted people in my organization and have them securely store them at places like bank vaults. Then later on, if I want to do any administration of the HSM, I can bring the people and the cards back together so that we can perform these operations.

3:40 So the initialization has been done. Now let's talk about the demo. In my organization I've got different teams who each own their own set of cloud-native applications. For cost reduction I want them to all be able to write to a consolidated database, but I want to be able to isolate the data between the different teams, so one team can't read the data from another team.

4:04 So what I'm going to do here, in a very simple way, is to have some different applications take some input data and encrypt it with a different key, one per team, before storing it in the shared database.

4:14 This database, by the way, is another of the Hyper Protect services. The confidentiality requirements obviously transfer across to the long-term data storage, so we have database flavors that also run within secure enclaves, so the data and the logs are encrypted and there's no underlying machine access.

4:31 So let's deploy the applications. I've containerized them into a virtual server instance in, you guessed it, another secure enclave that we call Hyper Protect Virtual Servers. In this way the runtime data is also protected, and only I, with the SSH key injected at service creation time, can access the applications.

4:52 Let's stand up a database instance on the back end, then SSH into the virtual server, start up the applications and connect it all together. So the data flow is simple: the applications expose a web UI, they receive that information, make use of a key pulled from the crypto service at runtime to encrypt the data before storing it in the database on the back end.

5:14 Let's add some data and use the applications. So I'm entering some data here, storing it in the database, and then I can go to another screen and confirm that I can retrieve that data from the database, using the key it has in memory to decrypt the data within the application runtime. It's all end-to-end encrypted during transport and at rest.

5:34 Let's switch teams, meaning we'll pull a different key from the crypto service, a different application, and let's store that data before checking we can read it. We can. But now let's try to read the data from the first team's application. It's encrypted, we can't read it. We've consolidated our data pool but we've still kept the teams isolated. So these are the IBM Cloud Hyper Protect services helping my data to stay confidential.

6:01 So let's summarize what we've just done here. We deployed a secured virtual server, we created a locked-down database, and we created an instance of the Hyper Protect Crypto Service and then initialized its HSM. Using these three different services we deployed an application that's able to take data from the end user, encrypt that using different keys for different teams from the crypto service, before pushing that encrypted data into a consolidated database. In turn this creates a cohesive confidential computing platform on IBM Cloud.

6:36 Thank you for watching. If you've got any questions please drop us a line below. If you want to see more videos like this in the future please like and subscribe, and don't forget, if you want to learn more about the IBM Cloud Hyper Protect services please check out the links below.