Hyper Protect Your Data with Linux on Z and LinuxONE in the Cloud

By John Currie

In 2017, based on early discussions with enterprise clients, we realized that most mission-critical workloads weren’t being migrated to the public cloud. Our customers still had concerns about the security, scalability and resilience of public clouds. So we asked ourselves: What if we could take our most trusted platform—IBM Z—and put it in the IBM Public Cloud as LinuxONE? And so, our confidential computing mission with IBM Cloud Hyper Protect Services was born.

For our traditional Z customers, this would be a natural progression: they would keep the enterprise qualities they valued while gaining the flexibility and agility of the cloud. The wider community, by contrast, would be drawn more by the enhanced cloud services than by the platform itself, and also by the enterprise qualities such as security and scalability, so the offering would appeal to an entirely new audience.

Because a core value proposition of cloud computing is its ability to host multiple tenants, the primary benefit of IBM LinuxONE in the public cloud would be protecting customer data and applications—both from other tenants and from rogue administrators. Specifically, IBM LinuxONE in the public cloud provided a secure enclave, guaranteeing workload isolation. It enabled top-to-bottom encryption management, with customers able to create and manage their own keys. And it protected data by leveraging pervasive encryption methods, both during runtime and at rest.

IBM Cloud Hyper Protect Services, all built on IBM LinuxONE and running in the IBM Cloud, provide key security differentiation in that these services provide customers complete authority over their data, workloads and encryption keys. Even IBM Cloud admins have no access.

  • IBM Cloud Hyper Protect Crypto Services is a fully managed, dedicated key management and Cloud Hardware Security Module (HSM) service. This is the only service in the industry built on FIPS 140-2 Level 4-certified hardware. The service allows customers to have exclusive control over their encryption keys. IBM refers to this capability as Keep Your Own Key (KYOK).
  • IBM Cloud Hyper Protect DBaaS is designed to provide enterprises complete data confidentiality for their highly sensitive data in the public cloud. The databases currently supported are PostgreSQL and MongoDB EE.
  • IBM Cloud Hyper Protect Virtual Servers are designed to provide complete authority over an enterprise’s LinuxONE Virtual Servers for workloads with sensitive data or business IP.

Use Cases

Solitaire Interglobal Ltd (SIL) was an early IBM Cloud Hyper Protect Services client. Its Wenebojo offering—named for a character in the Ojibwe First Nations oral storytelling tradition—enables people with challenges such as vision or hearing loss to enjoy stories in an accessible form. SIL’s original content needed to be highly protected so they could continue to develop more stories.

When IBM started collaborating with Bank of America to launch the IBM Cloud for Financial Services, Keep Your Own Key with Hyper Protect Crypto Services became a core part of the level of security banks required before they would consider moving their workloads to the cloud. IBM launched the world’s first financial services-ready public cloud in November 2019, and made it available to additional clients in July 2020.

Daimler recently expanded its relationship with IBM and adopted public cloud. Only Hyper Protect Services were able to meet the stringent security controls that Daimler was looking for to protect their highly sensitive data in the public cloud.

Hyper Protect Services are also the underpinning for the Hyper Protect Digital Assets Platform. For institutional investors, exchanges, banks and corporations using digital assets, confidential computing is key to storing and transferring assets securely and quickly while maintaining control of the encryption keys.

Powered by IBM Hyper Protect Virtual Servers, the platform is available on premises with IBM LinuxONE or Linux on IBM Z. The platform is also available in the public cloud with IBM Cloud Hyper Protect Services. We have seen tremendous interest in this space, with customers such as Hex Trust and Onchain Custodian enjoying the benefits of the platform.

We’re also working with fintechs and healthtech start-ups through the IBM Hyper Protect Accelerator Program, helping them build innovative new applications based on a scalable and secure platform. They provide the ideas, and we support them with technical workshops, business mentors, and access to IBM Cloud Hyper Protect Services running on LinuxONE.

So … what’s next?

We’re continuing to mature our offerings and add capabilities to enable our clients’ hybrid cloud journey. And we’re doing it both by leveraging Hyper Protect Services to further IBM’s Confidential Computing mission and by planning future expansion into other industry-specific clouds.

John Currie is Program Director for IBM ZaaS Offering Management, Strategy, and Client Success.
