Skip to main content

IBM Hyper Protect Platform: Applying Data Protection and Confidentiality in a Hybrid Cloud Environment

An IBM Redbooks publication


Published on 23 February 2024

  1. .EPUB (1.1 MB)
  2. .PDF (2.4 MB)

Apple BooksGoogle Play Books

Share this page:   

ISBN-10: 0738461490
ISBN-13: 9780738461496
IBM Form #: SG24-8555-00

Authors: Bill White, Robbie Avill, Sandeep Batta, Abhiram Kulkarni, Timo Kußmaul, Stefan Liesche, Nicolas Mäding, Christoph Schlameuß and Peter Szmrecsányi

    menu icon


    Protecting workloads and sensitive data throughout their lifecycle is a great concern across all industries and organizations. Increasing demands to accelerate hybrid cloud adoption and integration are changing the way data is securely stored, processed, and accessed.

    In addition, regulatory guidelines and standards are causing many businesses and organizations to implement zero trust policies and privacy enhancing techniques to restrict access to workloads as state of least privilege is established. A state of least privilege ensures that no user or workload has any more access to data than is necessary. Confidentiality and integrity assurance for data at rest and data in transit is typically provided through cryptography. Nevertheless, data in use is generally unencrypted while it is processed by the system, which can make data in use accessible to privileged users or workloads.

    In the past, data owners relied upon operational assurance to control access to workloads and data. An operational assurance approach ensures that a service provider will not access customer workloads or data through specific operational procedures and measures. However, with today's constant, unpredictable, and always changing cyberthreats, operational assurance is not enough.

    A more robust technical assurance approach that is hardware-based is needed. A Trusted Execution Environment (TEE) or confidential computing platform does just that. A TEE ensures that no one can access sensitive workloads and data while in use, not even the service provider. A TEE can also protect the CI/CD pipeline from bad actors, enforce supply chain protection, and provide code integrity through cryptographic proofs and encryption.

    This IBM® Redbooks® publication outlines how to apply common concepts of data protection and confidentiality and make use of a privacy-enhancing technology-based solution that can be implemented in a hybrid cloud environment. It describes the TEE technologies that are offered with IBM Z® and IBM LinuxONE (such as IBM Secure Execution for Linux), and how the IBM Hyper Protect Platform uses them.

    This publication discusses how the various IBM Hyper Protect services ensure zero trust data-centric security and data privacy end-to-end. It also illustrates the business value through specific use case scenarios, covering relevant aspects of workload creation and evidence collection for regulatory compliance of software supply chains.

    This IBM Redbooks publication is for Chief Information Security Officers (CISOs), IT managers, security architects, security administrators, cloud application developers, and anyone who needs to plan, deploy, and manage data security and confidentiality in a hybrid cloud environment. The reader is expected to have a basic understanding of IT security and hybrid cloud concepts.

    Table of Contents

    Chapter 1. A hybrid cloud with data security in mind

    Chapter 2. Understanding the solution

    Chapter 3. Making the infrastructure secure

    Chapter 4. Application development in a trusted environment

    Appendix A. Client contract setup sample files

    Appendix B. Creating a Hyper Protect Virtual Server for VPC

    Appendix C. Additional examples for HPSB and HPVS

    Appendix D. Encryption keys explained


    Others who read this also read