IBM Confidential Computing - Max Fang's Notes

# IBM Confidential Computing Links: [[IBM]], [[Confidential Computing]], [[SGX]], [[FHE]], [[AMD SEV|SEV]] - [Blog posts tagged with `confidential computing`](https://www.ibm.com/blogs/research/tag/confidential-computing/) (only 1) **IBM has:** - **[[IBM Cloud Data Shield]]** which uses [[SGX|Intel SGX]] - **[[IBM Cloud Hyper Protect]] Services** based on their own "FIPS 140-2 Level 4 certified cloud hardware security module" - **[[IBM Fully Homomorphic Encryption]]** - **IBM Secure Execution for Linux** - Early efforts to use [[AMD SEV]]: See [[IBM AMD SEV]] - Collaboration with [[Enarx]] ## See also ### - [[IBM Cloud Data Shield]] ([[SGX]]) ### - [[IBM Cloud Hyper Protect]] (Custom) ### - [[IBM Fully Homomorphic Encryption]] ([[FHE]]) ### - [[IBM AMD SEV]] ([[AMD SEV|SEV]]) ### Summary of IBM's offerings ![[Confidential Computing#IBM's confidential computing initiatives]] ## [Confidential computing on IBM Cloud](https://www.ibm.com/cloud/confidential-computing) (Main page) *Protect your data at rest, in transit and in use. Get a higher level of privacy assurance.* Sections - [Read the "smart paper"](https://www.ibm.com/cloud/smartpapers/confidential-computing-for-total-privacy-assurance/) (a webpage with high level info) - [Read the report](https://www.ibm.com/downloads/cas/M5LDGM8L) (15 page pdf, high level) - Client stories - In the news - Related products and services - [IBM Cloud® Data Shield](https://www.ibm.com/cloud/data-shield): Convert, ==attest== and run containerized applications in secured enclaves with data-in-use-protection. See [[IBM Cloud Data Shield]] - [IBM Cloud® Hyper Protect Crypto Services](https://www.ibm.com/cloud/hyper-protect-crypto): Take exclusive control of encryption keys in a single-tenant key management system with hardware security modules (HSM). - [IBM Cloud® Hyper Protect Virtual Servers](https://www.ibm.com/cloud/hyper-protect-virtual-servers): Gain complete authority over Linux®-based virtual servers for workloads with sensitive data and business IP in the cloud. - [IBM Cloud® Hyper Protect DBaaS](https://www.ibm.com/cloud/hyper-protect-dbaas): Provision, manage, maintain and monitor databases, including MongoDB and PostgreSQL, in a 100% tamper-proof environment. - [IBM® Secure Execution for Linux](https://www.ibm.com/downloads/cas/O158MBWG) (pdf): Isolate workloads at granularity, scale and protect them from cyber threats through a trusted execution environment (TEE). - Learn the basics - [The basics of confidential computing](https://www.ibm.com/cloud/learn/confidential-computing): Learn about confidential computing and why it’s so important. - [Video walk-through for use cases](https://mediacenter.ibm.com/id/1_p7edp0f2): Examine key use cases that reveal how confidential computing helps assure that your data is protected and confidential. (8:42) - [Introduction to Hyper Protect Services](https://mediacenter.ibm.com/id/1_x0sslgx5): Learn how IBM Cloud® Hyper Protect Services provide confidential computing solutions. (5:51) ## [Confidential Computing](https://www.ibm.com/cloud/learn/confidential-computing) IBM Cloud "Learn" page, [[2020-10-16]] - Nothing really concrete or technical Today, IBM delivers production-ready Confidential Computing, to protect data, applications and processes at scale for a broad spectrum of clients. Clients like [Daimler](https://newsroom.ibm.com/2020-07-01-Daimler-Expands-Relationship-with-IBM-Adopts-IBM-public-cloud-for-its-security-capabilities) and companies including ISVs, and ==SaaS vendors in fast moving markets like digital asset custody and other financial areas== are already working with us to keep their enterprise-class data protected. We have also brought this same technology to Apple CareKit via the IBM Hyper Protect Software Development Kit (SDK) for iOS available in the Apple CareKit open source GitHub community. This SDK helps developers build healthcare applications that are HIPAA-Ready running on Apple devices with features that address unauthorized party access to their data in the IBM Cloud. - *Digital asset custody*, interesting... ## [The Next Frontier in Security: Confidential Computing](https://newsroom.ibm.com/confidential-computing) *By Rohit Badlaney, VP of IBM Z Hybrid Cloud & Hillery Hunter, VP & CTO, IBM Cloud* for IBM "Newsroom" (no date) (Excerpts) Links: [[Enarx]], [[Organizations/Open-source/Red Hat]], [[FHE]], [[IBM Fully Homomorphic Encryption]] ### IBM seems to be heavily invested in [[Confidential Computing]] For IBM, one key area we’re focused on is [Confidential Computing](https://confidentialcomputing.io/2020/06/04/ieee-what-is-confidential-computing/) – a concept that has moved quickly from research projects into fully deployed offerings across the industry. In order to deliver Confidential Computing, we believe a technology provider must provide protection across the entirety of the compute lifecycle – which includes everything from the build process and key management to the security of data services. Failure to fully protect any of these layers can leave a client's business process exposed. IBM has been investing in Confidential Computing technologies for over a decade and is on its fourth generation of the technology, delivering on end-to-end Confidential Computing for its clients’ cloud computing for more than two years. From IBM’s point of view, data protection is only as strong as the weakest link in end-to-end defense – meaning that data protection should be holistic. Companies of all sizes require a dynamic and evolving approach to security focused on the long-term protection of data. Solutions that might rely on operational assurance alone simply do not meet our standards. IBM [first announced](https://newsroom.ibm.com/IBM-cloud?item=30335) our generally-available Confidential cloud computing capabilities in 2018 with the release of [IBM Cloud Hyper Protect Services](https://www.ibm.com/cloud/hyper-protect-services) and [IBM Cloud Data Shield.](https://www.ibm.com/cloud/data-shield) The family of IBM Hyper Protect Cloud Services is built with secured enclave technology that integrates hardware and software and leverages the industry’s first and only FIPS 140-2 Level 4 certified cloud hardware security module (HSM) to provide end-to-end protection for clients’ entire business processes. IBM Cloud Data Shield provides technology that helps developers to seamlessly protect containerized cloud native applications, without needing any code change. ### Compliance Over the past year, along with several feature enhancements, the services have also helped enterprises meet key compliance requirements relating to whether their data will be secured in the public cloud. This includes GDPR, ISO 27K, IRAP Protected and SOC 2 Type 1 reports. In addition, the devices are HIPAA ready. Over the last few months, we have made several announcements showcasing momentum in this area: - [**IBM Cloud for Financial Services:**](https://newsroom.ibm.com/2019-11-06-IBM-Developing-Worlds-First-Financial-Services-Ready-Public-Cloud-Bank-of-America-Joins-as-First-Collaborator) Built on IBM public cloud, our financial services cloud offering is powered by the same industry-leading Confidential Computing security found in IBM Z. Delivered via IBM Hyper Protect Services, it features ‘Keep Your Own Key’ encryption capabilities backed by FIPS 140-2 Level 4 certification, making the IBM public cloud the industry’s most secure and open public cloud for business. - [**IBM Secure Execution for Linux:**](https://www.ibm.com/blogs/systems/secure-z-linuxone/) Announced in April 2020, IBM Secure Execution for Linux, is a Trusted Execution Environment enabling clients to isolate large numbers of workloads with granularity and at scale, designed to help protect from internal and external threats across the hybrid cloud. Secure Execution is designed for data integrity protection. - With [IBM z15,](https://www.ibm.com/products/z15) clients can gain security advantages to protect data with memory and scale. Announced in September 2019, IBM z15 offers up to 16TB of secured memory. - Protecting containerized workloads with [IBM Cloud Data Shield:](https://www.ibm.com/cloud/data-shield) With IBM Cloud Data Shield, you can protect the data in your containerized workloads, that run on Kubernetes Service and Red Hat OpenShift clusters, while your data is in use. OpenShift support was introduced this year. Data Shield leverages hardware based secure memory encryption based on Intel SGX technology. - Open industry leadership and open source with Red Hat: We announced [Project Enarx](https://next.redhat.com/2019/08/16/trust-no-one-run-everywhere-introducing-enarx/) which aims to make it simple to deploy workloads to a variety of Trusted Execution Environments (TEEs) in the public cloud, on your premises or elsewhere. Red Hat is also part of the industry consortium, [[Confidential Computing Consortium]], to drive open standards and approach in this space. - [**Fully Homomorphic Encryption Toolkits:**](https://developer.ibm.com/blogs/new-open-source-security-tools-let-you-develop-on-encrypted-data/?lnk=ushpv18dt) We are taking innovative steps to protect data in use such as through Fully Homomorphic encryption. In June we [announced](https://developer.ibm.com/blogs/new-open-source-security-tools-let-you-develop-on-encrypted-data/?lnk=ushpv18dt) new toolkits enabling MacOS and iOS developers to experiment with Fully Homomorphic Encryption (FHE) to keep data protected and processed simultaneously. Later this month, we will be announcing a new FHE toolkit for Linux, bringing FHE to multiple Linux distributions for IBM Z and x86 architectures. - Interesting... ## ["Protecting and storing data for a mobile bank app"](https://developer.ibm.com/blogs/protecting-and-storing-data-for-a-mobile-bank-app/) [[2021-10-18]] (full article) - Explains how the "Hyper Protect" services work In the [Secure a cloud-native application on IBM Cloud for Financial Services](https://developer.ibm.com/patterns/secure-a-cloud-native-application-on-ibm-cloud-for-financial-services/) code pattern, I showcase how to integrate IBM Cloud Hyper Protect Services in the Example Bank application to encrypt and secure data. To understand the process of integration, you must understand different terminologies such as _bring your own key (BYOK)_, _keep your own key (KYOK)_, _key ceremony_, _database as a service (DBaaS)_ and _envelope encryption_. Although you can find information about these key concepts about the Hyper Protect Services scattered across the web, this blog post is my attempt to bring them together into one single point of reference. Sensitive data should be stored encrypted in the cloud. However, the key that is used to encrypt and decrypt the data should also be protected. Setting up on-premises hardware security modules (HSMs) can sometimes be hard to manage if you’re not already familiar with it. An inexpensive solution is to use cloud-based storage, but that has its own challenges. In this approach, you can’t be sure that the data is secured as the key that is used to encrypt the data, also known as the data encryption key (DEK), is spread in multiple computers. The solution that combines ease of use and cost effectiveness is to use a key management service (KMS) such as IBM Cloud Hyper Protect Crypto Services (HPCS). HPCS provides access to a FIPS 140-2 Level 4 HSM that protects the customer master key and all other keys that are used to encrypt data at rest in IBM Cloud Object Storage, IBM Cloud Hyper Protect DBaaS, IBM Cloud Block Storage, and similar. Let’s go through some key terminologies that are used by the Hyper Protect Services. ### Envelope encryption IBM Key Protect and HPCS use [envelope encryption](https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-envelope-encryption) to protect data. Envelope encryption is a practice of encrypting data with a DEK and then wrapping the DEK with a root key that you can fully manage by using crypto services. In HPCS, root keys are also encrypted by the master key that is uploaded by your administrators during the key ceremony process. The difference is that in Key Protect, the root key wraps the DEK, whereas in HPCS, the master key protects the root key, which is used to wrap the DEK to provide an extra layer of security. It’s also a best practice to regularly rotate the keys that you use to encrypt. Root keys can be rotated manually or you can schedule the rotation (if you are the owner). To learn more about rotation, read the [Key Protect product documentation](https://cloud.ibm.com/docs/key-protect?topic=key-protect-key-rotation). ![[Screen Shot 2022-02-16 at 12.59.24 AM.png]] ### IBM Key Protect and BYOK [Key Protect](https://www.ibm.com/cloud/key-protect) is a multitenant KMS that helps you to bring your keys to the cloud (BYOK) and manage them by using an IBM-controlled HSM. IBM provides operational assurance that it does not access the keys. Hence, the master key that you use to wrap the root keys is owned by IBM. ![[Screen Shot 2022-02-16 at 12.59.37 AM.png]] ### IBM Cloud Hyper Protect Crypto Services and KYOK KYOK with HPCS is a dedicated KMS, which allows tenants to own your key (KYOK), built on tenant-controlled FIPS 140-2 Level 4 HSMs (the highest available certification). HPCS is built on IBM LinuxONE technology. In this implementation, IBM cannot access the keys. The key owned by the tenant is created and uploaded during the key ceremony process. In this implementation, the master key is created, in part, by customer representatives to initialize the HSM, thus maintaining complete control over the master key. ### Key ceremony in IBM Cloud Hyper Protect Crypto Services The key ceremony is a process of loading your own master key to your service instance (cloud account). During the initialization process, the HPCS sets up signature keys for crypto unit administrators, which ensures that the master key parts are loaded into the HSM without interception. Each master key has at least two key parts and each key part can be own by a custodian. To load the master key to the service instance, master key custodians must load their key parts separately by using their own administrator signature keys. A signature key is composed of an asymmetric key pair, private and public. The private part is owned by the crypto unit administrator, while the public part is placed in a certificate that is used to define an administrator and never leaves the crypto unit. This design ensures that no one can get full access of the master key, even the crypto unit administrators. By using the IBM Cloud Trusted Key Entry (TKE) CLI plug-in with the IBM Cloud CLI, you can create crypto units, add signatures, load master key parts, and commit and activate them. ![[Screen Shot 2022-02-16 at 12.59.58 AM.png]] ### Securing your data in IBM Cloud Hyper Protect DBaaS [Hyper Protect DBaaS](https://cloud.ibm.com/docs/hyper-protect-dbaas-for-postgresql?topic=hyper-protect-dbaas-for-postgresql-data-security) is a public multitenant cloud DBaaS that implements security at all levels, such as workload isolation, data encryption (BYOK or KYOK), and identity and administration access control. Hyper Protect DBaaS for PostgreSQL uses the following methods to protect your data: - Built on IBM Secure Service Container technology - All Hyper Protect DBaaS for PostgreSQL connections use TLS/SSL encryption for data in transit. The current supported version of this encryption is TLS 1.2. - Built in data encryption and scales vertically for greater performance. - Integration with key management services that lead to higher data security: BYOK with Key Protect, and KYOK with HPCS. - All Hyper Protect DBaaS for PostgreSQL storage is provided on storage encrypted with LUKS using AES-256. The default keys are managed within the locked down environment within secure service containers. ### Conclusion In this blog post, you got to know about key concepts and terminologies that are used to secure your data and applications such as BYOK, KYOK, and envelope encryption. You also learned about different IBM Cloud services that can help you protect your applications and data. Next, get hands-on experience with integrating Hyper Protect Services to encrypt your application data by following the steps of my code pattern: [Secure a cloud-native application on IBM Cloud for Financial Services](https://developer.ibm.com/patterns/secure-a-cloud-native-application-on-ibm-cloud-for-financial-services/).