Confidential Computing: Comprehensive portfolio to protect sensitive data
May 2021
Mark Argent, IBM
Confidential Computing from the CIO’s POV
Confidential Computing, Analyst Briefing/ © 2021 IBM Corporation 2
Business needs:
– Meet regulatory compliance requirements and reduce the costs of doing so
– Complete authority over sensitive data and associated workloads, especially hybrid apps
– Move to cloud, but manage sensitive and confidential data
– Ensure data privacy, including for AI/ML and sensitive data
Drivers: complex regulations and data privacy; increasing cybersecurity threats and data breaches
Technical assurance vs. operational assurance
Operational assurance: “Cloud provider will not access your data”
Regulated clients require technical assurance. Operational assurance is not sufficient.
Technical assurance: “Cloud provider cannot access your data”
[Diagram: two views of a customer’s data service and its objects, showing which party (cloud operator or customer) has control and visibility over them; the second view is with Confidential Computing.]
https://www.ibm.com/cloud/learn/confidential-computing
[Diagram: an application user interacts through a user interface (e.g. website) with an application (e.g. cloud service), which uses a data service (e.g. database) backed by data at rest (e.g. on a filesystem) and a key management service (KMS). The three data states shown are data in use (inside the application and data service), data in transit (between the components) and data at rest (on storage).]
Confidential Computing is about ‘Data in Use’
Industry view: Confidential Computing Consortium definition (https://confidentialcomputing.io/)
Confidential Computing, Analyst Briefing/ November, 2020 / © 2020 IBM Corporation 5
Confidential Computing adds data-in-use protection to the existing data-at-rest and data-in-transit protections by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments prevent unauthorized access to, or modification of, applications and data while in use, increasing the security assurances for organizations that manage sensitive and regulated data.
Why is Hardware Necessary for Confidential Computing?
Security is only as strong as the layers below it, since security in any layer of the compute stack could potentially be circumvented by a breach at an underlying layer. This drives the need for security solutions at the lowest layers possible, down to the silicon components of the hardware.
The Scope of Confidential Computing (from the consortium)
• Software attacks. Software attacks include attacks on the operating system, hypervisor, BIOS, other software and stacks.
• Protocol attacks. Protocol attacks include side attacks on protocols associated with attestation as well as workload and data transport.
• Cryptographic attacks. Cryptography is an evolving discipline, with vulnerabilities being found over time in ciphers and algorithms, including through mathematical breakthroughs, the availability of computing power, and new computing approaches such as quantum computing. In some cases, defense-in-depth may be appropriate, for instance employing quantum-resistant cryptography within TEE instances whose implementation is not itself quantum-resistant.
• Basic physical attacks. Considered in-scope: cold DRAM extraction, bus and cache monitoring, and plugging attack devices into an existing port, e.g., PCIe, Firewire, USB-C.
Purpose-built offerings from IBM spanning compute, containers, databases and crypto, leveraging secure enclaves in IBM z15 and in Intel SGX
– IBM Cloud Hyper Protect Crypto Services: data encryption and TLS offloading with “Keep Your Own Key”
– IBM Cloud Hyper Protect Virtual Servers: confidential servers for workloads
– IBM Cloud Hyper Protect DBaaS: confidential databases
– IBM Cloud Data Shield: confidential containers for microservices
[Diagram: the same application user / user interface (e.g. website) / application (e.g. cloud service) / data service (e.g. database) / data at rest (e.g. on a filesystem) picture as before, covering data in use, data in transit and data at rest, with Hyper Protect Crypto Service providing Keep Your Own Key (KYOK) in place of the generic KMS.]
Confidential compute enables total privacy assurance (IBM view): IBM Cloud Hyper Protect Crypto Services, IBM Cloud Hyper Protect Virtual Servers, IBM Cloud Hyper Protect DBaaS, IBM Cloud Data Shield
Cloud services: IBM perspective

Service                                              | IBM Cloud                                                  | Azure | AWS | GCP
Confidential Compute Services                        | ✓ Data Shield servers; Hyper Protect Virtual Server        | ✓     | ✓   | ✓
Confidential Database Services                       | ✓ Hyper Protect PostgreSQL; Hyper Protect Mongo DB EE      | —     | X   | X
Confidential Crypto / Key Management Services (KYOK) | ✓ Hyper Protect Crypto Services                            | X     | X   | X
Confidential Containers                              | ✓ Data Shield IKS/ROKS                                     | X     | X   | X
Secure Build / DevSecOps for Confidential Computing  | ✓ Hyper Protect Virtual Server with Bring Your Own Image   | ✓     | X   | X
Client References                                    | ✓                                                          | ✓     | X   | X

✓ Supported; — Alternative approach; X Not supported
*Always encrypt
Confidential Computing - TEE: On Premise
[Diagram: TEE vendors and platforms: Intel SGX & TPM; AMD EPYC; IBM Z / LinuxONE and Power 10 EPC; VMware; Hyperledger; Thales+; Microsoft 365]
https://confidentialcomputing.io/white-papers/
On Premise Confidential Computing: Options for protecting application data in memory

[Flowchart; the decision questions and resulting options are listed below.]
Decision questions:
– Can the application be deployed on s390x architecture? * (s390x vs. x86)
– Can the application be containerized?
– Willing to change the application design/code to use a protected enclave?
– Can the protected enclave be limited to 128MB?

s390x options:
– IBM Hyper Protect Virtual Servers (HPVS) on IBM LinuxONE / IBM z15 (containerized applications): container isolation; established toolchain (inc. IBM HSM - KYOK); support for memory overcommit.
– IBM Secure Execution for Linux on IBM LinuxONE / IBM z15 (non-containerized applications): VM isolation; supports secrets built into the enclave; support for memory overcommit.

x86 options:
– Intel Software Guard Extensions (SGX), for applications changed to use a protected enclave limited to 128MB: application isolation; limited to 92MB memory (vSphere vSGX); vendor-specific implementation; only specified memory is protected.
– vSphere 7 Pods with AMD Secure Encrypted Virtualization - Encrypted State (SEV-ES) (containerized applications): container isolation; can’t overcommit memory allocated to containers; vulnerabilities in all but the latest processors.
– vSphere 7 / Linux KVM with AMD Secure Encrypted Virtualization - Encrypted State (SEV-ES) (VMs): VM isolation; can’t overcommit memory allocated to VMs; vulnerabilities in all but the latest processors.

* Majority of modern languages/hosting deployable without change
• Java ‘out of the box’ provided using the right JDK
• NodeJS / Javascript
• ISV software is usually recompiled already.
• Many open-source software packages already available.
• CLR for .Net applications (targeted Q4 ‘21)
Hybrid Cloud: On Premise and Public Cloud Services. Confidential Computing: Options for protecting application data in memory

[Flowchart; the decision questions and resulting options are listed below.]
Decision questions:
– Able to leverage services from the public cloud to combine with an On Premise implementation?
– Able to develop and test on the public cloud?

s390x - On Premise:
– IBM Secure Execution for Linux on IBM LinuxONE / IBM z15: VM isolation; supports secrets built into the enclave; support for memory overcommit.
– IBM Hyper Protect Virtual Servers (HPVS) on IBM LinuxONE / IBM z15: container isolation; established toolchain (inc. IBM HSM - KYOK); support for memory overcommit.

IBM Cloud services:
– Virtual Servers: IBM Cloud Hyper Protect Virtual Servers: LinuxONE virtual servers.
– Containers: IBM Cloud Data Shield: run containerized applications in a secure enclave on Kubernetes; secure enclaves using Intel SGX and Fortanix.
– Public cloud DBaaS: IBM Cloud Hyper Protect DBaaS: MongoDB, PostgreSQL; fully managed database on LinuxONE; control encryption keys with Crypto Services.
– Public cloud Crypto service: IBM Cloud Hyper Protect Crypto Services: FIPS 140-2 HSM; only service in the industry that’s built on FIPS 140-2 Level 4-certified hardware; Keep Your Own Key (KYOK).
On Premise Confidential Computing

Confidential Computing overview

  • 5. Confidential Computing Consortium definition (https://confidentialcomputing.io/)
    Confidential Computing adds data-in-use protection to the existing data-at-rest and data-in-transit protections by performing computation in a hardware-based Trusted Execution Environment (TEE). These secure and isolated environments prevent unauthorized access to, or modification of, applications and data while in use, increasing the security assurances for organizations that manage sensitive and regulated data.
    Why hardware is necessary for Confidential Computing: security is only as strong as the layers below it, since protection at any layer of the compute stack can be circumvented by a breach at an underlying layer (a compromised hypervisor or firmware sees everything the layers above it do). This drives the need for security controls at the lowest layers possible, down to the silicon itself.
  • 6. The scope of Confidential Computing (threat classes the consortium considers in scope)
    – Software attacks: attacks on the operating system, hypervisor, BIOS, and other software and stacks.
    – Protocol attacks: attacks on the protocols associated with attestation and with workload and data transport (for example replaying an old attestation report, or stripping the binding between a report and the session it authorizes).
    – Cryptographic attacks: cryptography is an evolving discipline, with vulnerabilities found over time in ciphers and algorithms through mathematical breakthroughs, growing computing power, and new computing approaches such as quantum computing. In some cases defense-in-depth may be appropriate, for instance employing quantum-resistant cryptography within TEE instances whose own implementation is not quantum-resistant.
    – Basic physical attacks (considered in scope): cold DRAM extraction, bus and cache monitoring, and plugging attack devices into an existing port, e.g. PCIe, FireWire, USB-C.
    Not on this list, and not guaranteed by any current TEE: sophisticated physical attacks on the chip itself, compromise of the hardware supply chain, and side-channel leakage, which vendors mitigate per implementation rather than exclude by design. A practitioner should treat side-channel resistance as a property to verify for the specific processor generation, not as part of the definition.
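The technical-assurance claim ("cloud provider cannot access your data") and the attestation-protocol attacks in the scope list above meet at one point: the data owner's key service releases a data key only after a fresh, hardware-signed attestation of the exact workload, which is the mechanism behind "Keep Your Own Key" style designs. The Python sketch below is an added illustration of the verifier side of that exchange; it is not code from IBM, from the deck, or from any TEE vendor SDK. It shows the checks a practitioner wants in order: nonce freshness and single use (against replay), a signature over every field acted on, a measurement allowlist, and refusal of debug-mode enclaves. The attestation signing key, the measurement values, the report layout and the `enclave_attest` function are hypothetical; real TEEs sign reports with a per-chip asymmetric key chained to a vendor certificate, for which an HMAC stands in here so the example runs with the standard library only.

```python
"""Attestation-gated key release (constructed, illustrative example).

Verifier = the data owner's key service (the KYOK side).
Enclave  = the workload running in a TEE, which must prove what it is
           before the verifier hands it the data key.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Hypothetical stand-in for the hardware-rooted attestation signing key. In a
# real TEE the report is signed by a per-chip asymmetric key with a vendor
# certificate chain and the verifier never holds a private key; an HMAC key
# is used here only so the example runs stand-alone.
HW_ATTESTATION_KEY = b"hypothetical-hardware-attestation-key"

# The secret the verifier protects: a constructed 128-bit data key.
DATA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Measurements (hash of enclave code plus initial data) the owner has reviewed
# and trusts. Constructed values, not real enclave images.
TRUSTED_MEASUREMENTS = {
    hashlib.sha256(b"payments-service enclave image v1.4").hexdigest(),
}


def _report_body(measurement: str, nonce_hex: str, debug: bool) -> bytes:
    # Everything the verifier relies on must be under the signature, including
    # the nonce (binds the report to this challenge) and the debug flag.
    return f"{measurement}|{nonce_hex}|{int(debug)}".encode()


def enclave_attest(measurement: str, nonce: bytes, debug: bool = False) -> dict:
    """TEE side (hypothetical): report over (measurement, nonce, debug), signed by hardware."""
    body = _report_body(measurement, nonce.hex(), debug)
    return {
        "measurement": measurement,
        "nonce": nonce.hex(),
        "debug": debug,
        "signature": hmac.new(HW_ATTESTATION_KEY, body, hashlib.sha256).hexdigest(),
    }


class Verifier:
    """Key service that releases DATA_KEY only to a fresh, trusted, non-debug enclave."""

    def __init__(self, nonce_ttl_s: float = 30.0) -> None:
        self.nonce_ttl_s = nonce_ttl_s
        self._pending: dict = {}  # nonce hex -> issue time

    def challenge(self, now: Optional[float] = None) -> bytes:
        """Issue a random nonce the enclave must echo inside its signed report."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce.hex()] = time.monotonic() if now is None else now
        return nonce

    def verify_and_release(self, report: dict, now: Optional[float] = None) -> Tuple[Optional[bytes], str]:
        """Return (DATA_KEY, 'ok') or (None, reason). Order: freshness, authenticity, policy."""
        now = time.monotonic() if now is None else now
        # 1. Freshness and single use: the nonce must be one we issued and still
        #    within its TTL; it is consumed here so a replayed report fails.
        issued = self._pending.pop(report.get("nonce", ""), None)
        if issued is None:
            return None, "unknown or already-used nonce"
        if now - issued > self.nonce_ttl_s:
            return None, "challenge expired"
        # 2. Authenticity: recompute the signature over exactly the fields we act on.
        expected = hmac.new(
            HW_ATTESTATION_KEY,
            _report_body(report["measurement"], report["nonce"], bool(report["debug"])),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, report.get("signature", "")):
            return None, "bad signature"
        # 3. Policy: a debug enclave can be inspected by its host, so it gets
        #    nothing; only reviewed measurements receive the key.
        if report["debug"]:
            return None, "debug enclave refused"
        if report["measurement"] not in TRUSTED_MEASUREMENTS:
            return None, "measurement not on allowlist"
        return DATA_KEY, "ok"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Four cases: good enclave, replayed report, tampered measurement, debug enclave."""
    v = Verifier()
    good = next(iter(TRUSTED_MEASUREMENTS))
    report = enclave_attest(good, v.challenge())
    released = v.verify_and_release(report)[0] == DATA_KEY
    replay_blocked = v.verify_and_release(report)[0] is None
    tampered = dict(enclave_attest(good, v.challenge()), measurement="ff" * 32)
    tamper_blocked = v.verify_and_release(tampered)[0] is None
    debug_blocked = v.verify_and_release(enclave_attest(good, v.challenge(), debug=True))[0] is None
    return released, replay_blocked, tamper_blocked, debug_blocked


if __name__ == "__main__":
    print(demo())
```

The ordering matters: freshness is checked before the signature so that a stale report is rejected without spending a verification on it, and the nonce is consumed before any other check so that even a report that fails later cannot be retried. In a production deployment the measurement allowlist is what the owner actually reviews and signs off on; everything else in the verifier is plumbing to make that one decision trustworthy.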
  • 7. Purpose-built offerings from IBM spanning compute, containers, databases and crypto
    Leveraging secure enclaves in IBM z15 / LinuxONE:
    – IBM Cloud Hyper Protect Crypto Services: data encryption and TLS offloading with "Keep Your Own Key" (KYOK)
    – IBM Cloud Hyper Protect Virtual Servers: confidential servers for workloads
    – IBM Cloud Hyper Protect DBaaS: confidential databases
    Leveraging secure enclaves in Intel SGX:
    – IBM Cloud Data Shield: confidential containers for microservices
  • 8. IBM view: the data-flow diagram (application user, user interface such as a website, application such as a cloud service, data service such as a database, data at rest on a filesystem) annotated with data in transit, data in use and data at rest, and with the IBM service covering each: Hyper Protect Crypto Services with Keep Your Own Key (KYOK) for key management, and Hyper Protect Virtual Servers, Hyper Protect DBaaS and Data Shield for data in use. Tagline: confidential compute enables total privacy assurance.
  • 9. Cloud services: IBM perspective (as of May 2021, the date of this deck; the other providers' offerings have changed since)
    Capability                                          | IBM Cloud                                                       | Azure                                   | AWS           | GCP
    Confidential compute services                       | Supported: Data Shield servers, Hyper Protect Virtual Server    | Supported                               | Supported     | Supported
    Confidential database services                      | Supported: Hyper Protect PostgreSQL, Hyper Protect MongoDB EE   | Alternative approach (Always Encrypted*) | Not supported | Not supported
    Confidential crypto / key management services (KYOK)| Supported: Hyper Protect Crypto Services                        | Not supported                           | Not supported | Not supported
    Confidential containers                             | Supported: Data Shield on IKS/ROKS                              | Not supported                           | Not supported | Not supported
    Secure build / DevSecOps for Confidential Computing | Supported: Hyper Protect Virtual Server with Bring Your Own Image | Supported                             | Not supported | Not supported
    Client references                                   | Supported                                                       | Supported                               | Not supported | Not supported
    Legend in the original: tick = supported, dash = alternative approach, X = not supported. *The Azure alternative counted here is Always Encrypted (client-side column encryption in Azure SQL), which protects data from the database engine but is not a hardware TEE.
  • 10. Confidential Computing TEEs on premise (diagram; see https://confidentialcomputing.io/white-papers/). Platforms shown: Intel SGX and TPM, AMD EPYC, IBM Z / LinuxONE, IBM Power 10, VMware, Hyperledger, Thales, Microsoft 365, EPC.
  • 11. On-premise Confidential Computing: options for protecting application data in memory (decision flowchart, reconstructed here as a list)
    Q1. Willing to change the application design/code to use a protected enclave?
      – Yes: Intel Software Guard Extensions (SGX), application isolation, provided the protected enclave can be limited to 128 MB. Hosted on x86 under vSphere 7 or Linux KVM. Caveats: limited to 92 MB of enclave memory under vSphere vSGX; vendor-specific implementation; only the memory explicitly placed in the enclave is protected. (The 128 MB figure is the enclave page cache of first-generation SGX parts; later server processors have much larger EPCs, so check the figure for the hardware in question.)
      – No: go to Q2.
    Q2. Can the application be deployed on the s390x architecture?*
      – Yes: can the application be containerized?
          – Yes: IBM Hyper Protect Virtual Servers (HPVS) on IBM LinuxONE / IBM z15. Container isolation; established toolchain (including IBM HSM with KYOK); supports memory overcommit.
          – No: IBM Secure Execution for Linux on IBM LinuxONE / IBM z15. VM isolation; supports secrets built into the enclave; supports memory overcommit.
      – No (x86): can the application be containerized?
          – Yes: vSphere 7 Pods with AMD Secure Encrypted Virtualization - Encrypted State (SEV-ES). Container isolation; cannot overcommit memory allocated to containers; vulnerabilities in all but the latest processors.
          – No: Linux KVM with AMD SEV-ES. VM isolation; cannot overcommit memory allocated to VMs; vulnerabilities in all but the latest processors.
    * The majority of modern languages and hosting stacks are deployable on s390x without change: Java out of the box with the right JDK; Node.js / JavaScript; ISV software is usually already recompiled; much open-source software is already available; CLR for .NET applications targeted for Q4 2021.
  • 12. Hybrid cloud: on premise and public cloud services. Options for protecting application data in memory
    On premise (s390x): IBM Secure Execution for Linux (VM isolation; secrets built into the enclave; memory overcommit) and IBM Hyper Protect Virtual Servers (container isolation; established toolchain including IBM HSM with KYOK; memory overcommit), both on IBM LinuxONE / IBM z15.
    Questions: able to leverage services from the public cloud to combine with the on-premise implementation? Able to develop and test on the public cloud?
    IBM Cloud services:
    – Virtual servers: IBM Cloud Hyper Protect Virtual Servers (LinuxONE virtual servers).
    – Containers: IBM Cloud Data Shield, running containerized applications in a secure enclave on Kubernetes; secure enclaves using Intel SGX and Fortanix.
    – Public cloud DBaaS: IBM Cloud Hyper Protect DBaaS (MongoDB, PostgreSQL), fully managed databases on LinuxONE; encryption keys controlled through Crypto Services.
    – Public cloud crypto service: IBM Cloud Hyper Protect Crypto Services, a FIPS 140-2 HSM with Keep Your Own Key (KYOK); presented as the only service in the industry built on FIPS 140-2 Level 4-certified hardware.
  • 13. Confidential Computing (closing slide)

Editor's notes (speaker notes)

  1. Use cases from the IBM CIO Office perspective:
     – Risk analysis and business-case approach: the expected cost of a breach (costs are shifting, meaning more breaches and more expensive breaches) versus the expected cost of security.
     – IT use cases of particular relevance: increasing the scope of encryption when workloads are migrated to private cloud; hybrid workloads where sensitive data moves between cloud and on-prem; increased security for region-specific, data-sensitive workloads in the cloud; AI and ML use cases; and data in a Z environment.
  2. The next frontier of data protection. End-to-end data protection covers the three states of data:
     – Data at rest: files stored on servers, records in databases, etc. Protecting data at rest means encrypting the stored data and surrounding it with controls such as anti-virus and firewalls, so a malicious actor cannot read inactive data stored on a device or network.
     – Data in transit: information moving between servers and applications, for example email and instant messaging. Enterprises protect it by encrypting the connection with TLS (Transport Layer Security; SSL, Secure Sockets Layer, is its deprecated predecessor) for transactions in and out of a server, or by encrypting the sensitive data itself before moving it. Technologies that exist today on the LinuxONE III machine already protect these two states of data and code, such as Pervasive Encryption for general LinuxONE workloads, hardware-accelerated cryptography and the Hyper Protect services. In particular, CPACF (CP Assist for Cryptographic Functions, on-processor instructions) performs the encryption and decryption, and the Crypto Express card, an HSM, holds the master key used to protect the data keys and never releases it in the clear.
     What is lacking today is protection for the third state of data: data in use.
     – Data in use: data being processed by a running application or accessed by a user, for example banking software, Java applications and databases that are running and may have sensitive files open. While it is being computed on it sits in cleartext in memory and registers, which is exactly what at-rest and in-transit encryption do not cover.
     Confidential computing: so how do we protect data while it is in use? Tech companies are adopting a new security model they call confidential computing, which uses hardware-based techniques (emphasize) to protect data in use. The key is controlling access to the data as tightly as possible and providing a way to process unencrypted data securely. Keep in mind that the protections for the three data states are complementary; none supersedes or replaces the others.
     To recap: today data is often protected at rest and in transit, but not while in use by applications. To implement technical assurance, end-to-end protection must cover all three states. Without it, organizations whose applications handle sensitive data such as financial transactions or health information are often unable to take advantage of the benefits of cloud and multi-party computing.
  3. The IBM Secure Service Container architecture exploits the Crypto Express6S HSMs so that institutions can run Docker containerized applications and microservices in an industry-unique, FIPS 197 (AES) compliant, trusted, cryptographically isolated execution environment with up to 16 TB of real memory available.
  4. (Repeats the notes for slide 2.)
  5. GCP plans to support the following guest images for its confidential compute offering: Ubuntu 18.04, Ubuntu 20.04, Container-Optimized OS (COS v81) and RHEL 8.2.