IBM Cloud Docs
Protecting sensitive information in your Watson service

Protecting sensitive information in your Watson service

IBM Cloud

You can add a higher level of encryption protection and control to your data at rest (when it is stored) and data in motion (when it is transported) by enabling integration with IBM® Key Protect for IBM Cloud®.

The data that you store in IBM Cloud is encrypted at rest by using a randomly generated key. If you need to control the encryption keys, you can integrate Key Protect. This process is commonly referred to as Bring your own keys (BYOK). With Key Protect you can create, import, and manage encryption keys. You can assign access policies to the keys, assign users or service IDs to the keys, or give the key access only to a specific Watson service. The first 20 keys are free.

Data encryption of Watson services requires a new Premium plan instance. You cannot encrypt an existing service instance or instances not in the Premium plan. Not all Watson services support Premium plans. For more information about Premium plans, contact a Watson representative

About customer-managed encryption

Watson uses envelope encryptionThe process of encrypting data with a data encryption key and then encrypting the key with a root key that can be fully managed. to implement customer-managed keys. Envelope encryption describes encrypting one encryption key with another encryption key. The key used to encrypt the actual data is known as a data encryption key (DEK)A cryptographic key used to encrypt data that is stored in an application.. The DEK itself is never stored but is wrapped by a second key that is known as the key encryption key (KEK) to create a wrapped DEK. To decrypt data, the wrapped DEK is unwrapped to get the DEK. This process is possible only by accessing the KEK, which in this case is your root key that is stored in Key Protect.

Key Protect keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs)A physical appliance that provides on-demand encryption, key management, and key storage as a managed service..

Enabling customer-managed keys with Watson

Some Watson services have additional details about how to work with Key Protect. For more information, see the docs for the service.

Integrating Key Protect with Watson Premium services involves these steps in the IBM Cloud console.

  1. Create an instance of Key Protect.
  2. Add a root key to the Key Protect instance.
  3. Grant Key Protect access to all instances of your Watson service.
  4. Encrypt the Watson service data

Step 1. Create the Key Protect instance

Create an instance of Key Protect to hold your root keys.

  1. Go to the Key Protect page in the IBM Cloud catalog Security and Identity category.
  2. Select a region. Make sure to create the instance in the same location as the Watson services you want to encrypt.
  3. Name the service and click Create.

Step 2. Add a key

You use Key Protect to generate a key or import your own key.

Create a root key

When you use Key Protect to create a key, the service generates cryptographic key material that is rooted in cloud-based HSMs.

After you create an instance of the service, add a root key.

  1. If you're not already on the details page, click the name of the Key Protect instance in your resource list.
  2. Add a Key Protect root keyA symmetric wrapping key that is used for encrypting and decrypting other keys that are stored in a data service.:
    1. Click Manage from the left navigation pane of the service details and click Add key.
    2. Select Create a key and the Root key type.
    3. Give the key a name that you can recognize and click Create key. Make sure that the key name does not contain personal information, such as your name or location.

Import a key

If you need to generate keys with your own solution, you can use Key Protect to secure the keys.

After you create an instance of the service, add a root key.

  1. Click the name of the Key Protect instance in your resource list.
  2. Import a root key:

    1. Click Manage from the left navigation pane of the service details and click Add key.

    2. Select Import your own key the Root key type.

    3. In Key material, specify the base64 encoded key material, such as an existing key-wrapping key.

      • The key must be 128, 192, or 256 bits.
      • The bytes of data, for example 32 bytes for 256 bits, must be encoded by using base64 encoding.

    4. Give the key a name that you can recognize and click Import key. Make sure that the key name does not contain personal information, such as your name or location.

Step 3. Grant service access to Key Protect

After you add a root key to Key Protect, you use Cloud Identity and Access Management (IAM) to authorize access between the Watson service and Key Protect.

You must be the account owner or administrator on the Key Protect service instance and at least the viewer role on all instances of the Watson services.

  1. Go to the IAM Authorizations page. (From the IBM Cloud console menu bar, select Manage > Access IAM, and then click Authorizations.)

  2. Click Create.

  3. Select the Watson service as the Source service. Leave All resources selected to scope the access.

  4. Select Key Protect as the Target service.

  5. Select Resources based on selected attributes, and then select Instance ID for the target service attribute. One of the following criteria must be true to authorize:

    • The IAM Policy authorizes a resource group that contains the Key Protect instance to target all instances of the dependent service.
    • The IAM Policy authorizes a specific instance of Key Protect to target all instances of the dependent service.
    • The IAM Policy authorizes a specific instance of Key Protect to target a resource group that the new instance of the dependent service would be created in.
    • The IAM Policy authorizes a resource group that contains the Key Protect instance to target a resource group that the new instance of the dependent service would be created in.

    Select the Key Protect service instance that you created earlier.

  6. Authorize dependent services by selecting Enable authorization to be delegated. Delegation allows the Key Protect instance to propagate its authorizations to this service.

  7. Make sure that the Reader role is enabled. Reader permissions allow the Watson service to see the root keys in the Key Protect instance.

  8. Click Authorize and confirm delegated authorization.

Step 4. Encrypt the Watson service data

After you grant the Watson service the authorization to use your keys, you create another instance on your Premium plan and supply the key name or CRN. The service uses your encryption key to encrypt your data.

You must have the administrator or editor role on the Watson service.

  1. Go to the AI / Machine Learning category page.

  2. Select the Watson service that you authorized in Step 3. Grant service access

  3. Select a region. Make sure to create the instance in the same location as the Key Protect service that you created in Step 1.

  4. Select the Premium plan. This feature is supported on the Premium plan only.

  5. Encrypt the service data with Key Protect:

    1. Select Yes to "Encrypt service with Key Protect."
    2. Select the Key Protect instance that you authorized earlier.
    3. Select the root key that you authorized earlier.

    If you see a drop-down menu flash and disappear, check that you have correctly followed sub-step 5 of Step 3. Grant service access

  6. Click Create.

The data that is associated with this Watson service instance is now encrypted.

Working with customer-managed keys

After you enable a customer-managed key, the service operates normally, and you can manage access to the data with Key Protect.

Temporarily prevent access to your data

To temporarily prevent access, remove all authorizations between the Watson service and Key Protect:

  • Remove the authorization that you created in Step 3 from the IAM Authorizations page.

  • Remove all other authorizations between other services connected with the Watson service and Key Protect.

    1. Find the Cloud Resource Name identifier (CRN) for the Watson service that you want to remove access to. You find the CRN by clicking the service instance row in your Resource list. The CRN is displayed in the details pane.
    2. Back on the Authorizations page, search for that CRN in the list.
    3. Remove every authorization with the CRN of the Watson service as the source and Key Protect as the target.

    These other authorizations might exist because the Watson service can create delegated policies from the authorization that you created.

The Watson instance can no longer access the data because no authorizations exist to access the key. For more information, search for Removing an authorization in "Using authorizations to grant access between services".

Restore temporary access

To restore access after you temporarily remove it, follow these steps:

  1. Re-create the authorization between your Watson service and Key Protect instance as shown in Step 3. Grant service access.
  2. Tell your IBM Client Success Manager (CSM) that you want to restore access through Key Protect.

After you re-create the authorization and your CSM confirms Watson that any delegated authorizations are reconnected, the Watson instance starts accepting connections again.

Permanently prevent access to your data

To delete your data securely, delete both the encrypted Watson service instance and the Key Protect key.

When you delete a data encryption key, it is not recoverable and you cannot decrypt the key. You prevent further access to the data, but you also cannot recover the data.

For more information about deleting keys, see Deleting keys in the Key Protect docs.

Rotating keys

Key rotation is an important part of mitigating the risk of a data breach. Periodically changing keys reduces the potential data loss if the key is lost or compromised. For more information, see Setting a rotation policy in the Key Protect docs.

Identify which key is encrypting your service instance

To see which Key Protect instance is used to encrypt the data, use the link in the service details.

  1. Go to your resource list.
  2. Click the name of the Watson service instance.
  3. Click the Manage tab on the left pane.
  4. Find "Encrypted with a Key Protect root key". Click View KeyProtect Instance to see details of the keys in that Key Protect instance.

Next steps