Security and compliance

IBM Cloud® Hyper Protect Crypto Services has data security strategies in place to meet your security and compliance needs and ensure that your data remains protected in the cloud.

Security readiness

Hyper Protect Crypto Services ensures security readiness by adhering to IBM best practices for systems, networking, and secure engineering.

To learn more about security controls across IBM Cloud, see How do I know that my data is safe.

Data encryption

Hyper Protect Crypto Services offers a dedicated hardware security module (HSM), a physical appliance that provides on-demand encryption, key management, and key storage as a managed service, to generate key material that you manage and perform envelope encryption operations. Hyper Protect Crypto Services also supports the management of your own HSM master keys. A master key is an encryption key that is used to protect a crypto unit; it provides full control of the hardware security module and ownership of the root of trust that encrypts the chain keys, including the root key and standard key. Built on FIPS 140-2 Level 4-certified HSMs, Hyper Protect Crypto Services offers the highest security level for cloud-based HSMs and stores cryptographic key material without exposing keys outside of a cryptographic boundary.

Access to the service takes place over HTTPS, and internal Hyper Protect Crypto Services communication uses the Transport Layer Security (TLS) 1.2 protocol to encrypt data in transit.

Data deletion

When you delete a key from Hyper Protect Crypto Services, the service marks the key as deleted, and the key moves to the Destroyed state. Keys in this state can no longer decrypt data that is associated with the key. Therefore, before you delete a key, review the data that is associated with the key and ensure that you no longer require access to it. Do not delete a key that is actively protecting data in your production environments.

Within 30 days after you delete a key, you can restore the key to reverse the deletion. For more information, see Restoring keys.

Note that even if the key is not restored, your data remains in those services in the encrypted form. Metadata that is associated with a key, such as the key's transition history and name, is kept in the Hyper Protect Crypto Services database.

To help you determine what data is protected by a key, you can use the key management service API to view associations between a key and your cloud resources.
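A pre-deletion review along the lines described above, as an added example that is not IBM's code. The record fields (`id`, `state`, `deleted_at`, `key_id`, `resource`) and all sample values are constructed for illustration and are not the service's API schema; in practice the associations would be read from the key management service API.

```python
from datetime import datetime, timedelta, timezone

RESTORE_WINDOW = timedelta(days=30)  # restore period stated on this page


def triage(keys, registrations, now):
    """Map each key id to (verdict, detail) before any delete request is sent."""
    # Index the key-to-resource associations by key id.
    protected = {}
    for reg in registrations:
        protected.setdefault(reg["key_id"], []).append(reg["resource"])

    report = {}
    for key in keys:
        kid = key["id"]
        if key["state"] == "Destroyed":
            # Already deleted: the only open question is whether it can be restored.
            deadline = key["deleted_at"] + RESTORE_WINDOW
            if now <= deadline:
                report[kid] = ("restorable", f"until {deadline.date()}")
            else:
                report[kid] = ("restore-window-closed", f"since {deadline.date()}")
        elif kid in protected:
            # Deleting would leave these resources' data encrypted and unreadable.
            report[kid] = ("block-delete", ", ".join(sorted(protected[kid])))
        else:
            report[kid] = ("ok-to-delete", "no associated resources")
    return report


# Constructed sample data (hypothetical key ids and resource names).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
KEYS = [
    {"id": "key-a", "state": "Active"},
    {"id": "key-b", "state": "Active"},
    {"id": "key-c", "state": "Destroyed",
     "deleted_at": datetime(2024, 6, 20, tzinfo=timezone.utc)},
    {"id": "key-d", "state": "Destroyed",
     "deleted_at": datetime(2024, 5, 1, tzinfo=timezone.utc)},
]
REGISTRATIONS = [
    {"key_id": "key-a", "resource": "bucket:invoices-prod"},
    {"key_id": "key-a", "resource": "database:orders-prod"},
]

if __name__ == "__main__":
    for kid, (verdict, detail) in triage(KEYS, REGISTRATIONS, NOW).items():
        print(f"{kid}: {verdict} ({detail})")
```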

Compliance readiness

Hyper Protect Crypto Services helps meet controls for global, industry, and regional compliance standards. The hardware security module (HSM) meets Common Criteria EAL4 and is FIPS 140-2 Level 4 certified. The service is GDPR, HIPAA, and ISO certified.

For a complete listing of IBM Cloud compliance certifications, see Compliance on the IBM Cloud.

Common Criteria EAL4 certified

The Hardware Security Module (HSM) used by Hyper Protect Crypto Services is the IBM PCIe Cryptographic Coprocessor Version 3 (PCIeCC3) or Version 4 (PCIeCC4). PCIeCC3 is also referred to as the IBM 4768 crypto card or the Crypto Express 6S (CEX6S). PCIeCC4 is also referred to as the IBM 4769 crypto card or the Crypto Express 7S (CEX7S). Both CEX6S and CEX7S are Common Criteria EAL4 certified to meet the security requirements defined by the Common Criteria for Information Technology Security Evaluation.

Common Criteria is an international standard (ISO/IEC 15408) for assessing the security of computer security products. Common Criteria provides assurance that the process of specification, implementation, and evaluation of a computer security product complies with the defined standards and requirements.

FIPS 140-2 Level 4

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government computer security standard that is used to approve cryptographic modules.

FIPS 140-2 defines four levels of security, including FIPS 140-2 Level 1, 2, 3, and 4. FIPS 140-2 Level 4 is the highest level of security. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a high probability of being detected, resulting in the immediate zeroization of all plaintext critical security parameters (CSPs).

Hyper Protect Crypto Services uses the IBM 4768 or IBM 4769 crypto card, which is certified at FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices. Hyper Protect Crypto Services is the only cloud HSM in the public cloud market that is built on an HSM designed to meet FIPS 140-2 Level 4 certification requirements. You can check the certificates at the following sites:

General Data Protection Regulation

The General Data Protection Regulation (GDPR) seeks to create a harmonized data protection law framework across the European Union and aims to give citizens back the control of their personal data. GDPR also imposes strict rules on enterprises that are hosting and processing data, anywhere in the world.

IBM is committed to providing you with innovative data privacy, security, and governance solutions to assist you in the journey to GDPR readiness.

To ensure GDPR compliance for your Hyper Protect Crypto Services resources, enable the EU supported setting for your IBM Cloud account. You can learn more about how Hyper Protect Crypto Services processes and protects personal data by reviewing the following addendums.

HIPAA support

Hyper Protect Crypto Services meets controls for the US Health Insurance Portability and Accountability Act (HIPAA) to ensure safeguarding of protected health information (PHI).

If you or your company is a covered entity as defined by HIPAA, you can enable the HIPAA Supported setting for your IBM Cloud account. To find out more, see Enabling the HIPAA Supported setting.

IBM Cloud for Financial Services

Hyper Protect Crypto Services is IBM Cloud for Financial Services certified. For information about requesting an IBM Cloud for Financial Services report, see IBM Cloud industry compliance programs.

IRAP support

Hyper Protect Crypto Services meets the requirements of the Information Security Registered Assessors Program (IRAP) to provide high-quality information and communications technology services to government in support of Australia’s security.

For more information, see IBM Cloud regional compliance programs.

ISO 27001, 27017, 27018

Hyper Protect Crypto Services is ISO 27001, 27017, 27018 certified. You can view compliance certifications by visiting IBM Cloud global compliance programs.

SOC 2 Type 1

Hyper Protect Crypto Services is SOC 2 Type 1 certified. For more information about requesting an IBM Cloud SOC 2 report, see IBM Cloud global compliance programs.