Which data security service is best for me?
With IBM Cloud, you can choose from various secrets management and data protection offerings that help you to protect your sensitive data and centralize your secrets.
Use cases
The following table lists the different offerings that you can use with IBM Cloud to protect your data.
| Scenario | What to use |
|---|---|
| You need to create and manage encryption keys that are backed by FIPS 140-2 Level 3 or FIPS 140-3 Level 4 hardware. | Use Key Protect to generate and import encryption keys, either in a multi-tenant service on shared hardware (FIPS 140-2 Level 3 certified) or on dedicated hardware that has been submitted to NIST for FIPS 140-3 Level 4 certification. |
| As a DevOps team contributor, you need to create, lease, and manage API keys, credentials, database configurations, and other secrets for your services and applications. | With Secrets Manager, you can manage secrets of various types in a dedicated instance. |
| You need to generate, renew, and manage SSL/TLS certificates for your deployments. | Manage your SSL/TLS certificates and their private keys in a dedicated instance of Secrets Manager. |
What are key features for each data protection service?
As you plan your data protection strategy, the main difference between the services to consider is the level of data isolation that your workload requires.
For a higher level of security and control, your business might benefit from the data isolation that a single-tenant offering provides, such as Secrets Manager or Hyper Protect Crypto Services. You might also decide that the reduced cost and scalability benefits of a multi-tenant service, such as Key Protect, are better suited to your needs. The following table lists key features for each service.
| | Standard Key Protect | Secrets Manager | Dedicated Key Protect |
|---|---|---|---|
| Secret types | Symmetric encryption keys | Arbitrary secrets, IAM credentials, key-value secrets, SSL/TLS certificates, user credentials | Symmetric encryption keys |
| Multi-tenant[1] | Yes | | |
| Single-tenant[2] | | Yes | Yes |
| HSM backed[3] | Yes | | Yes |
| Runs in secure enclave[4] | | | |
| Client initialised and controlled HSM | | | |
Can these services work together?
Yes. For many use cases, you need more than one service to fully secure your data. For more information about the deployable architecture that covers security services, see What is cloud security?
How do I get started?
Each service offers either a Lite plan or a free trial that you can use to try its capabilities for free. Get started by creating an instance of the service from the IBM Cloud catalog.
1. A multi-tenant service uses a single instance of its software (and its underlying database and hardware) to serve multiple tenants.
2. A single-tenant service creates a dedicated instance of its software (and its underlying database and hardware) for each individual tenant.
3. A service that is backed by a hardware security module (HSM) uses tamper-resistant, FIPS-validated physical hardware as its root of trust for cryptographic storage and processing of encryption keys.
4. Mitigates both internal and external attack vectors that seek unauthorised access to keys.