Data security and compliance
IBM® Key Protect for IBM Cloud® has data security strategies in place to meet your compliance needs and ensure that your data remains secure and protected in the cloud.
Secrets management
Secrets required for deployment are managed with automation using a HashiCorp Vault and are not stored in charts, GitHub, or deployment scripts.
Security readiness
Key Protect ensures security readiness by adhering to IBM best practices for systems, networking, and secure engineering.
To learn more about security controls across IBM Cloud, see How do I know that my data is safe?.
Data encryption
Key Protect uses IBM Cloud hardware security modules (HSMs) to generate provider-managed key material and perform envelope encryption operations. HSMs are tamper-resistant hardware devices that store and use cryptographic key material without exposing keys outside of a cryptographic boundary.
Access to Key Protect takes place over HTTPS and uses Transport Layer Security (TLS) to encrypt data in transit.
Note that only the following TLS 1.2 and TLS 1.3 ciphers are supported:
- TLS 1.2:
ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-GCM-SHA384ECDHE-RSA-AES128-GCM-SHA256ECDHE-RSA-AES256-GCM-SHA384ECDHE-ECDSA-AES128-SHA256ECDHE-ECDSA-AES256-SHA384ECDHE-RSA-AES128-SHA256ECDHE-RSA-AES256-SHA384
- TLS 1.3:
TLS_AES_256_GCM_SHA384TLS_AES_128_GCM_SHA256TLS_CHACHA20_POLY1305_SHA256
If you attempt to use a cipher that is not on this list, you may experience connectivity issues. Update your client to use one of the supported ciphers. If you are using openssl, you can use the command openssl ciphers -v at the command line (or, for some installations of openssl, use the -s -v options) to show a verbose list of what ciphers your client supports.
Data deletion
When you delete a key, the service marks the key as deleted, and the key transitions to the Destroyed state. Keys in this state can no longer decrypt data that is associated with the key. Therefore, before you delete a key, review the data that is associated with the key and ensure that you no longer require access to it. Do not delete a key that is actively protecting data in your production environments.
If a key is deleted in error, it is possible to restore the key within 30 days of the key being deleted. After 30 days, the key can no longer be restored. For more information, check out Restoring keys.
Note that even if the key is not restored, your data remains in those services in its encrypted form. Metadata that is associated with a key, such as the key's transition history and name, is kept in the Key Protect database.
To help you determine what data is protected by a key, you can use Key Protect APIs to view associations between a key and your cloud resources.
Account cancelation and data deletion
Although instances that have non-deleted keys in them cannot be deleted, it is possible to close an IBM Cloud account without first deleting all Key Protect instances. If an account is closed and instances and keys belonging to it still exist, the instances and keys are permanently hard deleted.
For more information about closing an account, check out Closing an account.
Compliance readiness
Key Protect meets controls for global, industry, and regional compliance standards, including GDPR, HIPAA, and ISO 27001/27017/27018, and others.
For a complete listing of IBM Cloud compliance certifications, see Compliance on the IBM Cloud.
EU support
Key Protect has extra controls in place to protect your Key Protect resources in the European Union (EU).
If you use Key Protect resources in the Frankfurt, Germany region to process personal data for European citizens, you can enable the EU Supported setting for your IBM Cloud account. To find out more, see Enabling the EU Supported setting and Requesting support for resources in the European Union.
General Data Protection Regulation (GDPR)
The GDPR seeks to create a harmonized data protection law framework across the EU. The regulation aims to give citizens back the control of their personal data, and impose strict rules on any entity that hosts and processes that data.
IBM is committed to providing clients and IBM Business Partners with innovative data privacy, security, and governance solutions to assist them in their journey to GDPR readiness.
To ensure GDPR compliance for your Key Protect resources, enable the EU supported setting for your IBM Cloud account. You can learn more about how Key Protect processes and protects personal data by reviewing the following addendums.
HIPAA support
Key Protect does not process, store, transmit, or otherwise interface with personal health information (PHI). Therefore, the service can be integrated with any HIPAA offering without impact to its HIPAA readiness. As such, you can use Key Protect to generate and manage keys for HIPAA ready applications. Those keys are protected by the Key Protect trust anchor, which is backed by a hardware security module (HSM) that is tamper-resistant and FIPS-140-2 level 3 certified.
If you or your company is a covered entity as defined by HIPAA, you can enable the HIPAA Supported setting for your IBM Cloud account. To find out more, see Enabling the HIPAA Supported setting.
ISO 27001, 27017, 27018
Key Protect is ISO 27001, 27017, 27018 certified. You can view compliance certifications by visiting Compliance on the IBM Cloud.
Service Organization Controls (SOC)
Key Protect meets Service Organization Control (SOC) compliance for the following types:
- SOC 1 Type 2
- SOC 2 Type 1
- SOC 2 Type 2
- SOC 3
For information about requesting an IBM Cloud SOC report, see Compliance on the IBM Cloud.
PCI DSS
Key Protect meets controls for the Payment Card Industry (PCI) data security standards to protect cardholder data. For information about requesting an attestation of compliance, see Compliance on the IBM Cloud or contact an IBM representative.