Understanding your responsibilities with using Key Protect

Learn about the management responsibilities and terms and conditions that you have when you use IBM® Key Protect for IBM Cloud®.

For a high-level view of the service types in IBM Cloud and the breakdown of responsibilities between the customer and IBM for each type, see Shared responsibilities for IBM Cloud offerings.

Review the following sections for the specific responsibilities for you and for IBM when you use IBM Key Protect. For the overall terms of use, see IBM Cloud Terms and Notices.

Incident and operations management

You and IBM share responsibilities for the setup and maintenance of your IBM Key Protect instance for your application workloads.

You are responsible for incident and operations management of your application data.

Table 1. Responsibilities for incident and operations
| Task | IBM Responsibilities | Your Responsibilities |
| --- | --- | --- |
| Availability | Provide high availability capabilities, such as IBM-owned infrastructure in multizone regions, to meet local access and low latency requirements for each supported region. | Use the list of available regions to plan for and create new instances of the service. |
| Monitoring | Provide integration with select third-party partnership technologies, such as IBM Cloud® Activity Tracker. | Use the provided tools to review instance logs and activities. |
| Incidents | Provide notifications for planned maintenance, security bulletins, or unplanned outages. | Set preferences to receive emails about platform notifications, and monitor the IBM Cloud status page for general announcements. |

Change management

You and IBM share responsibilities for keeping IBM Key Protect service components at the latest version.

You are responsible for change management of your application data.

Table 2. Responsibilities for change management
| Task | IBM Responsibilities | Your Responsibilities |
| --- | --- | --- |
| Applications | Provide major, minor, and patch version updates for Key Protect interfaces. | Use the API, CLI, or console tools to apply the provided updates, including version updates, new features, and security patches. |

Identity and access management

You and IBM share responsibilities for controlling access to your IBM Key Protect instances and resources.

You are responsible for identity and access management for your application data.

Table 3. Responsibilities for identity and access management
| Task | IBM Responsibilities | Your Responsibilities |
| --- | --- | --- |
| Applications | Provide the ability to restrict access to resources. | Depending on your needs, restrict access to resources and service functionality by using Cloud IAM access policies. For more information, see Managing user access. |

Security and regulation compliance

IBM is responsible for the security and compliance of IBM Key Protect.

You are responsible for the security and compliance of your application data.

Table 4. Responsibilities for security and regulation compliance
| Task | IBM Responsibilities | Your Responsibilities |
| --- | --- | --- |
| Applications | Maintain controls that are commensurate to various industry compliance standards, such as SOC and ISO. | Set up and maintain security and regulation compliance for your apps and data. For example, you can enable extra security settings to meet your compliance needs by choosing how and when to import, wrap, rotate, rewrap, and delete keys. |

Disaster recovery

IBM is responsible for the recovery of IBM Key Protect components in case of disaster.

You are responsible for the recovery of the workloads that run Key Protect and your application data.

Table 5. Responsibilities for disaster recovery
| Task | IBM Responsibilities | Your Responsibilities |
| --- | --- | --- |
| Applications | Continuously back up keys in the region that the service operates in, and automatically recover and restart service components after any disaster event. | None. IBM and Key Protect are fully responsible for managing disaster recovery. |
| Virtual Private Endpoints (VPE) | VPE does not support automatically switching to backup during failover at this time. | VPE settings, specifically the Internet Protocol (IP) address, need to be manually updated during disaster recovery procedures. |
| Private Endpoint (PE) | PE will not support allowed IP settings during disaster recovery at this time, but an announcement on this topic will be made soon. | PE settings, specifically the Internet Protocol (IP) address, need to be manually updated during disaster recovery procedures. |