IBM offers quantum-safe cryptography support for key management and app transactions in the cloud

IBM announced a series of cloud services and technologies designed to help clients maintain the highest available level of cryptographic key encryption protection to help protect existing data in the cloud and prepare for future threats that could evolve with advances in quantum computing.

IBM quantum-safe cryptography support

Building on work by IBM Research scientists, IBM now offers quantum-safe cryptography support for key management and application transactions in IBM Cloud, which the company describes as the industry’s most holistic quantum-safe approach to securing data available today.

The new capabilities include:

  • Quantum-safe cryptography support: using open standards and open-source technology, this service adds a quantum-safe algorithm to the TLS connections that carry data between the enterprise and IBM Cloud.
  • Extended IBM Cloud Hyper Protect Crypto Services: new capabilities improve the privacy of data in cloud applications, both for data sent over the network to those applications and for sensitive data elements, such as credit card numbers, that can be encrypted at the application level before they are stored in a database. Both are backed by the industry’s highest level of cryptographic key protection through the ‘Keep Your Own Key’ (KYOK) capability.

“As our reliance on data grows in the era of hybrid cloud and quantum computing capabilities advance, the need for data privacy is becoming even more critical. IBM now offers the most holistic quantum-safe approach to securing data available today, to help enterprises protect existing data and help protect against future threats,” said Hillery Hunter, Vice President and Chief Technology Officer, IBM Cloud.

“Security and compliance remain front and center for IBM Cloud as we continue to invest in confidential computing and our leading encryption capabilities to help enterprises of all kinds – especially those in highly regulated industries – keep data secured.”

Preparing for future threats with quantum-safe cryptography support

While quantum computing aims to solve complex problems that even the world’s most powerful supercomputers cannot, a future fault-tolerant quantum computer could also break the public-key algorithms that protect data today and so expose sensitive information.

To mitigate these risks, IBM has set out a strategic agenda to protect the long-term security of its platforms and services. This agenda includes the research, development and standardization of core quantum-safe algorithms as open-source work, such as the CRYSTALS algorithm suite and the Open Quantum Safe project.

It also includes the governance, tools and technology to support our clients as they start on the same journey to a more secure future.

Today, as the next step in that agenda, IBM is bringing its industry-leading encryption capabilities built by IBM Research cryptographers to help clients with a quantum-safe cryptography approach for their data-in-transit within IBM Cloud.

The capabilities are designed to help enterprises prepare for future threats, in particular “harvest now, decrypt later” attacks, in which an adversary records encrypted traffic today with the intent of decrypting it once quantum computing advances. Because a recorded TLS session can be attacked long after it has ended, data in transit is the first place where a quantum-safe key exchange pays off.

IBM Key Protect, a cloud-based service that manages the lifecycle of encryption keys used by IBM Cloud services or client-built applications, can now be reached over a quantum-safe-enabled Transport Layer Security (TLS) connection, protecting key material and key-management requests in transit.

IBM Cloud is also introducing quantum-safe cryptography support for application transactions: when cloud-native containerized applications run on Red Hat OpenShift on IBM Cloud or IBM Cloud Kubernetes Service, their TLS connections can use quantum-safe cryptography to protect transaction data in transit.

Protecting sensitive data with IBM Cloud Hyper Protect Crypto Services

Enterprises also need to mitigate risks from external and internal threats, as well as to address regulatory compliance.

IBM Cloud is also delivering new capabilities to help secure application transactions and sensitive data using IBM Cloud Hyper Protect Crypto Services, which offer the industry’s highest level of cryptographic key encryption protection by providing customers with ‘Keep Your Own Key’ (KYOK) capability.

Built on FIPS 140-2 Level 4-certified hardware, the highest certification level for cryptographic modules offered by any cloud provider, this gives clients exclusive control of their keys and therefore authority over the data and workloads those keys protect.

Designed for application transactions that call for more advanced cryptography, this lets IBM Cloud clients keep their TLS private keys inside the cloud hardware security module and offload TLS termination to IBM Cloud Hyper Protect Crypto Services, so the web server establishes its secure connection without ever holding the private key itself.

They can also encrypt sensitive data, such as a credit card number, at the application level before it is written to a database.
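As an added example (not IBM’s code, nor any IBM Cloud SDK), the following Go program shows the envelope-encryption pattern behind the Key Protect key-lifecycle passage above and the application-level encryption of a card number described here: a root key held by a key-management service wraps a per-record data key, and the application encrypts the card number under that data key before the row is written. The RootKeyStore type, its Wrap/Unwrap/Revoke methods, the key ID and the sample card number are assumptions standing in for a real KMS and real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the database row: the card number only as AES-GCM ciphertext under a
// per-record data encryption key (DEK), plus that DEK wrapped by a root key.
type Record struct {
	CustomerID string
	KeyID      string // root key that wrapped the DEK (needed for key rotation)
	WrappedDEK []byte // nonce || AES-GCM(rootKey, DEK, aad=KeyID)
	CardEnc    []byte // nonce || AES-GCM(DEK, card, aad=CustomerID)
}

// RootKeyStore stands in for a KMS. Assumption: in production Wrap/Unwrap are KMS
// API calls and the root key never leaves its HSM; Revoke models the owner disabling it.
type RootKeyStore map[string][]byte

func (s RootKeyStore) Revoke(keyID string) { delete(s, keyID) }

func (s RootKeyStore) Wrap(keyID string, dek []byte) ([]byte, error) {
	if rk, ok := s[keyID]; ok {
		return gcmSeal(rk, dek, []byte(keyID)), nil // aad binds the blob to its root key ID
	}
	return nil, fmt.Errorf("root key %q unavailable", keyID)
}

func (s RootKeyStore) Unwrap(keyID string, wrapped []byte) ([]byte, error) {
	if rk, ok := s[keyID]; ok {
		return gcmOpen(rk, wrapped, []byte(keyID))
	}
	return nil, fmt.Errorf("root key %q unavailable", keyID)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG has no safe fallback for key material
	}
	return b
}

func newGCM(key []byte) cipher.AEAD { // panics on a wrong key length: a programming error
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// gcmSeal returns nonce || ciphertext || tag with a fresh random 96-bit nonce.
func gcmSeal(key, plaintext, aad []byte) []byte {
	aead := newGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen fails on a modified ciphertext, a wrong key, or a mismatched aad.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead := newGCM(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// EncryptCard: fresh DEK per record, wrapped under the root key; the customer ID
// is bound as associated data so the ciphertext cannot be moved to another row.
func EncryptCard(kms RootKeyStore, keyID, customerID, card string) (Record, error) {
	dek := randomBytes(32)
	wrapped, err := kms.Wrap(keyID, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{customerID, keyID, wrapped, gcmSeal(dek, []byte(card), []byte(customerID))}, nil
}

// DecryptCard unwraps the DEK through the KMS, then opens the card ciphertext.
func DecryptCard(kms RootKeyStore, r Record) (string, error) {
	dek, err := kms.Unwrap(r.KeyID, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := gcmOpen(dek, r.CardEnc, []byte(r.CustomerID))
	return string(pt), err
}

func main() {
	kms := RootKeyStore{"root-1": randomBytes(32)} // one AES-256 root key (assumed ID)
	// Constructed sample input: the standard 4111... test card number, not real data.
	rec, err := EncryptCard(kms, "root-1", "cust-42", "4111111111111111")
	fmt.Printf("stored row: %+v (err=%v)\n", rec, err)
}
```

Two properties are worth checking against the text: the database only ever sees ciphertext plus a wrapped data key, so a database dump alone yields nothing, and the record carries the root key ID, so the key owner can rotate by re-wrapping data keys without re-encrypting the card data, or disable the root key and make every record unrecoverable at once, which is the practical meaning of exclusive key control. The associated data also ties each ciphertext to its customer row, so a ciphertext copied onto another row fails to decrypt rather than silently revealing a different customer's card.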

Addressing the security demands of clients and highly regulated industries

IBM has been investing in confidential computing technologies for over a decade and delivers production-ready confidential computing to help clients protect data, applications and processes.

Furthering its commitment to security and compliance, IBM continues to collaborate with its industry peers on standardization initiatives. For example, security best practices on IBM Cloud are now available as a Center for Internet Security (CIS) Foundations Benchmark for IBM Cloud, and IBM Research cryptographers are key contributors to the quantum-safe cryptography (QSC) algorithms shortlisted in the National Institute of Standards and Technology (NIST) post-quantum cryptography standardization process.

Sysdig Secure integrates with IBM Cloud to provide end-to-end monitoring and security capabilities

Sysdig announced the global availability of Sysdig Secure embedded within IBM Cloud. IBM Cloud Monitoring with Sysdig, which uses Sysdig Monitor, is already the default monitoring solution used by IBM and offered to IBM Cloud customers when onboarding.

With this addition of Sysdig Secure, the Sysdig Secure DevOps Platform is tightly integrated with IBM Cloud to provide customers end-to-end monitoring and security capabilities.

The expansion of Sysdig Secure in IBM Cloud builds on the container, Kubernetes, and cloud monitoring capabilities of IBM Cloud Monitoring with Sysdig. Sysdig Secure adds image scanning, runtime security, compliance, incident response, and forensics.

Now, when operating in IBM Cloud, DevOps, cloud, and security teams can secure the build pipeline, detect and respond to runtime threats, and validate compliance using Sysdig Secure.

The Sysdig Secure DevOps Platform, which includes Sysdig Secure and Sysdig Monitor, closes the security and visibility gap for containers and Kubernetes.

With Sysdig, cloud teams can embed security, validate compliance, and scale monitoring to manage security risk and improve application availability. Granular data enriched with cloud and Kubernetes context gives teams the visibility they need to confidently run applications in production.

“Since announcing the IBM Cloud Monitoring with Sysdig initiative in 2018, we have gone through extensive testing with IBM and proved our ability to deliver security, compliance, and monitoring at scale,” said Knox Anderson, vice president of product at Sysdig.

“We deliver IBM Cloud Monitoring in six regions globally and adding Sysdig Secure to those regions will enable our joint customers to embed security, compliance, and performance into their DevOps workflow in just a few clicks.”

New capabilities added to IBM Cloud Monitoring with Sysdig

  • Image scanning: Automate scanning within CI/CD pipelines and registries and implement registry scanning inline. Block vulnerabilities pre-production and monitor for new CVEs at runtime. Map a critical vulnerability back to an application and development team.
  • Runtime security: Protects containers, Kubernetes, hosts, and IBM infrastructure with out-of-the-box policies based on the open-source Falco project. Automatically trigger response actions and notify the right teams immediately.
  • Compliance: Ensure regulatory compliance standards are met, such as PCI DSS, GDPR and NIST SP 800-190, with compliance checks and file integrity monitoring (FIM). Continuously validate cloud compliance for environments built on containers and Kubernetes across the entire application lifecycle.
  • Incident response and forensics: Conduct forensics and incident response for containers and Kubernetes to understand security breaches, meet compliance requirements, and recover quickly. Sysdig provides a single source of truth for all activity in the container ecosystem before, during, and after an incident.

The challenge of securing containers and Kubernetes

Containers are opaque by default: their internal activity is hidden, making it hard to gain the visibility required to manage security risk. They are normally deployed as microservices, numbering in the tens of thousands, which connect dynamically to form applications.

Managing this complex environment requires visibility into container activity, context to understand how the microservices interact, and a detailed audit record for investigating incidents and alerts.

The Sysdig platform provides granular visibility enriched with Kubernetes and cloud context, along with a detailed audit trail, that allows teams to confidently run applications in production.

Thought Machine Vault now runs on Google Cloud, AWS, Microsoft Azure and IBM Cloud

Thought Machine, the cloud native core banking technology firm, has announced that its core banking platform Vault now runs on every major cloud infrastructure provider including Google Cloud Platform, Amazon Web Services, Microsoft Azure and IBM Cloud.

In addition, Vault can be deployed on the bank’s choice of cloud provider, on premises, in a hybrid cloud using Red Hat OpenShift, or as a SaaS product.

Thought Machine’s expanded compatibility enables banks to migrate with the freedom to pick the cloud infrastructure partner of their choice – while adhering to any regulatory and legal requirements they might have in place.

As a cloud agnostic business, Thought Machine continues to expand its list of compatible cloud providers. Vault initially rolled out on GCP and AWS before progressing to run on the four leading cloud hosting providers, enabling far greater flexibility than peers in core banking and financial services technology.

The new SaaS offering brings further flexibility for banks wishing to operate an instance of Vault for their institution without the overhead of software management and updates. This Thought Machine-managed service is now available on AWS, with further provider compatibility planned for 2020.

Vault works with financial institutions and technology companies across the spectrum – from tier one global banks, to smaller regional banks, greenfield offerings as well as fintech players who offer banking capabilities to their customers. All of these firms can now deploy Vault in the way that is most suitable for their needs.

Paul Taylor, Chief Executive Officer and Founder of Thought Machine, comments: “At Thought Machine, the benefits of being cloud agnostic are crystal clear. Banks, fintechs and financial institutions have differing needs, and different relationships with the cloud.

“We don’t want to influence those choices, or those relationships, and are proud to announce we can deliver Vault wherever, and whenever, a business needs. By delivering Vault as a Software-as-a-service product, banks no longer need to concern themselves with the implementation, regulatory and logistical obligations of bringing software in-house.

“Vault SaaS is now available with the same high level of security and resilience as our deployed version, without the infrastructural management overheads.”

Study on public cloud performance: AWS, GCP, Azure, Alibaba and IBM Cloud

There are notable network performance and connectivity differences between the five major public cloud providers – Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Alibaba Cloud and IBM Cloud, ThousandEyes reveals.

A look at public cloud performance

While Google Cloud and Azure rely heavily on their private backbone networks to transport their customer traffic, protecting it from performance variations associated with delivering over the public Internet, AWS and Alibaba Cloud rely heavily on … More

The post Study on public cloud performance: AWS, GCP, Azure, Alibaba and IBM Cloud appeared first on Help Net Security.