Data security

Data security protects valuable and sensitive customer and corporate data, both in transit and at rest. Cloud Pak for Data as a Service requires an IBM Cloud Object Storage instance to store assets from projects, catalogs, and deployment spaces. Cloud Object Storage is integrated into the IBM Cloud Security and Compliance Center with ensured data protection. For more information, see IBM Cloud docs: Getting started with Security and Compliance Center. In addition, you can connect to many types of data sources in Cloud Pak for Data as a Service and the connections are secured by user credentials.

| Constraint | Purpose | Responsibility | Configured on |
| --- | --- | --- | --- |
| Configuring Cloud Object Storage | IBM Cloud Object Storage is required to store assets | Customer | IBM Cloud |
| Controlling access with service credentials | Authorize a Cloud Object Storage instance for a specific project | Customer | IBM Cloud and Cloud Pak for Data as a Service |
| Controlling access with storage delegation | Delegate access to collaborators | Customer | Cloud Pak for Data as a Service |
| Encrypting data at rest | Default encryption is provided. Use IBM Key Protect to manage your own keys. | Shared | IBM Cloud |
| Encrypting data in motion | Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion. | IBM, Third-party clouds | IBM Cloud, Cloud providers |
| Masking data with data protection rules | Protect and mask sensitive data with data protection rules. | Customer | Cloud Pak for Data as a Service |
| Backups | Use IBM Cloud Backup to manage backups for your data. | Shared | IBM Cloud |

Configuring Cloud Object Storage

IBM Cloud Object Storage provides storage for projects, catalogs, and deployment spaces. You are required to associate an IBM Cloud Object Storage instance when you create projects, catalogs, or deployment spaces to store files for assets, such as uploaded data files or notebook files.

You can also access data sources in an IBM Cloud Object Storage instance. To do so, you create an IBM Cloud Object Storage connection to the data stored in that instance. An IBM Cloud Object Storage connection has a different purpose from the IBM Cloud Object Storage instance that you associate with a project, deployment space, or catalog.

The IBM Cloud Identity and Access Management (IAM) service securely authenticates users and controls access to IBM Cloud Object Storage. See IBM Cloud docs: Getting started with IAM for instructions on setting up access control for Cloud Object Storage on IBM Cloud.

See IBM Cloud docs: Getting started with IBM Cloud Object Storage.

Controlling access with service credentials

Cloud Object Storage credentials consist of a service credential and a Service ID. Policies are assigned to Service IDs to control access. The credentials are used to create a secure connection to the Cloud Object Storage instance, with access control as determined by the policy.

For more information, see Controlling access to Cloud Object Storage buckets.
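Because a Service ID carries whatever policies are attached to it, the practical control point is how narrowly those policies are scoped. The following added example (not IBM's code) builds a bucket-scoped policy for a Service ID and audits a set of policies for ones that exceed a chosen maximum role or that are scoped to a whole service or instance rather than a single bucket. It assumes the IAM Policy Management v1 policy shape shown in the code (subjects, roles and resource attributes); the account ID, instance GUID, Service ID and bucket names are constructed placeholders.

```python
"""Audit IAM access policies attached to a Cloud Object Storage Service ID.

Added example, not IBM's code. The policy layout below follows the IAM
Policy Management v1 shape as understood by the author (an assumption);
all identifiers are constructed placeholders.
"""
import json

# CRNs of the three Cloud Object Storage service roles, least to most powerful.
ROLE_READER = "crn:v1:bluemix:public:iam::::serviceRole:Reader"
ROLE_WRITER = "crn:v1:bluemix:public:iam::::serviceRole:Writer"
ROLE_MANAGER = "crn:v1:bluemix:public:iam::::serviceRole:Manager"
ROLE_RANK = {ROLE_READER: 0, ROLE_WRITER: 1, ROLE_MANAGER: 2}

# Constructed placeholder identifiers.
ACCOUNT_ID = "acct-placeholder-0000"
INSTANCE_GUID = "cos-instance-guid-placeholder"
SERVICE_ID = "iam-ServiceId-placeholder-0000"


def role_name(role_crn):
    """'crn:...:serviceRole:Reader' -> 'Reader'."""
    return role_crn.rsplit(":", 1)[1]


def bucket_policy(service_id_iam_id, account_id, instance_guid, bucket, role_crn):
    """Build a policy granting ONE role on ONE bucket to ONE Service ID."""
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": service_id_iam_id}]}],
        "roles": [{"role_id": role_crn}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": "cloud-object-storage"},
            {"name": "serviceInstance", "value": instance_guid},
            {"name": "resourceType", "value": "bucket"},
            {"name": "resource", "value": bucket},
        ]}],
    }


def _attrs(resource):
    """Flatten a resource's attribute list into a name -> value dict."""
    return {a["name"]: a["value"] for a in resource.get("attributes", [])}


def audit_policy(policy, max_role=ROLE_WRITER):
    """Return a list of findings for one policy; an empty list means it passes."""
    findings = []
    for role in policy.get("roles", []):
        rank = ROLE_RANK.get(role["role_id"])
        if rank is None:
            findings.append(f"unknown role {role['role_id']}")
        elif rank > ROLE_RANK[max_role]:
            findings.append(f"role {role_name(role['role_id'])} exceeds {role_name(max_role)}")
    for resource in policy.get("resources", []):
        attrs = _attrs(resource)
        if attrs.get("serviceName") != "cloud-object-storage":
            findings.append("policy is not scoped to cloud-object-storage")
            continue
        if "serviceInstance" not in attrs:
            findings.append("policy is not scoped to a single instance")
        if attrs.get("resourceType") != "bucket" or "resource" not in attrs:
            findings.append("policy is not scoped to a single bucket")
    return findings


def audit_policies(policies, max_role=ROLE_WRITER):
    """Audit many policies; return {policy_id: findings} for failing ones only."""
    report = {}
    for policy in policies:
        findings = audit_policy(policy, max_role)
        if findings:
            report[policy["id"]] = findings
    return report


# Constructed sample: one least-privilege policy and two over-broad ones.
SAMPLE_POLICIES = [
    dict(id="policy-1", **bucket_policy(SERVICE_ID, ACCOUNT_ID, INSTANCE_GUID,
                                        "cpd-project-assets", ROLE_READER)),
    {   # Manager on the whole instance: every bucket, full control.
        "id": "policy-2", "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": SERVICE_ID}]}],
        "roles": [{"role_id": ROLE_MANAGER}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": ACCOUNT_ID},
            {"name": "serviceName", "value": "cloud-object-storage"},
            {"name": "serviceInstance", "value": INSTANCE_GUID},
        ]}],
    },
    {   # Writer on every Cloud Object Storage instance in the account.
        "id": "policy-3", "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": SERVICE_ID}]}],
        "roles": [{"role_id": ROLE_WRITER}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": ACCOUNT_ID},
            {"name": "serviceName", "value": "cloud-object-storage"},
        ]}],
    },
]


def run_audit():
    """Audit the constructed sample with Writer as the maximum allowed role."""
    return audit_policies(SAMPLE_POLICIES, max_role=ROLE_WRITER)


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

The audit treats the bucket as the unit of scope: a policy that names only the service or the instance grants the Service ID access to every bucket under it, which is rarely what a single project needs. Run the check against the policies exported for each Service ID whenever credentials are created or rotated.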

Controlling access with storage delegation

Storage delegation is an extra security step to allow access to the Cloud Object Storage instance. By default, access to an IBM Cloud Object Storage instance is limited to the owner or administrator. As the owner or administrator of a Cloud Object Storage instance, you can delegate access to allow all users in your account to create projects and catalogs with it. If you do not enable storage delegation, only account owners and administrators are allowed access to the Cloud Object Storage instance and can successfully work with projects and catalogs. This configuration does not affect user roles on the Cloud Object Storage instance in IBM Cloud.

Projects and catalogs in Cloud Pak for Data as a Service require an IBM Cloud Object Storage instance for storage. You need to provision only one instance and then generate the administrative key. The administrative key is automatically generated and stored when the first project is created.

See Setting up IBM Cloud Object Storage for use with Cloud Pak for Data as a Service.

See Setting up Cloud Pak for Data as a Service for your organization for an overview of all the steps for setting up Cloud Pak for Data as a Service including storage delegation.

Encrypting data at rest

By default, data at rest is encrypted with randomly generated keys that are managed by IBM. If the default keys are sufficient protection for your data, no additional action is needed. To provide extra protection for data at rest, you can create and manage your own keys with IBM® Key Protect for IBM Cloud™. Key Protect is a full-service encryption solution that allows data to be secured and stored in IBM Cloud Object Storage.

To encrypt your Cloud Object Storage instance with your own key, create an instance of the IBM Key Protect service from the IBM Cloud catalog. Not all Watson Studio and Watson Knowledge Catalog plans support customer-generated encryption keys.

Encrypting data in motion

Data is encrypted when transmitted by IBM on any public networks and within the Cloud Service’s private data center network. Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion.

Data protection rules

You can mask sensitive data by using data protection rules. See the following topics:

Backups

To avoid loss of important data, create and properly store backups. You can use IBM Cloud Backup to securely back up your data between IBM Cloud servers in one or more IBM Cloud data centers. See IBM Cloud docs: Getting started with IBM Cloud Backup.