In Cloud Pak for Data as a Service, data security mechanisms, such as encryption, protect sensitive customer and corporate data, both in transit and at rest. A secure , and other mechanisms protect your valuable corporate data. A secure IBM Cloud Object Storage instance stores data assets from projects, catalogs, and deployment spaces.
Mechanism | Purpose | Responsibility | Configured on |
---|---|---|---|
Configuring Cloud Object Storage | IBM Cloud Object Storage is required to store assets | Customer | IBM Cloud |
Controlling access with service credentials | Authorize a Cloud Object Storage instance for a specific project | Customer | IBM Cloud and Cloud Pak for Data as a Service |
Encrypting at rest data | Default encryption is provided. Use IBM Key Protect to manage your own keys. | Shared | IBM Cloud |
Encrypting in motion data | Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion. | IBM, Third-party clouds | IBM Cloud, Cloud providers |
Masking data with data protection rules | Protect and mask sensitive data with data protection rules. | Customer | Cloud Pak for Data as a Service |
Backups | Use IBM Cloud Backup to manage backups for your data. | Shared | IBM Cloud |
Configuring Cloud Object Storage
IBM Cloud Object Storage provides storage for projects, catalogs, and deployment spaces. You are required to associate an IBM Cloud Object Storage instance when you create projects, catalogs, or deployment spaces to store files for assets, such as uploaded data files or notebook files. The Lite plan instance is free to use for storage capacity up to 25 GB per month.
You can also access data sources in an IBM Cloud Object Storage instance. To access data IBM Cloud Object Storage, you create an IBM Cloud Object Storage connection when you want to connect to data stored in IBM Cloud Object Storage. An IBM Cloud Object Storage connection has a different purpose from the IBM Cloud Object Storage instance that you associate with a project, deployment space, or catalog.
The IBM Cloud Identity and Access Management (IAM) service securely authenticates users and controls access to IBM Cloud Object Storage. See IBM Cloud docs: Getting started with IAM for instructions on setting up access control for Cloud Object Storage on IBM Cloud.
See IBM Cloud docs: Getting started with IBM Cloud Object Storage
Controlling access with service credentials
Cloud Object Storage credentials consist of a service credential and a Service ID. Policies are assigned to Service IDs to control access. The credentials are used to create a secure connection to the Cloud Object Storage instance, with access control as determined by the policy.
For more information, see Controlling access to Cloud Object Storage buckets
Encrypting at rest data
By default, at rest data is encrypted with randomly generated keys that are managed by IBM. If the default keys are sufficient protection for your data, no additional action is needed. To provide extra protection for at rest data, you can create and manage your own keys with IBM® Key Protect for IBM Cloud™. Key Protect is a full-service encryption solution that allows data to be secured and stored in IBM Cloud Object Storage.
To encrypt your Cloud Object Storage instance with your own key, create an instance of the IBM Key Project service from the IBM Cloud catalog. Not all watsonx.ai Studio and IBM Knowledge Catalog plans support customer-generated encryption keys.
- For instructions on encrypting your Cloud Object Storage instance with your own key, see Setting up IBM Cloud Object Storage for use with Cloud Pak for Data as a Service
- For an overview of how to encrypt data with your own keys, see IBM Cloud docs: Encrypting data with your own keys
- For the complete documentation for Key Protect, see IBM Cloud docs: IBM Key Protect
- For an overview of how encryption works in the IBM Cloud Security Architecture, see Data security architecture
Encrypting in motion data
Data is encrypted when transmitted by IBM on any public networks and within the Cloud Service's private data center network. Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion.
Data protection rules
You can mask sensitive data by using data protection rules. See the following topics:
Backups
To avoid loss of important data, create and properly store backups. You can use IBM Cloud Backup to securely back up your data between IBM Cloud servers in one or more IBM Cloud data centers. See IBM Cloud docs: Getting started with IBM Cloud Backup
Learn More For more information, see IBM Cloud docs: Getting started with Security and Compliance Center.
Parent topic: Security