Configuring Cloud Object Storage

IBM Cloud Object Storage provides storage for projects, catalogs, and deployment spaces. You are required to associate an IBM Cloud Object Storage instance when you create projects, catalogs, or deployment spaces to store files for assets, such as uploaded data files or notebook files. The Standard plan has a choice of storage classes, including a Free Tier, which allows 5 GB of usage for 12 months.

You can also access data sources in an IBM Cloud Object Storage instance. To access data IBM Cloud Object Storage, you create an IBM Cloud Object Storage connection when you want to connect to data stored in IBM Cloud Object Storage. An IBM Cloud Object Storage connection has a different purpose from the IBM Cloud Object Storage instance that you associate with a project, deployment space, or catalog.

The IBM Cloud Identity and Access Management (IAM) service securely authenticates users and controls access to IBM Cloud Object Storage. See IBM Cloud docs: Getting started with IAM for instructions on setting up access control for Cloud Object Storage on IBM Cloud.

See IBM Cloud docs: Getting started with IBM Cloud Object Storage

Controlling access with service credentials

Cloud Object Storage credentials consist of a service credential and a Service ID. Policies are assigned to Service IDs to control access. The credentials are used to create a secure connection to the Cloud Object Storage instance, with access control as determined by the policy.

For more information, see Controlling access to Cloud Object Storage buckets

Encrypting at rest data

By default, at rest data is encrypted with randomly generated keys that are managed by IBM. If the default keys are sufficient protection for your data, no additional action is needed. To provide extra protection for at rest data, you can create and manage your own keys with IBM® Key Protect for IBM Cloud™. Key Protect is a full-service encryption solution that allows data to be secured and stored in IBM Cloud Object Storage.

To encrypt your Cloud Object Storage instance with your own key, create an instance of the IBM Key Project service from the IBM Cloud catalog. Not all watsonx.ai Studio plans support customer-generated encryption keys.

• For instructions on encrypting your Cloud Object Storage instance with your own key, see Setting up IBM Cloud Object Storage for use with IBM watsonx
• For an overview of how to encrypt data with your own keys, see IBM Cloud docs: Encrypting data with your own keys
• For the complete documentation for Key Protect, see IBM Cloud docs: IBM Key Protect
• For an overview of how encryption works in the IBM Cloud Security Architecture, see Data security architecture

Encrypting in motion data

Data is encrypted when transmitted by IBM on any public networks and within the Cloud Service's private data center network. Encryption methods such as HTTPS, SSL, and TLS are used to protect data in motion.

Backups

To avoid loss of important data, create and properly store backups. You can use IBM Cloud Backup to securely back up your data between IBM Cloud servers in one or more IBM Cloud data centers. See IBM Cloud docs: Getting started with IBM Cloud Backup

Learn More For more information, see IBM Cloud docs: Getting started with Security and Compliance Center.

Parent topic: Security