IBM Multi-Cloud Data Encryption takes a RAID-like approach, helping companies distribute encryption while centralizing its management, to protect sensitive data in a single cloud, across multiple clouds, and in hybrid environments. Its flexibility supports cloud IaaS scenarios and improves manageability.
IBM’s Multi-Cloud Data Encryption is FIPS 140-2 compliant and lets customers choose encryption agent types based on their workloads. IBM has introduced object store encryption, storing data in S3-based AWS storage. This makes data recovery easier and allows encrypted data to be migrated across different clouds under MDE management. MDE prevents unauthorized access via operating system privilege escalation, and supports temporary policy suspension with a kill switch. Audit logs can be re-reviewed in the event of a suspected breach attempt.
The installation and setup phase is lengthy, since there are usually a few machines to set up, which is standard for any on-premises solution. We like that MDE supports both Windows and Linux, including RHEL and CentOS 7. The setup documentation was easy to follow.
IBM’s Multi-Cloud Data Encryption allows for the encryption of data volumes, data stored in object stores, and specific files, each with its own policies. There is a tremendous amount of capability, all governed by centrally managed policies. After logging in, administrators see a clean, simple dashboard displaying recently triggered events. The account view shows roles and administrator types, allowing for separation of duties: employees are given only the access necessary to perform their specific job functions, and no single administrator can unilaterally make changes. This can be fully customized to require differing numbers of administrators for different actions before those changes are committed to the system.
Policy keys are top-level encryption keys used to wrap the data encryption keys stored on the data management side. They are generated, managed, and maintained internally, but can be exported for off-site key storage, which bolsters security by separating keys from data. Keys can be revoked, cryptographically erasing all associated data.
Processes, selectors, path sets, and datatypes are all fully customizable. Selectors are the specific users or groups that can be granted access. Path sets are where the data lives. Datatypes are the permissions assigned to the selectors. To create a policy, select a specific path and set its datatype and selectors according to how you want the system to respond to particular access attempts. If you try to access the disks without using the whitelisted application, the system will not grant you access.
This would be useful if your administrator account were compromised. With a whitelist policy on top of an encryption policy, there would be no way for any service account to threaten the overall ecosystem, even if it were compromised. As far as encryption goes, IBM’s MDE covers multiple types: file, object, and storage. You can encrypt whole volume disks or individual partitions. The encryption used (AES-256) is the most powerful commercially available encryption on the market today.
IBM offers SIEM integration and reporting, and can send unauthorized access attempts to an external SIEM such as QRadar or Splunk for real-time alerting and analysis. All customers need continual access to protected resources during and after various failure scenarios, and contingency plans must extend beyond server hardware and software. Critical data must remain accessible regardless of environmental circumstances, and a highly available MDE environment offers several benefits: application-level clustering eliminates single points of failure within the management console; available cluster members are automatically selected for new connection requests; database clustering is utilized; and a common database ensures all cluster nodes have access to up-to-date information.
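To make the policy model concrete (path sets, selectors, datatypes, and a process whitelist layered on top of the encryption policy so that a compromised account without the approved application still gets nothing), here is an added example of a default-deny policy evaluator that also emits denials as JSON audit events of the kind that would be forwarded to a SIEM. It is illustrative code written for this review, not IBM MDE's own code; the policy, user, process and path names are constructed assumptions.

```python
"""Constructed policy evaluator modelled on the path set / selector / datatype
structure described on this page. Not IBM MDE code; names are assumptions."""
import json
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    path_set: tuple                         # directory roots this policy governs
    selectors: frozenset                    # users or groups that may be granted access
    datatype: frozenset                     # permissions granted to those selectors
    allowed_apps: frozenset = frozenset()   # process whitelist; empty means any process


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    process: str
    path: str
    action: str


def _in_path_set(path_set, path):
    p = posixpath.normpath(path)
    for r in path_set:
        root = posixpath.normpath(r)
        prefix = root if root.endswith("/") else root + "/"
        if p == root or p.startswith(prefix):
            return True
    return False


def evaluate(policies, req):
    """Return (decision, reason). Paths outside every path set are denied; a governed
    path is allowed only when selector, datatype and process whitelist all match."""
    applicable = [p for p in policies if _in_path_set(p.path_set, req.path)]
    if not applicable:
        return "deny", "no policy covers this path"
    principals = {req.user} | set(req.groups)
    for pol in applicable:
        if not principals & pol.selectors:
            continue  # not a selector of this policy; try the next one
        if req.action not in pol.datatype:
            return "deny", f"{pol.name}: '{req.action}' not in datatype"
        if pol.allowed_apps and req.process not in pol.allowed_apps:
            return "deny", f"{pol.name}: process '{req.process}' is not whitelisted"
        return "allow", f"{pol.name}: selector, datatype and process matched"
    return "deny", "requester is not a selector of any applicable policy"


def audit_event(req, decision, reason):
    """One JSON line per decision, suitable for a syslog/SIEM forwarder."""
    return json.dumps({
        "event": "unauthorized_access" if decision == "deny" else "access_granted",
        "user": req.user, "process": req.process, "path": req.path,
        "action": req.action, "reason": reason}, sort_keys=True)


# Constructed sample policy: only the backup agent, run by listed selectors, may read.
FINANCE = Policy(
    name="finance-encrypted-volume",
    path_set=("/data/finance",),
    selectors=frozenset({"svc_backup", "finance"}),
    datatype=frozenset({"read"}),
    allowed_apps=frozenset({"/opt/backup/agent"}))

SAMPLE_REQUESTS = [  # constructed requests exercising each branch
    AccessRequest("svc_backup", frozenset(), "/opt/backup/agent", "/data/finance/q3.csv", "read"),
    AccessRequest("svc_backup", frozenset(), "/bin/cat", "/data/finance/q3.csv", "read"),
    AccessRequest("root", frozenset({"wheel"}), "/bin/cat", "/data/finance/q3.csv", "read"),
    AccessRequest("alice", frozenset({"finance"}), "/opt/backup/agent", "/data/finance/q3.csv", "write"),
    AccessRequest("alice", frozenset({"finance"}), "/bin/cat", "/tmp/scratch", "read"),
]


def run(policies=(FINANCE,), requests=SAMPLE_REQUESTS):
    """Evaluate each request; return the decisions and the denial events to ship."""
    decisions, events = [], []
    for req in requests:
        decision, reason = evaluate(policies, req)
        decisions.append(decision)
        if decision == "deny":
            events.append(audit_event(req, decision, reason))
    return decisions, events


if __name__ == "__main__":
    decisions, events = run()
    print(decisions)
    print("\n".join(events))
```

The third request is the scenario the review describes: a root account, even with full operating system privileges, is not a selector and is not running the whitelisted application, so the policy layer denies it and the denial is logged rather than silently dropped.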
Most of the products out there come from legacy software or an on-premises solution adapted for the cloud. MDE was born in the cloud with the idea that customers could have complete control over where they want things to be. Object store encryption gives the advantage of low-cost cloud storage without compromising security. Data is split, so to decrypt it an attacker would need to break into both Amazon and Azure and also gain access to the corresponding encryption keys.
MDE offers the ability to deploy object store gateways that, under access policies, encrypt data before it is sent to object store repositories such as AWS S3, Azure, or IBM Cloud Object Store. Customers need not rely on a single cloud object store and can move between cloud service providers at their leisure, without it being a drawn-out and difficult process.
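The key hierarchy (policy keys wrapping per-object data encryption keys, with revocation as cryptographic erasure) and the split object storage described above fit together into one small model. The following is an added example written for this review, not IBM MDE's code: a toy authenticated stream cipher built from HMAC-SHA256 stands in for AES-256, two in-memory dicts stand in for the AWS and Azure object stores, and the gateway class, key identifiers and sample object are all constructed assumptions.

```python
"""Constructed illustration of the key hierarchy and split object storage
described on this page. Not IBM MDE code: the toy stream cipher (HMAC-SHA256
keystream plus HMAC tag) stands in for AES-256, and the two dicts stand in
for the AWS and Azure object stores."""
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and authentication keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag makes a wrong key detectable."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))


class KeyManager:
    """Holds the top-level policy keys. Per-object DEKs are wrapped under a
    policy key and stored beside the data; the policy key itself stays here."""

    def __init__(self):
        self._policy_keys = {}

    def create_policy_key(self, key_id: str) -> str:
        self._policy_keys[key_id] = os.urandom(32)
        return key_id

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        return encrypt(self._policy_keys[key_id], dek)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self._policy_keys:
            raise KeyError(f"policy key {key_id!r} revoked: data is cryptographically erased")
        return decrypt(self._policy_keys[key_id], wrapped)

    def export(self, key_id: str) -> bytes:
        # Off-site copy of the policy key, kept apart from the data it protects.
        return self._policy_keys[key_id]

    def revoke(self, key_id: str) -> None:
        # Crypto-erase: every DEK wrapped under this key becomes unrecoverable.
        self._policy_keys.pop(key_id, None)


class ObjectStoreGateway:
    """Encrypts each object under its own DEK, then splits the ciphertext into
    two XOR shares held by different providers; either share alone is random."""

    def __init__(self, km: KeyManager, key_id: str):
        self.km, self.key_id = km, key_id
        self.stores = {"aws-s3": {}, "azure-blob": {}}  # constructed stand-ins
        self.wrapped_deks = {}

    def put(self, name: str, plaintext: bytes) -> None:
        dek = os.urandom(32)
        ct = encrypt(dek, plaintext)
        share_a = os.urandom(len(ct))
        self.stores["aws-s3"][name] = share_a
        self.stores["azure-blob"][name] = _xor(ct, share_a)
        self.wrapped_deks[name] = self.km.wrap(self.key_id, dek)

    def get(self, name: str) -> bytes:
        dek = self.km.unwrap(self.key_id, self.wrapped_deks[name])
        ct = _xor(self.stores["aws-s3"][name], self.stores["azure-blob"][name])
        return decrypt(dek, ct)


def demo() -> dict:
    """Round trip, reject a wrong key, then revoke the policy key and show the object is gone."""
    km = KeyManager()
    gw = ObjectStoreGateway(km, km.create_policy_key("finance-policy"))
    record = b"acct,amount\n1001,42\n"  # constructed sample object
    gw.put("q3.csv", record)
    result = {"roundtrip": gw.get("q3.csv") == record}
    try:
        decrypt(os.urandom(32), gw.wrapped_deks["q3.csv"])
        result["wrong_key_rejected"] = False
    except ValueError:
        result["wrong_key_rejected"] = True
    km.revoke("finance-policy")
    try:
        gw.get("q3.csv")
        result["after_revoke"] = "still readable"
    except KeyError:
        result["after_revoke"] = "erased"
    return result


if __name__ == "__main__":
    print(demo())
```

Two properties are worth checking against any product that makes the same claims: a single store's copy should be useless on its own (here each share is uniformly random without the other), and revoking the policy key should leave every wrapped DEK, and therefore every object, unrecoverable even though the ciphertext is still sitting in both stores.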
Tested by: Matthew Hreben