Protecting workloads and sensitive data throughout their lifecycle is a great concern across all industries and organizations. Increasing demands to accelerate hybrid cloud adoption and integration are changing the way data is securely stored, processed, and accessed.

In addition, regulatory guidelines and standards are causing many businesses and organizations to implement zero trust policies and privacy enhancing techniques to restrict access to workloads as state of least privilege is established. A state of least privilege ensures that no user or workload has any more access to data than is necessary. Confidentiality and integrity assurance for data at rest and data in transit is typically provided through cryptography. Nevertheless, data in use is generally unencrypted while it is processed by the system, which can make data in use accessible to privileged users or workloads.

In the past, data owners relied upon operational assurance to control access to workloads and data. An operational assurance approach ensures that a service provider will not access customer workloads or data through specific operational procedures and measures. However, with today's constant, unpredictable, and always changing cyberthreats, operational assurance is not enough.

A more robust technical assurance approach that is hardware-based is needed. A Trusted Execution Environment (TEE) or confidential computing platform does just that. A TEE ensures that no one can access sensitive workloads and data while in use, not even the service provider. A TEE can also protect the CI/CD pipeline from bad actors, enforce supply chain protection, and provide code integrity through cryptographic proofs and encryption.

This IBM® Redbooks® publication outlines how to apply common concepts of data protection and confidentiality and make use of a privacy-enhancing technology-based solution that can be implemented in a hybrid cloud environment. It describes the TEE technologies that are offered with IBM Z® and IBM LinuxONE (such as IBM Secure Execution for Linux), and how the IBM Hyper Protect Platform uses them.

This publication discusses how the various IBM Hyper Protect services ensure zero trust data-centric security and data privacy end-to-end. It also illustrates the business value through specific use case scenarios, covering relevant aspects of workload creation and evidence collection for regulatory compliance of software supply chains.

This IBM Redbooks publication is for Chief Information Security Officers (CISOs), IT managers, security architects, security administrators, cloud application developers, and anyone who needs to plan, deploy, and manage data security and confidentiality in a hybrid cloud environment. The reader is expected to have a basic understanding of IT security and hybrid cloud concepts.

Chapter 1. A hybrid cloud with data security in mind

Chapter 2. Understanding the solution

Chapter 3. Making the infrastructure secure

Chapter 4. Application development in a trusted environment

Appendix A. Client contract setup sample files

Appendix B. Creating a Hyper Protect Virtual Server for VPC

Appendix C. Additional examples for HPSB and HPVS

Appendix D. Encryption keys explained