At Auquan, we needed a way to simplify the management of the keys that our compute instances across multiple cloud platforms use to access documents stored in AWS S3. To accomplish this, we implemented the Unified Key Orchestrator (UKO) from IBM Cloud Hyper Protect Crypto Services (HPCS).
We built Auquan’s Portfolio Intelligence Engine on a multi-cloud architecture, with many of our applications running on ordinary compute instances inside these cloud providers. The applications on those instances need secure access to certain documents stored in AWS S3.
Our objective is to manage the life cycle and usage of these keys in a highly secure way, and we are approaching the implementation in two phases:
- Phase I: Use UKO to install and use keys with compute instances in IBM Cloud
- Phase II: Use UKO to use keys with compute instances in AWS
Using UKO for secure key management
IBM HPCS UKO can manage keys securely across multiple z/OS systems and across other cloud providers, including Microsoft Azure, Amazon Web Services (AWS), IBM Cloud, and Google Cloud Platform.
Keys in all of those keystores are protected by a master key held in a FIPS 140-2 Level 4-certified hardware security module (HSM). Key life cycles are managed from a single point of control, and UKO keeps the copies distributed to each keystore in sync.
Architecture
Implementation Notes
In our use case, compute instances in IBM Cloud and in AWS both access documents stored in AWS S3. The documents are encrypted under a key held in AWS KMS, and the life cycle of that key (creation, rotation, disabling, destruction) is managed from the UKO keystore, which gives us one control point across cloud providers for the key that protects the documents. Note that UKO governs the key itself, not access to it: an instance still needs AWS credentials whose IAM permissions allow it to read the bucket and use that KMS key, and a key that is disabled from UKO makes every document encrypted under it unreadable until it is re-enabled.
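As an added example (not Auquan's or IBM's code), here is the client-side counterpart to that architecture in Python, working on the response dictionaries boto3's S3 and KMS clients return: a bucket policy that only accepts documents written under the UKO-managed KMS key, a check that an object read back is actually encrypted under that key, and a check of the key's state before reading, since UKO can disable the key. The bucket name, account ID and key ARN are placeholders, and the S3/KMS clients at the bottom are constructed fakes so the script runs offline; with real boto3 clients, `read_document` takes them unchanged.

```python
"""Added example, not code from Auquan or IBM. Checks for an application
instance that reads S3 documents encrypted under a KMS key whose life cycle
is managed from UKO. Works on boto3-shaped dicts; placeholders throughout."""
import json

# Placeholder (assumption): ARN of the KMS key registered in the UKO AWS keystore.
UKO_MANAGED_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                       "11111111-2222-3333-4444-555555555555")
BUCKET = "example-documents-bucket"  # placeholder


def bucket_policy_requiring_key(bucket, key_arn):
    """Bucket policy that refuses PutObject unless the object is written with
    SSE-KMS under exactly key_arn, so no document is stored under a key outside
    UKO's control. Two Deny statements on purpose: condition keys inside one
    operator are ANDed, and a single statement would let through a write that
    uses aws:kms with the wrong key."""
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": obj_arn}
    return {"Version": "2012-10-17", "Statement": [
        dict(deny, Sid="DenyNonKmsWrites", Condition={"StringNotEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms"}}),
        dict(deny, Sid="DenyOtherKmsKeys", Condition={"StringNotEquals": {
            "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}),
    ]}


def verify_object_encryption(head_object_response, expected_key_arn):
    """Check the dict returned by s3.head_object(): the object must be SSE-KMS
    encrypted under expected_key_arn. Returns (ok, reason)."""
    sse = head_object_response.get("ServerSideEncryption")
    if sse != "aws:kms":
        return False, f"not SSE-KMS encrypted (ServerSideEncryption={sse!r})"
    key_id = head_object_response.get("SSEKMSKeyId")
    if key_id != expected_key_arn:
        return False, f"encrypted under unexpected key {key_id!r}"
    return True, "protected by the UKO-managed key"


def key_is_usable(describe_key_response):
    """Check the dict returned by kms.describe_key(). A key that UKO has
    disabled or scheduled for deletion still exists but cannot decrypt, so the
    reader should fail closed instead of retrying blindly."""
    meta = describe_key_response["KeyMetadata"]
    return bool(meta.get("Enabled")) and meta.get("KeyState") == "Enabled"


def read_document(s3, kms, bucket, key, expected_key_arn):
    """Read one document, refusing unless the key is enabled and the object is
    actually encrypted under it. s3/kms are boto3 clients, or anything with
    the same head_object/get_object/describe_key methods."""
    if not key_is_usable(kms.describe_key(KeyId=expected_key_arn)):
        raise RuntimeError("UKO-managed key is not enabled; refusing to read")
    head = s3.head_object(Bucket=bucket, Key=key)
    ok, reason = verify_object_encryption(head, expected_key_arn)
    if not ok:
        raise RuntimeError(f"{bucket}/{key}: {reason}")
    return s3.get_object(Bucket=bucket, Key=key)["Body"].read()


# --- Constructed fakes shaped like boto3 responses, so this runs offline ---
class _FakeBody:
    def __init__(self, data): self._data = data
    def read(self): return self._data

class FakeKMS:
    def __init__(self, state="Enabled"): self.state = state
    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": self.state,
                                "Enabled": self.state == "Enabled"}}

class FakeS3:
    def __init__(self, objects): self.objects = objects  # key -> (head, bytes)
    def head_object(self, Bucket, Key): return self.objects[Key][0]
    def get_object(self, Bucket, Key):
        return {"Body": _FakeBody(self.objects[Key][1])}

SAMPLE_OBJECTS = {  # constructed sample data
    "report.pdf": ({"ServerSideEncryption": "aws:kms",
                    "SSEKMSKeyId": UKO_MANAGED_KEY_ARN}, b"%PDF-1.7 ..."),
    "stray.csv": ({"ServerSideEncryption": "AES256"}, b"a,b,c"),  # SSE-S3, not our key
}

if __name__ == "__main__":
    print(json.dumps(bucket_policy_requiring_key(BUCKET, UKO_MANAGED_KEY_ARN), indent=2))
    s3 = FakeS3(SAMPLE_OBJECTS)
    print(read_document(s3, FakeKMS(), BUCKET, "report.pdf", UKO_MANAGED_KEY_ARN))
    for kms, key in ((FakeKMS(), "stray.csv"), (FakeKMS("Disabled"), "report.pdf")):
        try:
            read_document(s3, kms, BUCKET, key, UKO_MANAGED_KEY_ARN)
        except RuntimeError as err:
            print("refused:", err)
```

The bucket policy is the write-side control and the two checks are the read-side control; together they mean a document that bypassed the UKO-managed key never enters the bucket and is never silently consumed if it somehow did.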