
Unified Key Orchestrator

Managing keys in silos, on-premises and across multiple clouds, creates challenges in demonstrating compliance, maintaining the right security posture around key usage, and preserving data governance and sovereignty. A Gartner report suggests that security and risk management leaders must develop an enterprise-wide encryption key management strategy or risk losing the data.

Use

Built on Keep Your Own Key (KYOK) technology, Unified Key Orchestrator helps enterprises manage their data encryption keys across multiple keystores in multiple cloud environments, including keys held in the following environments:

  • On-premises
  • IBM Cloud
  • AWS
  • Microsoft Azure
  • Microsoft 365

Features

The Unified Key Orchestrator solution has been developed to address these pain points and provides the following:

  • A single control plane for all your keys: Unified Key Orchestrator has a UX research-led UI design that helps enterprises meet their compliance control obligations. The user experience is engineered to be seamless for key administrators, hides the complexities and differences across keystore implementations, and helps reduce the risk of incorrect key usage.
  • Key lifecycle management features based on NIST recommendations:

    • Keys are never in the clear anywhere. They are protected by your own master key on the service’s HSM (hardware security module).
    • Provides secured transfer of keys to internal keystores in the service instance or to external keystores, including Microsoft Azure Key Vault (Office 365®) and AWS KMS.
    • Distributes and installs keys with a single click. Manages keys and keystores through a RESTful API.
    • Centrally backs up and manages all keys of your enterprise and redistributes keys to quickly recover from errors due to lost keys.
  • Helps reduce total cost of ownership and operational costs: Unified Key Orchestrator provides a single intuitive tool with a tiered pricing model designed to reduce the complexity and cost of managing multiple key management systems. Additionally, customers can use the API to plug Unified Key Orchestrator into their DevOps process and integrate key management when they deploy workloads to the cloud.

Getting started

This section points you to tutorials on how to use Unified Key Orchestrator for:

  • AWS
  • Azure and Microsoft 365
  • Cloud Satellite

With AWS

See Securely manage AWS S3 encryption keys with IBM Cloud Hyper Protect Crypto Services with Unified Key Orchestrator

The following diagram illustrates the architecture.

[Diagram: AWS architecture]

Microsoft 365

This tutorial focuses on using IBM Cloud Hyper Protect Crypto Services with Unified Key Orchestrator to manage the regulatory compliance requirements of company data in a Microsoft 365 environment on Azure with Azure Key Vault and Azure Active Directory.

See Manage regulatory compliance of company data in Microsoft 365 with Hyper Protect Unified Key Orchestrator

The following diagram illustrates the use case.

[Diagram: banking use case]

IBM Cloud Satellite

IBM Cloud Satellite gives you the flexibility and scalability to bring your own infrastructure to IBM Cloud. You can run IBM Cloud services anywhere, including in your on-premises data centers and at other cloud providers. With IBM Cloud Satellite, you can connect your multiple environments into a distributed cloud solution that supports your enterprise hybrid cloud transformation.

Key Protect on Satellite allows you to fully control your encryption keys by using your on-premises hardware security module (HSM). Hyper Protect Crypto Services with Unified Key Orchestrator enables you to manage keys in various key management systems, including Key Protect on Satellite, from a single pane of glass.

See Using Hyper Protect Crypto Services with Unified Key Orchestrator to manage keys in Key Protect on Satellite.

The following diagram illustrates the use case:

[Diagram: IBM Cloud Satellite use case]

Hybrid cloud architecture with IBM Cloud

Hyper Protect Crypto Services (HPCS) with Unified Key Orchestrator (UKO) removes the complexity of managing multiple types of key management services and helps strengthen enterprise workload security by using FIPS 140-2 Level 4 certified HSMs in IBM Cloud.

When an enterprise application developed and deployed in IBM Cloud is extended into a hybrid multicloud application and combined with other cloud services and on-premises services, the data security of that application can be managed with HPCS.

The following diagram shows how HPCS with UKO can provide key management, from a single pane of glass, for enterprise applications deployed across this hybrid multicloud platform.

[Diagram: hybrid cloud with HPCS and UKO]

In this case, Hyper Protect Crypto Services with Unified Key Orchestrator works across multiple clouds and IBM Cloud VPCs, and also protects mainframe workloads. The architecture demonstrates both Keep Your Own Key (KYOK) and Bring Your Own Key (BYOK).

See Secure mainframe applications and data in a hybrid multicloud platform (download).

References

TechZone

For partners with access to TechZone, see Use the Unified Key Orchestrator (UKO) to orchestrate keys across AWS and/or Azure for a hands-on tutorial.