
Streamline Fintech Data Management With IBM Hyper Protect Services

Many banks and financial institutions are modernizing their IT systems and applications to become more agile and responsive by adopting a hybrid multicloud strategy, one that moves workloads incrementally rather than by wholesale lift and shift. IBM is a major provider of hardware, software and services geared towards helping customers through their mainframe modernization journey.

Migrating legacy systems and applications typically means moving from IBM Z platforms to solutions built on cloud and other modern digital technologies. Done wholesale, this puts an organization's core functionality at risk. A hybrid multicloud approach instead enables seamless adoption of cloud technologies by carefully moving customer interactions and experiences to a more agile cloud environment, while keeping system-of-record functions in existing IBM Z environments that are tightly controlled and managed by the organization.

Current Challenges

Data is the currency of the 21st century. Bringing data and processes from legacy systems to the cloud requires data at rest, data in transit and data in use to be handled according to prevailing data security guidelines and regulations. It’s no wonder that organizations in regulated industries cited security and data protection as the major inhibitor for moving sensitive applications and data to the public cloud. According to market reports, the adoption of cloud-based encryption software solutions is expected to grow. Why? Cloud technology enables easy data maintenance, cost-effectiveness, scalability and streamlined data management.

In the digital economy, fintechs are growing fast by taking advantage of technology solutions to quickly build, automate or improve financial services and processes. Many established financial institutions are still running monolithic applications hosted on mainframe platforms such as IBM Z. These banks prefer to run critical business processes and core processing on IBM Z and noncritical user-facing applications in the cloud. Though cloud-ready architectures have several benefits in terms of simplicity and support for microservices, there are still concerns about data being mishandled by the cloud service provider.

The Solution: IBM Cloud Hyper Protect Services

The IBM Cloud Hyper Protect platform and services address these concerns by providing "technical assurance" that customer data is always owned and controlled by the financial institution: the Hyper Protect technology is designed so that IBM Cloud operators have no technical means of accessing customer data. In contrast, "operational assurance" depends on procedures and promises made by the Cloud Service Provider (CSP), which are sometimes flouted, resulting in extensive damage to the brand image of financial institutions.

The Hyper Protect platform is based on LinuxONE and Secure Service Container (SSC) technology, which provides a confidential computing platform to prevent anyone other than the financial institutions from accessing customer data, as illustrated in Figure 1.

fig1.png
Figure 1. Technical assurance of IBM Cloud Hyper Protect Services

The following Hyper Protect Services are available on IBM Cloud catalog:

  1. Hyper Protect Crypto Services (HPCS)
  2. Hyper Protect DBaaS (HP DBaaS)
  3. Hyper Protect Virtual Server 

HPCS and HP DBaaS are offered as fully managed and highly available services owing to the multi-zone region architecture. HPCS also provides cross-regional high availability in certain geographies.
 
IBM Cloud Hyper Protect Crypto Services enables data protection with a single-tenant, dedicated Keep Your Own Key (KYOK) key management service (KMS) backed by a FIPS 140-2 Level 4 certified hardware security module (HSM). Level 4 is the highest assurance level defined by FIPS 140-2 and is the level the financial services industry looks for; it is the cornerstone for securing data in the cloud, because the customer's master keys are generated in, and never leave, the HSM.
 
Hyper Protect DBaaS provides complete data confidentiality for your sensitive data in the cloud. HP DBaaS currently supports PostgreSQL and MongoDB Enterprise Edition. Note that Hyper Protect DBaaS has a service-level integration with HPCS as an external KMS (like many other services within IBM Cloud).
 
Hyper Protect Virtual Server is a confidential computing platform in its own right, providing the industry's largest secure enclaves. It allows you to provision Linux virtual machines with your own public SSH key. IBM Cloud operators cannot log on to a customer's virtual server, which protects your IP and gives you exclusive access to code and data.

Hybrid Strategy for Fintech

Figure 2 illustrates a hybrid architecture using Hyper Protect Services on IBM Cloud and its related stack that matches the requirements of many enterprises today:

fig2.png
Figure 2. Hybrid cloud architecture using Hyper Protect Services on IBM Cloud

In this hybrid architecture, the fintech applications on IBM Cloud can interact with applications on IBM Z through REST APIs that are exposed by z/OS Connect. It acts as an intermediary by allowing applications on IBM Z to expose APIs that can be consumed by the fintech app. 

As illustrated in Figure 2, IBM Hyper Protect Crypto Services is used to offload TLS for the fintech web application: the load balancer terminates TLS, relieving the application servers of handshake and cryptographic processing, while the private keys stay under the control of the HPCS HSM. IBM Cloud Hyper Protect DBaaS for PostgreSQL provides a "protected" cache that ensures fast data retrieval with reduced latency and eliminates fetching the same data repeatedly from the Db2 environment on IBM Z.

TLS Offloading at the Load Balancer

Transport Layer Security (TLS) encrypts communications between the client and the server to protect against potential hackers and man-in-the-middle attacks. TLS offloading is the process of delegating all TLS/SSL processes to a load balancing device.

Load balancers are typically implemented at the edge, where customer traffic is terminated for logical separation of security zones from external to internal. Offloading TLS traffic at the load balancer allows application servers to process requests faster, but it must be done only when TLS/SSL encryption keys can be managed securely and confidentially. 

The NGINX load balancer in Figure 2 integrates with the FIPS 140-2 Level 4 HSM provided by IBM Cloud HPCS through PKCS#11. The TLS private key is referenced by the load balancer but held in the HSM, so each handshake's signing operation runs inside the HSM and the key material is never exposed on the load balancer host. This allows TLS offloading to be implemented without compromising security.
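The following NGINX configuration is an added example of the arrangement described above; it is not from the article or from IBM. The token label (hpcs-token), key label (app-tls-key), hostname, certificate path, upstream address and upstream name are placeholders, and it assumes the OpenSSL pkcs11 engine (libp11) has been configured separately to load the HPCS PKCS#11 library, with the PKCS#11 PIN supplied through that engine configuration rather than in this file.

```nginx
# Added example, not from the article: NGINX terminating TLS with a private key
# that lives only inside the HPCS HSM and is addressed by a PKCS#11 URI.
# All names, labels and paths below are placeholders.

# main context: initialise the OpenSSL engine that fronts the HSM
ssl_engine pkcs11;

events {
    worker_connections 1024;
}

http {
    upstream fintech_app {
        # placeholder: Hyper Protect Virtual Server(s) hosting the fintech web app
        server 10.0.1.10:8080;
    }

    server {
        listen 443 ssl;
        server_name app.example.com;   # placeholder hostname

        # The certificate is public and lives on disk. The key is NOT a file:
        # "engine:<engine>:<id>" tells NGINX to load it via the named OpenSSL
        # engine, and the id is a PKCS#11 URI selecting the key on the HSM token.
        ssl_certificate     /etc/nginx/tls/app.example.com.crt;
        ssl_certificate_key "engine:pkcs11:pkcs11:token=hpcs-token;object=app-tls-key;type=private";

        # Do not accept legacy protocol versions on the offload point.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        location / {
            # Plaintext only inside the trusted zone behind the load balancer.
            proxy_pass http://fintech_app;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Two checks are worth running before going live: `openssl engine -t pkcs11` confirms the engine loads and can reach the HSM library, and `nginx -t` confirms NGINX can resolve the key through that engine at startup. Because the key is resolved at startup, a misconfigured engine fails loudly then rather than silently at the first handshake.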

Hyper Protect DBaaS PostgreSQL for Data Caching

One of the major concerns with a hybrid architecture is the latency of fetching data from on-premises applications such as Db2, CICS, IMS and other resources on IBM Z. The problem is compounded when the data requested from on-premises resources is the same data over and over, making those round trips wasteful and redundant. The solution is a cache database within the cloud environment that reduces "fetches" from on-premises IBM Z resources: the cache holds a local copy of frequently read records that cloud-based applications can query directly, with IBM Z remaining the system of record. Placing a database in the cloud raises its own security concerns, but they can be allayed by using Hyper Protect DBaaS PostgreSQL, which protects data at the record level using encryption keys from Hyper Protect Crypto Services, securing both data at rest and data in transit.
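The cache-aside pattern implied above, as an added example that is not part of the article: a lookup first checks the cloud-side cache, goes to the system of record only on a miss or when the cached row is older than a TTL, and refreshes the cache on the way back. To run offline, the cache is modelled with an in-memory sqlite3 database standing in for Hyper Protect DBaaS for PostgreSQL (the SQL used also runs on PostgreSQL; swap the `?` placeholders for `%s` when using psycopg2 and connect with `sslmode=verify-full` and the service's CA certificate), and the Db2-on-Z lookup is a stubbed callable standing in for a z/OS Connect REST call. The table name, column names and sample records are constructed for the example.

```python
"""Cache-aside lookup of IBM Z records with TTL expiry (added example, not from the article).

Stand-ins: sqlite3 in memory for Hyper Protect DBaaS PostgreSQL; a callable for
the z/OS Connect REST call that reads the system of record on IBM Z.
"""
import json
import sqlite3
import time
from typing import Callable, Dict, Optional

# Assumed table layout; names are placeholders.
DDL = """
CREATE TABLE IF NOT EXISTS account_cache (
    account_id  TEXT PRIMARY KEY,
    payload     TEXT NOT NULL,   -- JSON record as returned from IBM Z
    fetched_at  REAL NOT NULL    -- epoch seconds; drives TTL expiry
)
"""


class RecordCache:
    def __init__(self, conn, fetch_from_z: Callable[[str], Optional[Dict]],
                 ttl_seconds: float = 300.0, clock: Callable[[], float] = time.time):
        self.conn = conn                # DB-API connection to the cache database
        self.fetch_from_z = fetch_from_z  # origin lookup against IBM Z (system of record)
        self.ttl = ttl_seconds          # how long a cached record may be served
        self.clock = clock              # injectable for deterministic expiry in tests
        self.origin_calls = 0           # counts round trips to IBM Z
        self.conn.execute(DDL)

    def get(self, account_id: str) -> Optional[Dict]:
        now = self.clock()
        row = self.conn.execute(
            "SELECT payload, fetched_at FROM account_cache WHERE account_id = ?",
            (account_id,),
        ).fetchone()
        if row is not None and now - row[1] < self.ttl:
            return json.loads(row[0])   # fresh hit: no round trip to IBM Z

        # Miss or stale entry: read the system of record, then refresh the cache.
        self.origin_calls += 1
        record = self.fetch_from_z(account_id)
        if record is None:
            # Negative results are not cached; drop any stale copy so it is never served.
            self.conn.execute("DELETE FROM account_cache WHERE account_id = ?", (account_id,))
            return None
        # Upsert syntax valid on SQLite >= 3.24 and on PostgreSQL.
        self.conn.execute(
            "INSERT INTO account_cache (account_id, payload, fetched_at) VALUES (?, ?, ?) "
            "ON CONFLICT(account_id) DO UPDATE SET "
            "payload = excluded.payload, fetched_at = excluded.fetched_at",
            (account_id, json.dumps(record), now),
        )
        return record


def demo():
    """Walk through miss, hit, TTL expiry and an unknown key; returns the observations."""
    # Constructed sample data standing in for Db2 on IBM Z.
    source = {"ACCT-1001": {"owner": "Example Customer", "balance": "1500.25"}}
    clock = {"t": 1_000_000.0}
    cache = RecordCache(
        sqlite3.connect(":memory:"),
        lambda k: dict(source[k]) if k in source else None,
        ttl_seconds=60,
        clock=lambda: clock["t"],
    )
    first = cache.get("ACCT-1001")     # miss: fetched from IBM Z and cached
    second = cache.get("ACCT-1001")    # hit: served from the cloud-side cache
    clock["t"] += 61                   # move past the TTL
    source["ACCT-1001"]["balance"] = "1200.00"   # record changed on IBM Z meanwhile
    third = cache.get("ACCT-1001")     # stale: re-fetched, new balance visible
    missing = cache.get("ACCT-9999")   # unknown account: None, nothing cached
    return cache.origin_calls, first, second, third, missing


if __name__ == "__main__":
    print(demo())
```

The TTL bounds how stale a served record can be; for data that must always reflect IBM Z exactly, bypass the cache or invalidate the row when the write path runs. The cache stores the record as an opaque JSON blob so that the only column the application ever queries on is the key, which keeps the schema exposed in the cloud minimal.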