Control: 5.2 Ensure IBM Cloudant encryption is enabled with customer managed keys

Description

IBM Cloudant encrypts all client data at-rest by default. For customers using a Dedicated Hardware plan instance, it is optional to use the service's integration with IBM Key Protect for customers to bring their own encryption key at provision time for the instance.

Remediation

The process to remediate a configuration where there is no use of a customer-managed encryption is as follows:

1. Provision a new Cloudant Dedicated Hardware plan instance using a customermanaged key as shown in details above.
2. Create new Cloudant instance(s) on the Dedicated Hardware plan instance that is using a customer-managed key as needed.
3. Replicate data over from the Cloudant instances not using a customer-managed key to the instances on the Dedicaed Hardware environment using the customermanaged key. This process requires use of the Cloudant replication feature as shown in the Cloudant documentation.
4. Delete any Cloudant instances on environments that do not use customer-managed keys once the replication is complete.