Mark Smith

Now I want to talk about the opportunity this new secure enclave technology presents to you as a security professional. In the process, I hope you’ll get a clearer idea of our vision — where true data security allows enterprises to go and what this might enable for them.

Access to Infrastructure No Longer Means Access to Data

With the arrival of secure enclave technology, that vulnerable connection between machine access and data no longer exists. All data, including code, is encrypted within the enclave and rendered unaddressable by other machine processes or users. For all intents and purposes, the data is untethered from the device — it is only visible within the context of the enclave.

The implications are significant:

Data is secure everywhere it is used. With this level of isolation, data get the same hardware-grade protection on premise, in the cloud, in hostile and untrusted environments — everywhere. Azure, Baidu, Alibaba and other services already support enclave technologies. That means if you need to operate in untrusted environments, you can do so without the risk of losing data.

High security becomes baked into the infrastructure. Normally strong security protections imply high operational friction. But with secure enclaves, operations staff work without data exposure risk. Organizations such as hosted service providers can actually prove as much to auditors — virtually eliminating liability.

All data and applications can be protected by default. Protecting data is a good thing. But protecting only important data reveals which data is important and where hackers should focus. Isolating and encrypting all data, similarly to what was achieved with the introduction of TLS, improves overall security posture by not signaling which data is important to bad actors

It enables a zero-trust hardware foundation. Zero trust is a great idea, but when implemented in software, it falls to the same memory and security weaknesses of all software. Enclave technology itself implements zero trust by isolating data, allowing only explicitly governed access, and providing continuous oversight of use. This enables IT to create a zero trust foundation that data secures higher-level zero trust solutions. But more importantly it creates a root from which all software can be verified, trusted and uniquely identified.

The Future

Cybersecurity will look very different a few years from now due to this technology. While it’s hard to imagine all the impacts enclave technology will have , we do know there’s a substantial opportunity for IT professionals to greatly improve their business security posture . Without public key infrastructure, which was the last big technology shift, you wouldn’t have security on the Internet, and thus companies like Amazon wouldn’t exist.

Since the dawn of data, keeping information secure has been a challenge and a source of anxiety for everyone.

There’s a good reason for that. Data is fundamentally exposed everywhere it is used. Over time, more and more data has moved to memory and cache — making this problem bigger and bigger. Today businesses accept the restrictions needed to maintain data security and safeguard privacy.

But what if data could be so secure it could be leveraged anywhere, without being seen or accessed by anyone? Your business would grow faster, your customers would be safer, and you would spend a lot less money on extra security. Even better, you would sleep at night knowing that wherever your data goes, it’s secure.

Secure enclaves deliver that security. They give you complete control over private data from creation to use and finally to disposal.

The great news is Secure Enclaves are now supported by every major cloud, operating system, server, and CPU vendor. These vendors integrate these capabilities — meaning it doesn’t cost more for you to take advantage of this heightened level of security.

That’s one reason why CISOs have started calling Secure Enterprise Enclaves The Next Big Thing.

The industry is buzzing about confidential clouds that protect your data and applications by default from insiders, service providers, other third parties, and hackers.

Microsoft Azure provides the components to create these clouds, starting with Confidential compute instances secured on servers with the Intel SGX technology.

Microsoft provides the necessary components. Anjuna makes it quick and simple to implement confidential clouds. VMware made virtualization simple. Anjuna does this for confidential clouds.

Anjuna’s software migrates your apps to Azure hardware secured confidential computing instances in literally seconds. No SDKs, re-writes, or other process changes. The result is extended protection beyond data in use — to data at rest, and data in motion.

Anjuna also integrates your confidential secure app and data with other Azure services, such as:

Azure Key Vault

Azure Kubernetes Services

Microsoft Azure Attestation

and Active Directory.

The combination of the Azure cloud and Anjuna software delivers a truly confidential cloud that puts you in control of your data — protecting your data from everyone by default.

Anjuna and Azure make this the right time to move your sensitive data and apps to Azure now.

Secure Enclaves: The Powerful Way to Make Data Secure by DefaultExecutive Summary

A major threat to enterprise IT already exists inside your organization: insiders. While most enterprises already take steps to protect systems from end users, credentialed insiders with unfettered access are even more dangerous, and this is not limited to employees. Third parties, including employees at cloud providers, are often to blame for insider breaches. Nation-states and other bad actors, can also present credentials that make them look like insiders.

Current methods and technologies to prevent IT insider threats have had severe limitations. Now there’s a new approach being implemented by nearly every major hardware and cloud vendor. Secure enclaves provide a comprehensive, more secure solution that protects data, applications, and storage from insiders and third parties — on premises, and in both private and public clouds.

What is a Secure Enclave?

A secure enclave provides CPU hardware-level isolation and memory encryption on every server, by isolating application code and data from anyone with privileges, and encrypting its memory. With additional software, secure enclaves enable the encryption of both storage and network data for simple full stack security. Secure enclave hardware support is built into all new CPUs from Intel and AMD.

Insiders: The Threat No One Wants to Talk About

Until now, most cybersecurity efforts have focused on controlling network access by outsiders or end users. The greatest harm, however, is likely to come from insiders — system administrators, network architects, system analysts, developers, and site reliability engineers — who often have authorized access to data, networks, and applications. They may misuse or abuse their access to steal or damage sensitive data. Breaches may also occur unintentionally due to lax security protocols. It’s estimated that 43% of all breaches are committed by insiders — both accidental and intentional.

Probably one of the most infamous examples of intentional insider breaches is the case of Edward Snowden, a Booz Allen contractor working with the NSA. In 2013, Snowden, stole nearly 2 million intelligence files in what is considered one of the biggest thefts of US secrets in history. As a system administrator and architect, Snowden had unlimited access to NSA systems, and he was also able to access files from other sites, including those of other countries.2 The incursions continue to occur. In 2019, two Twitter employees were charged with spying for Saudi Arabia by accessing information on Saudi Arabian dissidents who used the Twitter platform.

Prevention Not Detection

In today’s environment, enterprises can never be sure all threats have been detected and handled in a timely manner. Moving to prevention changes the focus from chasing malicious acts that have already occurred to maintaining secure resources and networks.

To ensure enterprise security, protecting data and applications is not sufficient. Memory and networks need to be protected as well. This protection should include not only on-premises applications and data, but also operations that run in both private and public clouds. While today’s approaches protect data at rest and in transit, data in use has not been properly addressed, because it is the most complicated and difficult state to protect.

The Confidential Computing Consortium was founded in 2019, under the auspices of The Linux Foundation, to address this problem. The consortium’s goal is to define and promote the adoption of confidential computing — specifically to protect sensitive data within system memory. More than 20 industry leaders have joined the group, including Alibaba, Anjuna, ARM, Baidu, Facebook, Google Cloud, IBM, Intel, Microsoft, Oracle, Red Hat, Tencent, and VMware.

Secure Enclaves Deliver High-Level Hardware Security

Secure enclaves (also known as Trusted Execution Environments or TEE) are at the core of confidential computing. Secure Enclaves are sets of security-related instruction codes built into new CPUs. They protect data in use, because the enclave is decrypted on the fly only within the CPU, and then only for code and data running within the enclave itself.

Introduced by Intel as Software Guard Extensions (SGX)6, secure enclaves are based on hardware-level encrypted memory isolation. AMD now offers similar functionality with its SEV technology, built into Epyc. By the end of 2020, secure enclaves will be supported by nearly every server and cloud platform, including Intel, AMD, Amazon AWS (with their new Nitro Enclaves)7, Microsoft Azure8, VMware, Google, Docker, and Red Hat.

Secure Enclaves Prevent Critical Threats

As a CISO, you face multiple threats to your enterprise–from stolen data to unauthorized access by systems administrators or SREs. Secure Enclaves can help you prevent a wide range of threats with a consolidated easily implemented approach.

Next Steps: Prepare Now

The move to secure enclaves is gaining momentum. Secure enclaves will become standard security technology for the enterprise within the next few years. With the increased use of multiple computing environments — from on premises datacenters to public cloud to edge — now is the time to prepare to implement this level of protection for your operation.

Ask your team these questions:

How do you protect your sensitive applications in the public cloud?

What are your cloud providers doing to address this ongoing insider threat?

Do you have third party exposure? How do you protect your applications and data in untrusted geographies?

Are you concerned with the possibility a government subpoena might demand access to customer data?

Are you prepared to re-write applications to take advantage of secure enclaves?

How important will it be to have a solution that can automatically move applications into a secure environment?

To learn more about how Anjuna makes the deployment of secure enclaves simple and straightforward without the need to rewrite software, see the white paper Preventing Insider Threat.

What is Confidential Computing?

Confidential Computing is an approach that uses secure enclave technology to enable the creation of a trusted execution environment (TEE) based on security features provided by CPU vendors. A TEE allows for encryption/decryption within the CPUs, memory and data isolation, and other security features that vary by CPU vendor.

Secure Enclaves (TEEs): A Major Advance but Complex to Deploy

Implementing secure enclaves is both complex and costly, requiring the re-architecting of each application. An enclave demands the hands-on participation of engineers and specialists, which raises operating expenses to impractical heights. Each chip and cloud provider created its own solution: Intel SGX, Azure, AMD SEV, AWS Nitro Enclaves, and Google VM. But these efforts, however worthy, created a dizzying field of choices for customers already maintaining on-premises, hybrid, and multi-cloud environments. They face having to learn each respective TEE technology, which raises overhead in terms of engineering personnel, time, application performance, and cost.

Anjuna® Software: Securing Data by Default

Anjuna® Confidential Computing software requires no re-architecting of applications or kernel. Customers needn’t be concerned about the underlying TEE on the chip or cloud infrastructure level. Applications and whole environments work unmodified within private environments created on public cloud infrastructure. Within minutes, Anjuna automatically creates an isolated and ironclad hardware-encrypted environment in which applications run and extends Confidential Computing hardware technologies to protect data — in use, in transit, and at rest.

Explore These Confidential Computing Use CasesSecure Cloud-Migration

Migrate applications to the cloud with a security posture that exceeds on-premises protection. Anjuna extends hardened security capabilities provided by Confidential Computing technologies and makes any public cloud the safest place for sensitive enterprise applications and data. No more compromise between cloud economics and robust security.

Database Protection

Even secured databases store data unencrypted and exposed in memory. Anjuna assures that both the database and its data operate within the secure confines of an isolated private environment. Cryptographically and physically isolating data from malicious processes and bad actors virtually eliminate the chance of a data breach or exfiltration.

Data Protection

Anjuna delivers the strongest and most complete data security and privacy control available. Sensitive data created, processed, stored, and networked is protected with hardware-rooted zero-trust protection, protecting PII from insiders and bad actors throughout its lifecycle. Data is protected by default, including keys, PII, PHI, PCI, IP, proprietary algorithms, trade secrets, etc.

Crypto MPC & Blockchain Protection

See Yan Michalevsky, CTO and Co-Founder of Anjuna, discuss secure enclaves for blockchain applications, secure storage of cryptographic keys and infrastructure, and challenges in blockchain and cryptocurrency. Anjuna protects MPC applications, digital assets, digital wallets, custodial exchanges, NFTs, and AI/ML algorithms for crypto companies.

Key Management Systems (KMS)

With Confidential Computing, you can now modernize and extend KMS capabilities and shut out access to KMS applications running in isolated environments. Anjuna partners with HashiCorp and Venafi to protect keys and secrets even from attackers with root access from obtaining the authentication credentials.

Hardened DevSecOps

Manual security and audit processes for DevSecOps pipelines can be a primary risk vector for software supply chain compromise. These slow labor-intensive processes can make it challenging to identify pipeline attacks promptly. Using Anjuna to run applications inside secure enclaves provides hardware-based proof of software components’ integrity, protecting the software supply chain more broadly.

Even secured databases need to store data unencrypted and exposed in memory. Anjuna assures that both the database itself and its data operate within the secure confines of a confidential cloud environment. Cryptographically and physically isolating data from malicious processes and bad actors virtually eliminate the chance of a data breach or exfiltration. Enterprises can protect their data in use, at rest, and in transit with a single approach. More importantly, Anjuna protection assures that IT insiders are never over-exposed to data they should not see — simplifying compliance efforts. Anjuna® makes it simple for enterprises to implement Confidential Computing by allowing applications to operate in complete privacy and isolation, instantly and without modification. Anjuna Confidential Computing software supports custom and legacy applications — even packaged software such as databases and machine learning systems. Both on-site and in the cloud, Anjuna’s broad support provides the strongest and most uniform data security across AWS Nitro, Azure, AMD SEV, Intel SGX, and other technologies.

Use Cases for Confidential Computing

Database Protection

Even secured databases need to store data unencrypted and exposed in memory. Anjuna assures that both the database itself and its data operate within the secure confines of a confidential cloud environment. Cryptographically and physically isolating data from malicious processes and bad actors virtually eliminate the chance of a data breach or exfiltration. Enterprises can protect their data in use, at rest, and in transit with a single approach. More importantly, Anjuna protection assures that IT insiders are never over-exposed to data they should not see — simplifying compliance efforts.

Multi-Party Computation (MPC)

Anjuna Confidential Cloud Software makes the public cloud the safest and most secure place to compute--completely isolating existing data and workloads from insiders, bad actors, and malicious code. Anjuna software deploys simply in seconds as software over AWS, Azure, and other public clouds. By employing the strongest secure enclave data protection available, Anjuna software effectively replaces complex legacy perimeter security without disrupting operations, applications, or IT.

Protection from Attacks by Default

Bad actors and malicious software can’t attack what they can’t see. Anjuna-protected workloads and data are cloaked within an invisible zero-trust confidential and private environment that controls data access while eliminating attack surfaces. This keeps all data and workloads secure even in the event of a physical or privileged breach of a cloud host.

Ready for the Enterprise

Anjuna Confidential Cloud Software easily integrates into your existing environment and IT operations. No need for your operations and development teams to change how they work, because applications deploy and run as they always have. Anjuna’s management functions use standard APIs to integrate out-of-the-box with existing SIEM software and CARTA architectures to provide management, logging, and reporting.