To protect data and code in the age of hybrid cloud, you can always turn to Intel SGX
A gentle guide to enclaves and trusted execution environments
Sponsored
Data and code are the lifeblood of digital organisations, and increasingly they are shared with others in order to achieve specific business goals. As such, data and code must be protected no matter where the workloads run, be that in on-premises data centers, on remote cloud servers, or at the edge of the network.
Take medical images processed in the cloud, for example. Their processing must be encrypted for security and privacy. Banks need to share insights derived from financial data without sharing the underlying confidential data with others. Other organisations may want to process data using artificial intelligence and machine learning while keeping secret the learning algorithms that turn that data into useful analysis.
While encrypting data at rest or in transit is commonplace, encrypting sensitive data while it is actively in-use in memory is the latest, and possibly most challenging, step on the way to a fully encrypted data lifecycle.
New security model army
One new security model that is growing increasingly popular as a way of protecting data in use is confidential computing. This model uses hardware protections to isolate sensitive data.
Confidential computing changes how code and data are processed at the hardware level and changes the structure of applications. Using the confidential computing model, encrypted data can be processed in the hardware without being exposed to the rest of the system.
A crucial part of that is the Intel® Software Guard Extensions (Intel® SGX). It was introduced for client platforms in 2015 and brought to the data center in 2017, and developed as a means of protecting the confidentiality and integrity of code. It does this by creating encrypted enclaves that help safeguard information and code whilst in use. This year, Intel® submitted the SGX software development kit (SDK) to the Linux Foundation’s new Confidential Computing Consortium to help secure data in applications and the cloud.
Don’t trust me, trust the extensions
To protect data in use, applications can employ something called Trusted Execution Environments (TEEs) running inside a processor. The fundamental principle here is of hardware isolation between that TEE – where only trusted code is executed on selected data – and the host device’s operating environment. Within a TEE, data is safely decrypted, processed, and re-encrypted. TEEs also provide for the secure execution of authorised software, known as trusted applications or TAs, and protect the execution of authenticated code.
To keep data safe, TEEs use a secure area of memory and the processor that is isolated from the rest of a system’s software stack. Only trusted TAs are allowed to run inside this environment, and that restriction is cryptographically enforced. Applications using a TEE can be divided into a trusted part (the TA) and an untrusted part (the rest of the application, which runs as normal), giving the developer fine control over exactly which portions of data need advanced protection.
Unpacking Intel SGX
The goal of the Confidential Computing Consortium is to establish common, open-source standards and tools for the development of TEEs and TAs.
This is where Intel® has stepped in with Intel® SGX. It offers hardware-based memory encryption that isolates specific application code and data in memory. It works by allowing developers to create TEEs in hardware. This application-layer TEE can be used to help protect the confidentiality and integrity of customer data and code while it’s processed in the public cloud, encrypt enterprise blockchain payloads, enable machine learning across data sources, significantly scale key management solutions, and much more.
This technology helps minimise the attack surface of applications by setting aside parts of the hardware that are private and that are reserved exclusively for the code and data. This protects against direct assaults on the executing code or the data that are stored in memory.
To achieve this, Intel® SGX can put application code and data into hardened enclaves or trusted execution modules – encrypted memory areas inside an application’s address space. Code in the enclave is trusted as it cannot be altered by other apps or malware.
Intel® SGX provides a group of security-related instructions, built into the company’s Intel® Core™ and Xeon® processors. Intel provides a software development kit as a foundation for low-level access to the feature set with higher-level libraries that open it up to other cloud-optimized development languages.
Any number of enclaves can be created to support distributed architectures. Some or all parts of the application can be run inside an enclave.
Code and data are designed to remain encrypted even if the operating system, other applications, or the cloud stack have been compromised by hackers. This data remains safe even if an attacker has full execution control over the platform outside the enclave.
Should an enclave be somehow modified by malicious software, the CPU will detect it and won’t load the application. Any attempt to access the enclave memory is denied by the processor, even one made by privileged users. This detection stops encrypted code and data in the enclave from being exposed.
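As an added illustration (not part of this sponsored article or of Intel's SDK), the following Python model shows the principle behind that load-time check: the enclave signer commits to a hash over the enclave image, and a loader refuses any image whose recomputed hash differs. The byte layout used for the hash here is a simplification chosen for illustration, not Intel's exact MRENCLAVE encoding.

```python
import hashlib

PAGE_SIZE = 4096
CHUNK = 256  # the page contents are folded into the hash in 256-byte chunks


def measure_enclave(pages):
    """Simplified MRENCLAVE-style measurement (assumed encoding, not Intel's).

    `pages` is an ordered list of (offset, flags, data) tuples describing the
    enclave image in the order a loader adds it. Page contents, their offset,
    their permission flags and their order all feed the hash, so a change to
    any of them produces a different measurement.
    """
    h = hashlib.sha256()
    h.update(b"ECREATE" + PAGE_SIZE.to_bytes(8, "little"))
    for offset, flags, data in pages:
        assert len(data) == PAGE_SIZE
        # record where the page lives and how it may be accessed
        h.update(b"EADD" + offset.to_bytes(8, "little") + flags.encode())
        # fold in the page contents chunk by chunk, tagged with their offset
        for i in range(0, PAGE_SIZE, CHUNK):
            h.update(b"EEXTEND" + (offset + i).to_bytes(8, "little"))
            h.update(data[i:i + CHUNK])
    return h.hexdigest()


def einit_check(pages, expected_mrenclave):
    """Model of the load decision: only an image whose measurement matches
    the value committed to by the signer is allowed to initialise."""
    return measure_enclave(pages) == expected_mrenclave


def make_page(fill):
    return bytes([fill]) * PAGE_SIZE


# Constructed sample image: one executable code page and one data page
GOOD_IMAGE = [(0x0000, "r-x", make_page(0x90)), (0x1000, "rw-", make_page(0x00))]
# Computed by the enclave signer at build time and shipped in its signed metadata
EXPECTED = measure_enclave(GOOD_IMAGE)


def tampered_code():
    # one byte of the code page patched after signing
    code = bytearray(GOOD_IMAGE[0][2])
    code[100] = 0xCC
    return [(0x0000, "r-x", bytes(code)), GOOD_IMAGE[1]]


def relaxed_perms():
    # identical bytes, but the code page has been made writable
    return [(0x0000, "rwx", GOOD_IMAGE[0][2]), GOOD_IMAGE[1]]


def reordered():
    # same pages, loaded in a different order
    return [GOOD_IMAGE[1], GOOD_IMAGE[0]]
```

The three variant images all fail `einit_check`, which is the property the article relies on: a tampered enclave is refused before it ever runs.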
Where might enterprise developers use Intel® SGX? A couple of specific scenarios spring to mind. Key management is one, with enclaves used in the process of managing cryptographic keys and providing HSM-like functionality. Developers can enhance the privacy of analytics workloads, as Intel® SGX lets you isolate the multi-party joint computation of sensitive data. Finally, there are digital wallets, where secure enclaves can help protect financial payments and transactions. There are more areas, but this is just a sampler.
Separate – and secure
Intel® SGX enables applications to be significantly more secure in today’s world of distributed computing because it provides a higher level of isolation and attestation for program code, data and IP. That’s going to be important for a range of applications from machine learning to media streaming, and it means stronger protection for financial data, healthcare information, and user smartphone privacy whether it’s running on-prem, in hybrid cloud, or on the periphery of the IoT world.
Sponsored by Intel®