November 5, 2018 By Pratheek Karnati 3 min read

Adopting Zero Trust architecture

Security & Risk (S&R) professionals are adopting Zero Trust architecture by erasing the current trusted and untrusted network model; instead, they are identifying sensitive data, actors, and their workflows and designing micro-perimeters around them[1]. This means that data and data protection form the foundation for today’s security architecture, where workloads merge the gap between clouds—public and private—and on-premise infrastructure.

However, data protection remains incomplete without in-use protection. S&R professionals are looking for solutions that not only protect data-in-use but also at the velocity of Cloud.

IBM Cloud Data Shield

Data Shield, powered by Fortanix, provides data-in-use protection for your container workloads running on the IBM Cloud Kubernetes Service. It leverages Intel® Software Guard Extensions (SGX) technology to run code and data in CPU-hardened “enclaves” or a Trusted Execution Environment (TEE). The enclave is a trusted area of memory where critical aspects of the application functionality are protected, helping keep code and data confidential and unmodified.

Data Shield provides DevOps tools that integrate with your existing build pipelines to convert your container images to Intel® SGX counterparts with little to no code changes. It runs on the IBM Cloud Kubernetes Service to bring scalability and high availability to your sensitive workloads.

Provisioning

Data Shield is offered as a helm chart on IBM Cloud. You can download and install Data Shield to your Intel SGX® enabled IBM Cloud Kubernetes Service cluster. Please find the Data Shield helm chart documentation here.

Data Shield Enclave Manager

Data Shield Enclave Manager provides Kubernetes worker-node-level security attributes. It uses IBM Cloud App ID, backed by cloud directory, for user authentication. It populates all the Intel® SGX-enabled worker nodes and the applications running on them. It streamlines Intel Attestation by embedding attestation reports in a downloadable X.509 certificate.

Data Shield Enclave Manager

Worker nodes on the IBM Cloud Kubernetes Service and their attestation information

Downloadable X.509 certificate with embedded Intel attestation report

We are very pleased to collaborate with IBM—utilizing IBM’s Data Shield to protect Blockchain-based DApps executing in iExec decentralized cloud. IBM Data Shield delivers secure provisioning of secrets for Dapps, ensuring the data and application execution remain completely protected,” said Gilles Fedak, CEO of iExec.

Data Shield Converter Service          

Data Shield Converter service helps convert Docker container images to Intel® SGX counterparts. As a security measure, it runs locally to your cluster. You can invoke it through a container running in the same cluster:

curl -k -H ‘Content-Type: application/json’ -d ‘ {“inputImageName”: “your-registry-server/your-app”, “outputImageName”: “your-registry-server/your-app-sgx”}’ https://datashield-enclaveos-converter.default.svc.cluster.local/v1/convert-image

Converter service pulls your container image, converts it, and pushes it back to your container registry without any further input or code changes in your application. At launch, it supports applications written in Python, C, and C++.

To get started with converter service, you can use an example three-tier e-wallet application hosted here.

Out-of-the-box Intel® SGX applications

At initial delivery, Data Shield offers pre-converted Intel SGX® container images for VaultMySQLNginx, and Barbican. You can find the container images and their “getting started” documentation on the IBM Cloud public registry.

IBM Cloud container registry

Call to action

To request a demo, receive a Slack invite for Data Shield workspace, or ask any questions, please email shield1@us.ibm.com.

References:

More from Announcements

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

IBM and MuleSoft expand global relationship to accelerate modernization on IBM Power 

2 min read - As companies undergo digital transformation, they rely on APIs as the backbone for providing new services and customer experiences. While APIs can simplify application development and deliver integrated solutions, IT shops must have a robust solution to effectively manage and govern them to ensure that response times and costs are kept low for all applications. Many customers use Salesforce’s MuleSoft, named a leader by Gartner® in full lifecycle API management for seven consecutive times, to manage and secure APIs across…

IBM Consulting augments expertise with AWS Competencies: A win-win for clients 

3 min read - In today's dynamic economic landscape, businesses demand continuous innovation and speed of execution. At IBM Consulting®, our unwavering focus on partnerships and shared commitment to delivering enterprise-level solutions to mutual clients have been core to our success.   We are thrilled to announce that IBM® has recently gained five competencies from Amazon Web Services (AWS) in vital domains including Cloud Operations, Internet of Things (IoT), Life Sciences, Mainframe Modernization, and Telecommunications. With these credentials, IBM further establishes its position as a…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters