
Data-in-use protection on IBM Cloud using Intel SGX


Business Challenge:

While external attacks outnumber internal incidents as causes of breaches, malicious internal incidents are on the rise – in 2017, 46% of internal attacks were malicious insider incidents. As businesses become data-driven, they understand data security and privacy are competitive differentiators [1].

However, in today’s data economy, networked and perimeter-based security models fall short of bringing true end-to-end data security. Security and risk (S&R) leaders are adopting Zero Trust architectural principles, using micro-perimeters and micro-segmentation, making the data the new perimeter.

Figure 1: Data-in-use protection using Intel SGX

While today’s IAM, data-at-rest and data-in-transit solutions together tremendously help enterprises with data security, they are not an end-to-end solution without data-in-use protection.

Intel SGX:

Intel® Software Guard Extensions (Intel® SGX) is a technology that can protect data-in-use through hardware-based server security. Intel SGX lets application developers protect select code and data from disclosure or modification. Intel® SGX uses enclaves, which are trusted execution environments (TEE) that utilize a separate portion of memory that is encrypted for TEE use.

Intel SGX on IBM Cloud:

In December 2017, we announced our early access to Intel SGX-based offerings. Today, Intel SGX bare metal servers are generally available across all regions on IBM Cloud. Take the following steps to provision SGX servers:

  1. Select “Bare Metal Server” from the IBM Cloud catalog for compute:

Figure 2: IBM Cloud Catalog for Compute

  2. Select other configuration options from the screen below:

Figure 3: Bare metal server configurations on IBM Cloud

  3. Select “Intel Xeon E3-1270 v6” configurations under single processor multi-core servers; select servers billed monthly.

Figure 4: Single processor server configurations

  4. Select “Software Guard Extensions” in the next screen:

Figure 5: System configuration options

Proceed to the next steps of your server configuration as you would for any other bare metal server. When you provision your server, it should have SGX enabled in the BIOS. The provisioning may take several hours.

Installing Intel SGX driver and Platform Software (PSW):

After provisioning the server, and before running Intel SGX workloads, you need to install an Intel SGX driver and PSW (the Intel SGX SDK is optional and meant for development purposes).

You can find the latest driver, PSW and SDK for your platform here or over here. Alternatively, you can also build and install from the GitHub repository here.

The Intel Software Guard Extensions Installation Guide is located here.

Developing Intel SGX Protected Applications:

An Intel SGX application consists of two parts: untrusted code and a trusted enclave that it securely calls into. A developer can then create one-to-many trusted enclaves that work together to support distributed architectures. Common uses include key material, proprietary algorithms, biometric data, and CSR generation.

Developers can start with the following steps:

  1. Identify secure data that needs to be protected.
  2. Find the methods/functions that modify the secure data.
  3. Partition the code into trusted enclaves and untrusted code.

Figure 6: Application partitioning with Intel SGX [2]

At runtime, the Intel SGX instructions build and execute the enclave in a special protected memory region with a restricted entry and exit location that is defined by the developer. This prevents data leakage. Enclave code and data inside the CPU can be accessed only by the application’s untrusted component, and enclave data written to disk is encrypted and checked for integrity [2].
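A plain-C model of the three partitioning steps above, added here as an illustration; it is not code from the original post or from the Intel SGX SDK. The names `ecall_verify_secret` and `app_try_login` and the sample secret are hypothetical. In an SDK build the entry point would be declared as a public trusted function in the enclave's EDL file, and the CPU rather than `static` linkage would enforce the boundary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Trusted part: in a real build this is the enclave ---- */
#define SECRET_LEN   8
#define MAX_ATTEMPTS 3

/* Step 1: the secure data (constructed sample value) and its retry counter.
 * `static` hides them from other files here; in SGX the CPU enforces it. */
static const uint8_t g_secret[SECRET_LEN] = {'c','o','n','s','t','r','c','t'};
static unsigned g_failures = 0;

/* Constant-time compare: run time does not depend on where bytes differ. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps 2-3: the single entry point that reads or updates the secure data.
 * Returns 1 match, 0 mismatch, -1 malformed input, -2 locked out. */
int ecall_verify_secret(const uint8_t *buf, size_t len) {
    uint8_t local[SECRET_LEN];
    if (g_failures >= MAX_ATTEMPTS) return -2;
    if (buf == NULL || len != SECRET_LEN) return -1;
    memcpy(local, buf, SECRET_LEN); /* copy in first: caller controls buf */
    if (ct_equal(local, g_secret, SECRET_LEN)) { g_failures = 0; return 1; }
    g_failures++;
    return 0;
}

/* ---- Untrusted part: ordinary application code ---- */
/* Sees only the verdict, never the secret or the counter. */
int app_try_login(const char *guess) {
    return ecall_verify_secret((const uint8_t *)guess, strlen(guess));
}

int main(void) {
    printf("wrong length -> %d\n", app_try_login("short"));
    printf("correct      -> %d\n", app_try_login("constrct"));
    printf("wrong guess  -> %d\n", app_try_login("aaaaaaaa"));
    return 0;
}
```

The retry counter lives on the trusted side because it is state that the untrusted caller must not be able to reset.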

Here’s a quick “Hello World” application demonstrating how trusted enclaves and untrusted code communicate.

References:

[1] https://www.forrester.com/report/The+State+Of+Data+Security+And+Privacy+2017+To+2018/-/E-RES137954

[2] https://software.intel.com/en-us/sgx/details

[3] https://github.com/IBM/sgx-trust-management

[4] https://medium.com/@gidon_16942/trust-management-in-intel-sgx-enclaves-fda7d1fe6cb5

[5] https://www.forrester.com/report/FutureProof+Your+Digital+Business+With+Zero+Trust+Security/-/E-RES137483
