Data-in-use protection on IBM Cloud using Intel SGX


Business Challenge:

While external attacks outnumber internal incidents as causes of breaches, malicious internal incidents are on the rise – in 2017, 46% of internal attacks were malicious insider incidents. As businesses become data-driven, they understand data security and privacy are competitive differentiators [1].

However, in today’s data economy, networked and perimeter-based security models fall short of delivering true end-to-end data security. Security and risk (S&R) leaders are adopting Zero Trust architectural principles, using micro-perimeters and micro-segmentation to make the data the new perimeter.

Figure 1: Data-in-use protection using Intel SGX

While today’s IAM, data-at-rest, and data-in-transit solutions together help enterprises tremendously with data security, they do not form an end-to-end solution without data-in-use protection.

Intel SGX:

Intel® Software Guard Extensions (Intel® SGX) is a technology that can protect data-in-use through hardware-based server security. Intel SGX lets application developers protect select code and data from disclosure or modification. Intel® SGX uses enclaves, which are trusted execution environments (TEE) that utilize a separate portion of memory that is encrypted for TEE use.

Intel SGX on IBM Cloud:

In December 2017, we announced early access to Intel SGX-based offerings. Today, Intel SGX bare metal servers are generally available across all regions on IBM Cloud. Take the following steps to provision SGX servers:

  1. Select “Bare Metal Server” from the IBM Cloud catalog for compute:

Figure 2: IBM Cloud Catalog for Compute

  2. Select other configuration options from the screen below:

Figure 3: Bare metal server configurations on IBM Cloud

  3. Select “Intel Xeon E3-1270 v6” configurations under single processor multi-core servers; select servers billed monthly.

Figure 4: Single processor server configurations

  4. Select “Software Guard Extensions” in the next screen:

Figure 5: System configuration options

Proceed to the next steps of your server configuration as you would for any other bare metal server. When your server is provisioned, it should have SGX enabled in the BIOS. Provisioning may take several hours.

Installing Intel SGX driver and Platform Software (PSW):

After provisioning the server, and before running Intel SGX workloads, you need to install the Intel SGX driver and PSW (the Intel SGX SDK is optional and meant for development purposes).

You can find the latest driver, PSW and SDK for your platform here or over here. Alternatively, you can also build and install from the GitHub repository here.

The Intel Software Guard Extensions Installation Guide is located here.

Developing Intel SGX Protected Applications:

An Intel SGX application consists of two parts: untrusted code and a trusted enclave that it securely calls into. A developer can create one-to-many trusted enclaves that work together to support distributed architectures. Common uses include protecting key material, proprietary algorithms, biometric data, and CSR generation.

Developers can start with the following steps:

  1. Identify secure data that needs to be protected.
  2. Find the methods/functions that modify the secure data.
  3. Partition the code into trusted enclaves and untrusted code.

Figure 6: Application partitioning with Intel SGX [2]

At runtime, the Intel SGX instructions build and execute the enclave in a special protected memory region with restricted entry and exit locations that are defined by the developer. This prevents data leakage. Enclave code and data inside the CPU can be reached only by the application’s untrusted component, and only through those entry points, and enclave data written to disk is encrypted and checked for integrity [2].

Here’s a quick “Hello World” application demonstrating how trusted enclaves and untrusted code communicate.
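
The three partitioning steps above, as an added plain-C model; it is not the original post's listing and does not use the Intel SGX SDK or SGX hardware. All names (`ecall_provision`, `ecall_verify`, the PIN scenario) are hypothetical, and file-scope `static` only stands in for the isolation that SGX enforces in hardware.

```c
/* Plain-C model of an SGX-style partition. No SGX SDK or hardware is used;
 * every name below is hypothetical. In a real enclave the CPU, not the
 * `static` keyword, keeps untrusted code away from the trusted state. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN   6
#define MAX_TRIES 3
enum { E_OK = 0, E_BAD_ARG = -1, E_NOT_READY = -2, E_LOCKED = -3 };

/* ---- Trusted side. Step 1: the data that needs protecting. ---- */
static uint8_t g_pin[PIN_LEN];
static int g_ready = 0;
static int g_tries_left = MAX_TRIES;

/* Step 2: the only functions that touch the secret become entry points. */
int ecall_provision(const uint8_t *pin, size_t len) {
    if (pin == NULL || len != PIN_LEN) return E_BAD_ARG; /* validate at the boundary */
    if (g_ready) return E_LOCKED;                        /* refuse re-provisioning */
    memcpy(g_pin, pin, PIN_LEN);                         /* copy in, keep no caller pointer */
    g_ready = 1;
    return E_OK;
}

int ecall_verify(const uint8_t *guess, size_t len, int *match) {
    if (guess == NULL || match == NULL || len != PIN_LEN) return E_BAD_ARG;
    *match = 0;
    if (!g_ready) return E_NOT_READY;
    if (g_tries_left == 0) return E_LOCKED;              /* counter lives on the trusted side */
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++)                 /* compare without early exit */
        diff |= (uint8_t)(guess[i] ^ g_pin[i]);
    if (diff == 0) { g_tries_left = MAX_TRIES; *match = 1; }
    else g_tries_left--;
    return E_OK;                                         /* only one bit leaves the boundary */
}

/* ---- Untrusted side. Step 3: everything else, using only the entry points. ---- */
int main(void) {
    int ok = 0;
    ecall_provision((const uint8_t *)"428913", PIN_LEN); /* constructed sample PIN */
    ecall_verify((const uint8_t *)"000000", PIN_LEN, &ok);
    printf("wrong guess -> match=%d\n", ok);
    ecall_verify((const uint8_t *)"428913", PIN_LEN, &ok);
    printf("right guess -> match=%d\n", ok);
    return 0;
}
```

The untrusted side never receives the PIN or the retry counter; it sees only a status code and a single match bit, which is the interface shape the partitioning steps aim for.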









