Data-in-use protection on IBM Cloud using Intel SGX


Business Challenge:

While external attacks outnumber internal incidents as causes of breaches, malicious internal incidents are on the rise – in 2017, 46% of internal attacks were malicious insider incidents. As businesses become data-driven, they understand data security and privacy are competitive differentiators [1].

However, in today’s data economy, networked and perimeter-based security models fall short of delivering true end-to-end data security. Security and risk (S&R) leaders are adopting Zero Trust architectural principles, using micro-perimeters and micro-segmentation, making the data itself the new perimeter.

Figure 1: Data-in-use protection using Intel SGX

While today’s IAM, data-at-rest and data-in-transit solutions together help enterprises tremendously with data security, they do not form an end-to-end solution without data-in-use protection.

Intel SGX:

Intel® Software Guard Extensions (Intel® SGX) is a technology that can protect data-in-use through hardware-based server security. Intel SGX lets application developers protect selected code and data from disclosure or modification. Intel SGX uses enclaves: trusted execution environments (TEEs) backed by a separate region of memory that is encrypted for the enclave’s use.

Intel SGX on IBM Cloud:

In December 2017, we announced early access to Intel SGX-based offerings. Today, Intel SGX bare metal servers are generally available across all regions on IBM Cloud. Take the following steps to provision SGX servers:

  1. Select “Bare Metal Server” from the IBM Cloud catalog for compute:

Figure 2: IBM Cloud Catalog for Compute

  2. Select other configuration options from the screen below:

Figure 3: Bare metal server configurations on IBM Cloud

  3. Select “Intel Xeon E3-1270 v6” configurations under single processor multi-core servers; select servers billed monthly.

Figure 4: Single processor server configurations

  4. Select “Software Guard Extensions” in the next screen:

Figure 5: System configuration options

Proceed through the remaining steps of your server configuration as you would for any other bare metal server. When your server is provisioned, it should have SGX enabled in the BIOS. Provisioning may take several hours.

Installing the Intel SGX driver and Platform Software (PSW):

After provisioning the server, and before running Intel SGX workloads, you need to install the Intel SGX driver and the PSW (the Intel SGX SDK is optional and intended for development).

You can find the latest driver, PSW and SDK for your platform here or here. Alternatively, you can build and install them from the GitHub repository here.

The Intel Software Guard Extensions Installation Guide is located here.

Developing Intel SGX Protected Applications:

An Intel SGX application consists of two parts: untrusted code and a trusted enclave that it securely calls into. A developer can create one or many trusted enclaves that work together to support distributed architectures. Common uses include protecting key material, proprietary algorithms and biometric data, and generating CSRs.

Developers can start with the following steps:

  1. Identify secure data that needs to be protected.
  2. Find the methods/functions that modify the secure data.
  3. Partition the code into trusted enclaves and untrusted code.

Figure 6: Application partitioning with Intel SGX [2]

At runtime, the Intel SGX instructions build and execute the enclave in a special protected memory region with restricted entry and exit points defined by the developer. This prevents data leakage. Enclave code and data inside the CPU can be reached only through those defined entry points, which the application’s untrusted component calls, and enclave data written to disk is encrypted and checked for integrity [2].

Here’s a quick “Hello World” application demonstrating how trusted enclaves and untrusted code communicate.
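The original post's embedded demo is not reproduced here, so the following is an added example (not Intel's or IBM's code) that models the same hello-world partition in plain C without the SGX SDK: the interface is shown as an EDL comment, the trusted side holds a secret that never crosses the boundary, and output goes through an OCALL. The names ecall_greet, ocall_print, app_greet and enclave_secret are assumptions; in a real build the untrusted side would call sgx_create_enclave and the proxy generated by sgx_edger8r instead of calling the enclave function directly.

```c
#include <stdio.h>
#include <string.h>

/* ---- Enclave.edl (interface shown for reference; assumed names) ----
 * enclave {
 *     trusted {    // ECALLs: untrusted app -> enclave
 *         public int ecall_greet([in, string] const char *name,
 *                                [out, size=len] char *out, size_t len);
 *     };
 *     untrusted {  // OCALLs: enclave -> untrusted app
 *         void ocall_print([in, string] const char *msg);
 *     };
 * };
 * sgx_edger8r turns this into bridge code that copies [in]/[out] buffers
 * across the boundary, so the enclave never dereferences host pointers. */

/* ---- Enclave.c (trusted side) ---- */
static const char enclave_secret[] = "enclave-only key material"; /* never exported */
void ocall_print(const char *msg);  /* provided by the untrusted side */

int ecall_greet(const char *name, char *out, size_t len)
{
    /* 'name' and 'out' are already copies inside the enclave; validate them. */
    if (name == NULL || out == NULL || len < 32 || strlen(name) > 64)
        return -1;                 /* reject missing or oversized input */
    snprintf(out, len, "Hello %s from inside the enclave", name);
    /* No direct I/O inside an enclave: ask the host to print via an OCALL. */
    ocall_print("enclave: greeting prepared; secret stays inside");
    return (int)strlen(enclave_secret);  /* only a length crosses out, not the secret */
}

/* ---- App.c (untrusted side) ---- */
void ocall_print(const char *msg) { printf("[host] %s\n", msg); }

/* Real build: sgx_create_enclave("enclave.signed.so", ...) gives an enclave id,
 * and the call goes through the generated proxy ecall_greet(eid, &ret, ...).
 * This SDK-free model calls the enclave function directly instead. */
int app_greet(const char *name, char *out, size_t len)
{
    return ecall_greet(name, out, len);
}

int main(void)
{
    char buf[64];
    int rc = app_greet("IBM Cloud", buf, sizeof buf);
    printf("[host] rc=%d msg=\"%s\"\n", rc, buf);
    return rc < 0;
}
```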

Software Architect (Innovation)
