Data-in-use Protection on IBM Cloud – IBM, Intel, and Fortanix partner to keep enterprises secure to the core


Cloud computing has made collecting, storing, and processing data easier and more affordable than ever, but many risk-conscious organizations struggle with how to control, secure, and protect data that is processed on a public cloud platform. The data protection needs of organizations are driven by concerns about protecting intellectual property, meeting compliance requirements, or navigating the ambiguity of legal protections for data in the cloud. These organizations see the need to independently retain ownership and control of their data.

Security best practices traditionally call for encrypting data-at-rest and data-in-motion, but the advent of cloud computing has created the need for data-in-use encryption as well. In fact, the Identity Theft Resource Center (ITRC) anticipates that the number of breaches could reach 1,500 by the end of 2017, a 37 percent annual increase over 2016, when breaches reached a record high of 1,093.

The Cloud Security Alliance (CSA) recommends, “controls should be applied throughout the entire lifecycle (in transit, at rest and in use) to allow the customer to maintain control over the data while the [cloud service provider] hosts and processes it.” The challenge now is how to protect data while it is in use.

Intel® Software Guard Extensions (Intel® SGX) is the only technology that can protect data in use through hardware-based server security. Intel SGX gives application developers the ability to protect select code and data from disclosure or modification. Intel® SGX makes such protections possible using enclaves, which are trusted execution environments (TEEs) that use a separate portion of memory that is encrypted for TEE use.


Data-in-use Protection using IBM Cloud Data Guard


Today, Intel SGX application developers need to structure their application into trusted and untrusted parts, where the trusted parts are executed inside the enclave. Project “IBM Cloud Data Guard”, powered by the Fortanix Runtime Encryption Platform, offers easy-to-use and powerful services that accelerate application protection with Intel SGX enclaves. The Fortanix platform transparently protects applications by creating a portable security envelope to run applications in completely protected states. We extend the reach and benefits of Intel SGX to application developers working in an agile environment by integrating with their CI/CD systems.

Software development teams can leverage IBM Cloud Data Guard to convert their applications or containers to protected applications or containers capable of running in Intel SGX enclaves.


Integration of IBM Cloud Data Guard with Development Pipelines

Today, we are announcing IBM Cloud Data Guard Preview, supporting the following scenarios, so you can try and start building your protected applications:

  1. IBM Cloud SGX-capable bare-metal servers: You can provision SGX-capable bare-metal servers on IBM Cloud today (Model: Intel Xeon E3-1270-v6). You can start building your applications using the Intel SDKs for C/C++ or the Fortanix Rust SDK.
  2. Curated Applications: You can pull curated protected applications, built using IBM Cloud Data Guard, from our Docker private registry. We initially intend to host MySQL, Nginx, ForgeRock OpenDJ, OpenStack Barbican, and software key managers.
  3. IBM Cloud Data Guard Preview Toolkit: The early access toolkit can convert your application container images to protected container images that run your applications inside Intel SGX enclaves.

As part of our early access program, IBM provides access to a dedicated Kubernetes cluster pre-deployed on Intel SGX-capable servers. Additionally, IBM will provide a three-tier (Nginx, Flask, MySQL) containerized “e-wallet” application for a test drive.

“Intel applauds IBM’s focus on providing increased security for cloud applications,” said Jim Gordon, general manager of Platform Security Development at Intel Corporation. “We are excited about the collaboration between IBM and Fortanix, which utilizes Intel® SGX to increase the security posture for end-user applications in the cloud.”

To get started with IBM Cloud Data Guard, you can sign up or write to

Software Architect (Innovation)

Karna Bojjireddy
