November 16, 2018 | Written by: Lei Zhang
Categorized: Blockchain | Compute Infrastructure | Security
iExec and IBM Cloud are extending the value of cloud through improved security
Over the past decade, the cloud has completely transformed the way businesses think about computing resources and application deployment. Modern cloud platforms enable enterprises to scale up and down on demand, turning computing into a highly flexible, pay-as-you-use-it utility. However, perceived security risks make some organizations cautious about moving to the cloud.
Empowered by the unique IBM Cloud approach to cloud security, iExec is extending the value of cloud by helping enterprises run even their most sensitive workloads on shared hardware at much lower risk.
Establishing a cloud-based marketplace built on more than trust
Many organizations have on-premises or cloud-based computing resources that are not in permanent use. At the same time, other organizations have short-term requirements for computing power. At iExec, our vision is to bring the two sides together and create a cloud-based marketplace for executing computations.
The goal is to enable organizations and individuals to share and monetize their computing resources and allow customers to find a convenient, cost-effective cloud infrastructure for running task-based workloads.
However, to do this, we first needed to resolve a major trust issue. Because some users could send sensitive data to be processed on a provider’s hardware, they need a guarantee that the provider can’t inspect, tamper with, or steal the data. In a classic cloud environment, such guarantees are provided by the high security of the provider’s data center and the rigorous contractual agreements between the two companies. Essentially, though, it all comes down to trust.
iExec permits customers to allocate tasks to providers without necessarily knowing or trusting those providers. To meet this requirement, we had to find a way to make it technically impossible for providers to gain any access to the data being processed on their machines.
The IBM approach to cloud is predicated on the concept of a zero-trust architecture, whereby the user has complete assurance that no one else can access their data. This philosophy was a perfect fit with our own, and so we certified IBM Cloud as one of the first cloud resource providers globally in the iExec marketplace.
Creating a secure, decentralized cloud
The iExec platform uses the Ethereum blockchain to create a market for decentralized cloud computing. Application providers, data providers, and resource providers can all contribute their services to the marketplace. Customers then choose the amount of compute resources they need, the application they want to run, and the data they want to process, and then they initiate the job.
The workload is then distributed and processed by the various providers, and iExec’s proof-of-contribution algorithms verify the result. If everything checks out, the transaction is confirmed and written to the blockchain.
The security of the platform as a whole is assured by the IBM zero-trust architecture. IBM is currently the only cloud provider that offers access to bare metal servers with Intel Software Guard Extensions (SGX) at data centers across all of its global regions.
SGX is a technology that creates an “enclave” within a system, which is capable of running applications that are completely isolated from the host machine. It’s designed to ensure that even a root-level administrator can’t access or tamper with the code and data running in this enclave. This means it’s safe to execute code on SGX-enabled servers, regardless of whether you trust the owner of the server.
Harnessing new solutions
We see the IBM Cloud implementation of SGX as a leader in the market, and we’re encouraging members of our community to work with IBM on developing applications that harness SGX to provide highly secure distributed cloud applications.
We’re also excited about IBM Cloud Data Shield, powered by Fortanix, a new solution that uses runtime encryption to enable developers to adapt their existing applications to take advantage of SGX instead of having to build them with SGX compatibility from the ground up. We are already using Data Shield directly on IBM Cloud Kubernetes Service.
As we continue to develop the iExec platform and bring new types of providers into our community, IBM Cloud and Intel SGX will play a key role in helping us reinvent cloud computing and unlock the benefits of distributed, decentralized computing resources for providers and customers even in the most highly regulated industries.
To learn more about enabling Intel SGX on IBM Cloud bare metal servers, read this blog post or learn more about IBM Cloud Data Shield.