IBM, Intel, and Fortanix partner to keep enterprises secure to the core
Cloud computing has made collecting, storing, and processing data easier and more affordable than ever, but many risk-conscious organizations struggle with how to control, secure, and protect data that is processed on a public cloud platform. The data protection needs of these organizations are driven by concerns about protecting intellectual property, meeting compliance requirements, or navigating the ambiguity of legal protections for data in the cloud. They see the need to independently retain ownership and control of their data.
Security best practices traditionally call for encrypting data at rest and data in motion, but the advent of cloud computing has created the need for data-in-use encryption as well. The stakes keep rising: the Identity Theft Resource Center (ITRC) anticipates that the number of breaches could reach 1,500 by the end of 2017, a 37 percent annual increase over 2016, when breaches reached a record high of 1,093.
The Cloud Security Alliance (CSA) recommends that “controls should be applied throughout the entire lifecycle (in transit, at rest and in use) to allow the customer to maintain control over the data while the [cloud service provider] hosts and processes it.” The challenge, then, is how to protect data while it is in use.
Intel® Software Guard Extensions (Intel® SGX) is the only technology that can protect data in use through hardware-based server security. Intel SGX gives application developers the ability to protect selected code and data from disclosure or modification. Intel SGX makes such protection possible using enclaves: trusted execution environments (TEEs) that use a separate region of memory which is encrypted for the enclave's exclusive use, so that neither the operating system, the hypervisor, nor other processes on the host can read or alter it.
Data-in-use Protection using IBM Cloud Data Guard
Today, Intel SGX application developers need to structure their application into trusted and untrusted parts, where the trusted parts are executed inside the enclave and the untrusted parts run as a normal process on the host. Project “IBM Cloud Data Guard”, powered by the Fortanix Runtime Encryption Platform, offers easy-to-use and powerful services that accelerate application protection with Intel SGX enclaves. The Fortanix platform transparently protects applications by creating a portable security envelope that runs applications in a completely protected state, without requiring the developer to partition the code by hand. We extend the reach and benefits of Intel SGX to application developers working in an agile environment by integrating with their CI/CD systems.
Software development teams can use IBM Cloud Data Guard to convert their applications or containers into protected applications or containers capable of running inside Intel SGX enclaves.
Integration of IBM Cloud Data Guard with Development Pipelines
Today, we are announcing the IBM Cloud Data Guard Preview, supporting the following scenarios, so you can try it and start building your protected applications:
IBM Cloud SGX-capable bare-metal servers: You can provision SGX-capable bare-metal servers on IBM Cloud today (Model: Intel Xeon E3-1270-v6). You can start building your applications using the Intel SDK for C/C++ or the Fortanix Rust SDK.
Curated Applications: You can pull curated protected applications, built using IBM Cloud Data Guard, from our private Docker registry. We initially intend to host MySQL, Nginx, ForgeRock OpenDJ, OpenStack Barbican, and software key managers.
IBM Cloud Data Guard Preview Toolkit: The early-access toolkit can convert your application container images into protected container images that run your applications inside Intel SGX enclaves.
As part of our early access program, IBM provides access to a dedicated Kubernetes cluster pre-deployed on Intel SGX-capable servers. Additionally, IBM will provide a three-tier (Nginx, Flask, MySQL) containerized “e-wallet” application for a test drive. “Intel applauds IBM’s focus on providing increased security for cloud applications,” said Jim Gordon, general manager of Platform Security Development at Intel Corporation. “We are excited about the collaboration between IBM and Fortanix, which utilizes Intel® SGX to increase the security posture for end users' applications in the cloud.” To get started with IBM Cloud Data Guard, you can write to firstname.lastname@example.org.
To learn more about confidential computing, which keeps data encrypted while it is being processed, see “What is Confidential Computing.”