Data-in-use protection on IBM Cloud using Intel SGX
While external attacks outnumber internal incidents as causes of breaches, malicious internal incidents are on the rise – in 2017, 46% of internal attacks were malicious insider incidents. As businesses become data-driven, they understand data security and privacy are competitive differentiators.
However, in today’s data economy, networked and perimeter-based security models fall short of bringing true end-to-end data security. Security and risk (S&R) leaders are adopting Zero Trust architectural principles, using micro-perimeters and micro-segmentation, making the data the new perimeter.
Figure 1: Data-in-use protection using Intel SGX
While today’s IAM, data-at-rest and in-transit solutions together help enterprises tremendously with data security, they do not form an end-to-end solution without data-in-use protection.
Intel® Software Guard Extensions (Intel® SGX) is a technology that can protect data-in-use through hardware-based server security. Intel SGX lets application developers protect select code and data from disclosure or modification. Intel® SGX uses enclaves, which are trusted execution environments (TEE) that utilize a separate portion of memory that is encrypted for TEE use.
Intel SGX on IBM Cloud:
In December 2017, we announced our early access to Intel SGX based offerings. Today, Intel SGX bare metal servers are generally available across all regions on IBM Cloud. Take the following steps to provision SGX servers:
1. Select “Bare Metal Server” from the IBM Cloud catalog for compute:
Figure 2: IBM Cloud Catalog for Compute
2. Select other configuration options from the screen below:
Figure 3: Bare metal server configurations on IBM Cloud
3. Select “Intel Xeon E3-1270 v6” configurations under single processor multi-core servers; select servers billed monthly.
Figure 4: Single processor server configurations
4. Select “Software Guard Extensions” in the next screen:
Figure 5: System configuration options
Proceed to the next steps of your server configuration as you would for any other bare metal server. When you provision your server, it should have SGX enabled in the BIOS. The provisioning may take several hours.
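To confirm that a provisioned server actually exposes SGX before installing the driver, the CPUID enumeration leaves can be read directly. The C program below is an added example, not part of the original post or of Intel's tooling; the struct and function names are illustrative, the bit positions follow the SGX enumeration in the Intel SDM (leaf 07H and leaf 12H), and only the first EPC section (sub-leaf 2) is inspected.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Output registers of one CPUID leaf/sub-leaf. */
struct cpuid_regs { unsigned int eax, ebx, ecx, edx; };

struct sgx_status {
    int cpu_support;     /* CPUID.(EAX=07H,ECX=0):EBX[2] */
    int sgx1, sgx2;      /* CPUID.(EAX=12H,ECX=0):EAX[0] and EAX[1] */
    uint64_t epc_bytes;  /* size of the EPC section in sub-leaf 2, 0 if none */
};

/* Decode raw register values; kept separate from CPUID access so it can be tested. */
struct sgx_status sgx_decode(struct cpuid_regs l7, struct cpuid_regs l12_0,
                             struct cpuid_regs l12_2)
{
    struct sgx_status s = {0, 0, 0, 0};
    s.cpu_support = (l7.ebx >> 2) & 1;
    if (!s.cpu_support)
        return s;                       /* leaf 12H means nothing without it */
    s.sgx1 = l12_0.eax & 1;
    s.sgx2 = (l12_0.eax >> 1) & 1;
    if ((l12_2.eax & 0xF) == 1)         /* type 1 = valid EPC section */
        s.epc_bytes = ((uint64_t)(l12_2.edx & 0xFFFFF) << 32)
                    | (l12_2.ecx & 0xFFFFF000u);
    return s;
}

/* Usable: CPU support, SGX1 instructions enumerated, and protected memory present. */
int sgx_usable(struct sgx_status s) { return s.cpu_support && s.sgx1 && s.epc_bytes > 0; }

int main(void)
{
    struct cpuid_regs l7 = {0, 0, 0, 0}, a = {0, 0, 0, 0}, b = {0, 0, 0, 0};
#if defined(__x86_64__) || defined(__i386__)
    __get_cpuid_count(0x07, 0, &l7.eax, &l7.ebx, &l7.ecx, &l7.edx);
    __get_cpuid_count(0x12, 0, &a.eax, &a.ebx, &a.ecx, &a.edx);
    __get_cpuid_count(0x12, 2, &b.eax, &b.ebx, &b.ecx, &b.edx);
#endif
    struct sgx_status s = sgx_decode(l7, a, b);
    printf("cpu_support=%d sgx1=%d sgx2=%d epc=%llu MiB usable=%s\n",
           s.cpu_support, s.sgx1, s.sgx2,
           (unsigned long long)(s.epc_bytes >> 20), sgx_usable(s) ? "yes" : "no");
    return sgx_usable(s) ? 0 : 1;
}
```

A result of cpu_support=1 with sgx1=0 or epc=0 points to SGX being present in the processor but not enabled in firmware, which is worth resolving before the driver and PSW are installed.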
Installing the Intel SGX driver and Platform Software (PSW):
After provisioning the server, and before running Intel SGX workloads, you need to install the Intel SGX driver and PSW (the Intel SGX SDK is optional and meant for development purposes).
The Intel Software Guard Extensions Installation Guide is located here.
Developing Intel SGX Protected Applications:
An Intel SGX application consists of two parts: untrusted code and a trusted enclave that it securely calls into. A developer can then create one-to-many trusted enclaves that work together to support distributed architectures. Common uses include key material, proprietary algorithms, biometric data, and CSR generation.
Developers can start with the following steps:
1. Identify secure data that needs to be protected.
2. Find the methods/functions that modify the secure data.
3. Partition the code into trusted enclaves and untrusted code.
Figure 6: Application partitioning with Intel SGX 
At runtime, the Intel SGX instructions build and execute the enclave in a special protected memory region with restricted entry and exit locations that are defined by the developer. This prevents data leakage. Enclave code and data inside the CPU can be accessed only by the application’s untrusted component, and enclave data written to disk is encrypted and checked for integrity.
Here’s a quick “Hello World” application demonstrating how trusted enclaves and untrusted code communicate.