Posted by Andy Leiserson on November 5th, 2018
Today, we are taking the next step on our journey to bring Runtime Encryption® to the cloud. Earlier this year, we made early access to Runtime Encryption available in the IBM Cloud. Since then, we have been working with early access customers to learn more about how Runtime Encryption® can help them tap in to the powerful security protections of Intel® SGX. After incorporating their feedback, we are excited to announce the experimental release of IBM Cloud Data Shield, powered by Runtime Encryption.
As anticipated, the security and integrity properties of Intel® SGX have resonated well with our early access customers. The consistent feedback has been that enclave computing is powerful but not always easy. We have also learned that Fortanix® Runtime Encryption® makes it easier.
During our early access phase with IBM Cloud, we engaged with users from organizations of all sizes - large enterprises, startups, and academia - and from across the globe. The use cases that arose predominantly involve securing data-centric workloads such as Blockchain, AI/Machine Learning, Databases, and Analytics. We heard from primary users ranging from security architects and application developers, to DevOps engineers. Some languages of interest for use with Runtime Encryption® include Rust, Python, Go, and Java.
Early access customers noted that enclave computing has a steep learning curve. Customers confirmed that one of the challenges to operating within enclaves is the need to change, or sometimes rewrite, existing applications. Because modern cloud applications are highly interconnected microservices, they require extensions to the enclave security primitives. The Runtime Encryption® platform, which allows users to employ the security of enclave computing, without having to alter their applications, was clearly meeting a need.
The feedback we received from early access customers has helped us clarify the primary objectives of our Runtime Encryption® Platform. The over-arching objective is to deliver maximum protection of secure enclaves with minimum friction. Specifically, we are focused on enhancing enclave-based computing with the following design goals:
We are strengthening our partnership with IBM today with the launch of IBM Cloud Data Shield experimental. IBM Cloud Data Shield, powered by Fortanix Runtime Encryption, offers applications the protection of data in use. Runtime Encryption® enables a fundamentally new level of security and privacy, allowing organizations with highly sensitive workloads to operate in the cloud. Organizations can securely run data-centric workloads such as Blockchain and Artificial Intelligence, benefiting from the economies of scale of cloud computing.
With this milestone, we are introducing new and enhanced capabilities to the Runtime Encryption® platform, along with making it more seamless for users of IBM Cloud. The experimental milestone enables a more self-service consumption model in the IBM Cloud and represents a natural progression for the offering in the IBM Cloud. The offering delivers SGX as a service end-to-end. It leverages IBM IaaS, which now has SGX-enabled servers in 3 regions and is growing. It also integrates with IBM Cloud Kubernetes Service, delivering powerful PaaS services for application developers and DevOps. The Data Shield offering can be easily deployed using Helm Charts in the IBM Cloud. The offering consists of new and enhanced Runtime Encryption® components:
Once configured, you have flexible options to protect your applications in the cloud:
If you are interested in building a new application for SGX but prefer a different language option, then you will be happy to know that we are working on a Rust SDK, contact us for more information on this.
Over the past several months, we have analyzed multiple application patterns. Some of the common application patterns and use cases that can benefit from Runtime Encryption® in the cloud include:
Some of the common application design patterns that we are encountering are:
Three tier distributed applications. Each of the three tiers in the commonplace three tier architecture can benefit from the protection of Runtime Encryption. The frontend tier is sensitive because it sees all the data transferred to or from a client. Runtime Encryption® protects this data as it moves through the frontend server. Runtime Encryption® also protects the private keys associated with high-value client-facing TLS certificates, thus protecting a critical property of the application’s identity. The application tier benefits from Runtime Encryption® because it provides protection for both application data in use and for proprietary algorithms operating on the data. Finally, Runtime Encryption® provides the backend tier with protection for data at or near rest. Unlike some traditional encryption solutions for databases like Transparent Data Encryption (TDE), which only protects data that is fully at rest on persistent storage, Runtime Encryption® also protects data that is cached in memory by the database server. Three tier applications also benefit from secure communication between enclaves, discussed next.
To protect your application’s data in use with the Fortanix Runtime Encryption® platform in the cloud, get started with IBM Cloud Data Shield. To discuss your requirements with our experts, contact us or join our Runtime Encryption® slack community.
Get our blog updates in your inbox: