Organizations that rely solely on traditional security controls, such as encryption for data at rest and in transit, when moving workloads to the cloud are at risk. A major vulnerability is data in use, which refers to data being processed and stored in memory. This data can be viewed or modified by anyone with access to the infrastructure, including malware, insiders, and even cloud operators. This risk is magnified in cloud environments where enterprise customers have limited control over the employees and contractors of their IT cloud providers. The threat from trusted insiders can also exacerbate the security risks of cloud computing due to its widespread use and large scale. Insiders, with host access to carry out their jobs, can potentially access and compromise host data, making just one bad actor a significant risk to the entire organization.
How vast is the challenge?
Today, cloud workloads are often operated in memory to increase speed and reduce latency. This means that the risk of data breaches and the attack surface are both increasing for Kubernetes applications and in-memory databases. In these environments, keys, secrets, sensitive data and code, and intellectual property such as AI models are vulnerable and unprotected in memory. An insider, malicious application, or exploited OS code with admin access can dump the memory and steal this data. According to data from Google and Microsoft, 70% of breaches start in memory with a direct attack. If an attacker obtains keys, they can decrypt data at rest or in transit, making this security gap particularly dangerous.
Confidential Computing is a new approach to data security that protects against threats that traditional software-only security tools cannot keep up with. The technology protects data in use by isolating data and performing computations in a hardware-based Trusted Execution Environment (TEE), a secure part of the processor. All major cloud providers and leading chipset vendors have embraced this paradigm and offer various implementations.
As explained by the Confidential Computing Consortium, a hardware-based approach is necessary because existing security mechanisms can be compromised by a breach at lower layers of the compute stack, such as the operating system or hypervisor. To prevent this, security should be implemented at the lowest layers of hardware: the silicon. Doing so removes a number of entities - such as the operating system, device drivers, cloud providers, and admins - an organization must trust, reducing exposure to potential compromise.
Confidential Computing protects workloads by encrypting code and data in memory via the CPU, the most atomic hardware unit, and isolating them from potentially vulnerable infrastructure. Special hardware on the chipsets decrypts the code and data from memory, allowing for secure computing within a trusted ecosystem. This allows for easy scaling of applications while maintaining performance. Hardware and strong cryptography ensure the trust and integrity of the workload, allowing entire applications to run fully protected within a secure enclave. If an attacker tries to access data in memory, they will either have no visibility or will only be able to acquire encrypted data, which is useless.
Anjuna Unlocks Confidential Computing
Confidential Computing has the potential to revolutionize the way organizations handle sensitive data, but it often requires significant time and effort to adapt applications to take advantage of it. Anjuna has developed a solution that eliminates the need to modify application code when implementing Confidential Computing, making it accessible to any organization. Anjuna has built on its expertise in cryptography to make Confidential Computing practical and user-friendly, similar to how VMware made virtualization easy to use.
The Anjuna Confidential Computing Platform helps enterprises create high-trust environments in the cloud where data is always encrypted and code is verified for authenticity. With Anjuna, workloads remain confidential and trusted during execution, allowing organizations to embrace the cloud and innovate without the threat of attackers or insiders accessing or altering code or data. Unlike other data security solutions, Confidential Computing is based on chip hardware, which provides substantially higher levels of trust, integrity, and security. Anjuna allows enterprises to leverage these properties through its platform to protect applications with minimal performance impact. Using Anjuna, enterprises can secure all aspects of data, memory, storage, networks, and cloud instantly, without needing to recode their applications. Additionally, Anjuna supports multi-cloud and hybrid environments and does not require specialized skills to deploy or run, making it flexible and easy to use.
Conclusion
Confidential Computing offers a promising solution for tech leaders looking to secure sensitive workloads in the cloud. With traditional security controls proving inadequate in protecting against data breaches, Confidential Computing addresses the vulnerability of data in use by isolating data and performing computations in a hardware-based TEE. Anjuna’s innovative approach not only reduces exposure to potential compromise but also makes it easier for organizations to secure their sensitive data without the need to modify application code. Companies that take advantage of this technology will be well-positioned to protect their assets, maintain compliance, and secure their business operations in a rapidly evolving digital landscape.
Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.
Start Free