Enabling Confidential Red Hat OpenShift Workloads with Anjuna Seaglass on Google Cloud

Ofir Azoulay-Rozanes
Director of Product Management
Published on
Mar 11, 2025
https://www.anjuna.io/blog/enabling-confidential-red-hat-openshift-workloads-with-anjuna-seaglass-on-google-cloud

For years, enterprises, government agencies, and SaaS providers have faced significant challenges in isolating, securing, and managing regulated data. The ongoing arms race to patch software vulnerabilities has proven ineffective, driving up costs and complexity without addressing the root problem: unauthorized access to sensitive data and code, and the manipulation of applications during processing by malicious actors. As a result, cloud projects, AI initiatives, and applications handling sensitive data are often stalled or restricted due to security and control concerns, slowing business innovation and growth.

Fortunately, a revolutionary hardware-based approach now addresses cyberattack risks at their core, providing immediate protection while ensuring full trust and control. Confidential computing enhances data security by encrypting information even during processing, shielding it from hackers, insiders, and cloud providers. This approach builds trust, ensures compliance with regulations like GDPR and HIPAA, and reduces legal exposure. Additionally, it facilitates secure data sharing and collaboration, unlocking new opportunities in AI, finance, and healthcare. By protecting sensitive data, businesses can drive innovation while mitigating security threats.

Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes, provides a trusted, comprehensive and consistent platform for developing, modernizing and operating applications at scale, including those powered by AI. Offering a robust suite of services, it enables organizations to drive innovation faster and deploy applications on the infrastructure that best suits their needs.

As more leading enterprises choose Red Hat OpenShift as their primary orchestration platform, the demand for more seamless integration of Confidential Computing within this environment continues to rise.

Anjuna Seaglass has been at the forefront of integrating Confidential Computing with container orchestration, starting with support for AWS Elastic Kubernetes Service (EKS) and Microsoft Azure Kubernetes Service (AKS). 

We are thrilled to expand this capability with Google Cloud’s Confidential Computing technology, and announce the general availability for running Confidential Pods on Red Hat OpenShift on Google Cloud.

Protecting the data of your most sensitive Pods

When your application running in Red Hat OpenShift handles sensitive data, safeguarding it against malicious attacks is critical—whether the threat comes from a hypervisor administrator, an internal administrator or a newly discovered vulnerability that exposes a backdoor.

For a Pod managing sensitive data, encryption can protect the data when written to disk or transmitted over the network. However, data remains unencrypted while in use—in memory. This creates a vulnerability where an attacker with access to the node could dump the Pod’s memory and access its sensitive data.

The Anjuna Seaglass solution for Red Hat OpenShift allows Pods handling sensitive data to run inside a protected Trusted Execution Environment (TEE). This means that even individuals or software with administrative access to the Red Hat OpenShift node cannot access the data or code within a Confidential Pod. Furthermore, Anjuna Confidential Pods are shielded from direct access via Secure Shell (SSH) or exec commands, providing an additional layer of defense. This robust approach helps prevent potential exploits and offers more comprehensive protection for sensitive resources.

Harnessing the Power of Remote Attestation

Running sensitive Pods also carries the risk of exposing their initial secrets when those secrets are baked into the image or supplied as Kubernetes Secrets, which are stored in etcd. These secrets—such as database credentials or server TLS certificates—are what a Pod needs in order to connect to other sensitive systems. A malicious human or piece of software with cluster-admin privileges, or with read access to the node, can retrieve these initial secrets and potentially use them to reach highly sensitive data.

When a workload runs within a TEE, it can generate an attestation quote, providing hardware-backed assurance of two critical aspects:

  1. Verification that the workload is executing within a TEE.
  2. Measurement of the software running inside the TEE.

These elements allow a remote client or server to validate that the workload is securely running in a TEE with the expected software version before granting it access to sensitive data.

Anjuna Confidential Pods use remote attestation to close this gap. Secrets are delivered only to a Pod that is operating in a TEE and running a trusted version of the software. Unlike traditional Kubernetes methods, where cluster administrators can access secrets, remote attestation ensures that only the Confidential Pod itself can access its assigned secrets. Additionally, each Confidential Pod operates within an isolated TEE, ensuring that secrets remain exclusive to the specific Pod they are intended for.

A key feature of Anjuna Seaglass is the Anjuna Policy Manager, an attestation-aware secrets store. This tool ensures that secrets are delivered solely to trusted Confidential Pods based on their unique software measurements, providing unparalleled security for sensitive resources.
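To make the attestation-gated secret flow described above concrete, here is a small Python simulation. It is an added example, not Anjuna's code and not a description of how the Anjuna Policy Manager is implemented. The TEE type, the platform signing key, the image bytes, the policy and the secret values are all constructed stand-ins; a real quote is signed by a hardware key and verified against the vendor's certificate chain, and this mock replaces that with an HMAC so it runs offline. What it does show is the ordering of checks a verifier needs: signature first, then that the evidence comes from an accepted TEE, then nonce freshness, then the software measurement against the policy, and only then the secret.

```python
import hashlib
import hmac
import json
import secrets


# Constructed stand-in for the hardware attestation signing key. A real quote is signed by a
# platform key and verified against the TEE vendor's certificate chain; the HMAC here only
# lets the example run offline and is not how any real platform works.
_PLATFORM_KEY = b"constructed-platform-key-not-real"

# Constructed TEE type name; a real verifier would accept specific hardware TEE families.
ACCEPTED_TEE_TYPES = {"constructed-tee"}

# Constructed Pod image contents used to derive a measurement.
TRUSTED_IMAGE = b"constructed pod image v1"


class AttestationError(Exception):
    """Raised when evidence does not verify or the measurement is not trusted."""


def measure_image(image_bytes: bytes) -> str:
    """Software measurement: a digest of the code/image launched inside the TEE."""
    return hashlib.sha256(image_bytes).hexdigest()


def issue_quote(tee_type: str, image_bytes: bytes, nonce: str) -> dict:
    """Simulates the TEE producing a quote binding (tee_type, measurement, nonce)."""
    body = {"tee_type": tee_type, "measurement": measure_image(image_bytes), "nonce": nonce}
    canonical = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(_PLATFORM_KEY, canonical, hashlib.sha256).hexdigest()}


class AttestationAwareSecretStore:
    """Releases a secret only to a workload whose quote verifies and whose
    measurement is on the policy allowlist (a toy model of the idea in the text)."""

    def __init__(self, policy: dict):
        # policy maps an expected measurement to the secrets that measurement may receive
        self._policy = policy
        self._outstanding_nonces = set()

    def challenge(self) -> str:
        """Hand the workload a fresh nonce so a quote cannot be replayed later."""
        nonce = secrets.token_hex(16)
        self._outstanding_nonces.add(nonce)
        return nonce

    def release(self, quote: dict, secret_name: str) -> str:
        body = quote.get("body", {})
        canonical = json.dumps(body, sort_keys=True).encode()
        expected_sig = hmac.new(_PLATFORM_KEY, canonical, hashlib.sha256).hexdigest()
        # 1. evidence must really come from the platform (body edited after signing fails here)
        if not hmac.compare_digest(expected_sig, quote.get("sig", "")):
            raise AttestationError("quote signature invalid: not produced by the platform")
        # 2. the workload must be executing inside an accepted TEE
        if body.get("tee_type") not in ACCEPTED_TEE_TYPES:
            raise AttestationError("workload is not running inside an accepted TEE")
        # 3. the nonce must be one we issued and not yet consumed (one-shot, so replays fail)
        nonce = body.get("nonce")
        if nonce not in self._outstanding_nonces:
            raise AttestationError("stale or unknown nonce: possible replay")
        self._outstanding_nonces.discard(nonce)
        # 4. the measured software must be a version the policy trusts
        allowed = self._policy.get(body.get("measurement"))
        if allowed is None:
            raise AttestationError("measurement not in policy: untrusted software version")
        if secret_name not in allowed:
            raise AttestationError("secret not assigned to this measurement")
        return allowed[secret_name]


def run_demo() -> dict:
    """Exercise the store with a trusted Pod and three failure cases; returns the outcomes."""
    store = AttestationAwareSecretStore(
        {measure_image(TRUSTED_IMAGE): {"db-password": "constructed-secret-value"}}
    )
    results = {}

    def attempt(label, quote):
        try:
            results[label] = store.release(quote, "db-password")
        except AttestationError as err:
            results[label] = "refused: " + str(err)

    good_quote = issue_quote("constructed-tee", TRUSTED_IMAGE, store.challenge())
    attempt("trusted", good_quote)          # released
    attempt("replay", good_quote)           # same quote again: nonce already consumed
    attempt("tampered", issue_quote("constructed-tee", b"modified image", store.challenge()))
    forged = issue_quote("constructed-tee", b"modified image", store.challenge())
    forged["body"]["measurement"] = measure_image(TRUSTED_IMAGE)  # edit after signing
    attempt("forged", forged)
    attempt("outside_tee", issue_quote("plain-vm", TRUSTED_IMAGE, store.challenge()))
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The check order is deliberate: the signature is verified before anything in the body is trusted, and the nonce is consumed before the policy lookup so that even a quote that later fails the measurement check cannot be retried. Swapping the HMAC for real hardware evidence changes step 1 only; the freshness and measurement-policy logic is the same.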

Certified by Red Hat

One key advantage of using Red Hat OpenShift as a container orchestrator is the support provided by Red Hat. For the best experience, Red Hat recommends that its customers deploy only certified solutions within their Red Hat OpenShift clusters.

The Anjuna Seaglass Toolset for Red Hat OpenShift is a Red Hat-certified solution, available as a Red Hat OpenShift Operator through Red Hat’s Operator Hub.

This enables more seamless integration for users to configure an existing Red Hat OpenShift cluster to deploy Confidential Pods.

Insights & Support from Our Partners

“Confidential Computing is a breakthrough technology that enables users to encrypt their data not only while at rest and in transit, but also while it’s being processed. We’re excited to collaborate with organizations like Anjuna to enable more customers to securely run sensitive workloads on Google Cloud’s Confidential Computing infrastructure. Red Hat OpenShift users on Google Cloud can now benefit from enhanced protection against malicious insiders—whether human or malware—ensuring greater data security and trust.” - Joanna Young, Senior Product Manager, Google
“As the average enterprise IT landscape continues to grow in complexity, keeping data and applications secure is a primary concern for organizations. Today, Red Hat OpenShift can be deployed in confidential virtual machines in Google Cloud. This provides a cluster-wide trust boundary. By collaborating with Anjuna, Red Hat OpenShift on Google Cloud users can now narrow the trust boundary to the Pod and more easily leverage Anjuna’s Confidential Computing capabilities, enabling them to benefit from an additional layer of defense when it comes to protecting sensitive workloads.” - Kirsten Newcomer, Senior Director, Red Hat OpenShift and Security Product Management, Red Hat

With the introduction of support for running Confidential Pods on Red Hat OpenShift on Google Cloud, Anjuna continues to lead the way in delivering Confidential Computing solutions across diverse cloud platforms, on-premises environments, a variety of Confidential Computing technologies, and multiple runtime environments.

Our next focus will be on extending support for launching Confidential Pods on Red Hat OpenShift deployments running on-premises and across other cloud service providers.

Ready to explore our universal platform? Sign up for the Anjuna Seaglass free trial today!
