Protecting Sensitive Workloads and Key Material with Confidential Computing: Lessons from the Reported Oracle Breach

Protecting Sensitive Workloads and Key Material with Confidential Computing: Lessons from the Reported Oracle Breach
Mark Bower
Mark Bower
VP Product, Anjuna
Published on
Mar 28, 2025
Recent reports suggest that Oracle has suffered a breach involving authentication data related to SSO systems and compromise of Java Key Store (JKS) material, a critical security concern given that such key material is foundational for securing applications and sensitive data.
https://www.anjuna.io/blog/protecting-sensitive-workloads-and-key-material-with-confidential-computing-lessons-from-the-reported-oracle-breach

Introduction

Recent reports suggest that Oracle has suffered a breach involving authentication data related to SSO systems and compromise of Java Key Store (JKS) material, a critical security concern given that such key material is foundational for securing applications and sensitive data. This reported incident highlights the urgent need for stronger protection mechanisms, particularly through Confidential Computing and attestation to prevent unauthorized access to sensitive cryptographic assets and ensure tenant workloads are isolated from bad actors to neutralize sensitive code and data when attacks happen.

The Risk and Exposure

Besides the reported stolen hashed passwords which, if secured properly, should be resistant to brute force, the Java Key Store (JKS) files are another matter entirely and contain private keys, certificates, and other cryptographic secrets essential for application security. If compromised, attackers can use these keys and secrets to decrypt sensitive information, move laterally, impersonate trusted systems, or manipulate software integrity. The risk is exacerbated by the fact that such key material often resides in files AND traditional memory during use, making it vulnerable to theft through file theft as well as memory scraping, insider threats, and advanced malware attacks.

How Confidential Computing Mitigates the Risk

Confidential Computing is a security paradigm designed to protect data in use by leveraging Trusted Execution Environments (TEEs). These TEEs ensure that sensitive computations occur in an isolated, hardware-protected environment, shielding them from unauthorized access—even if the underlying system is compromised.

By utilizing Confidential Computing, organizations can:

  1. Ensure In-Memory Protection: Prevent key material from being exposed to untrusted memory spaces.
  2. Limit Insider Threats: Restrict access to cryptographic material even from privileged administrators or attackers with root access.
  3. Enhance Data Integrity: Secure applications against tampering and unauthorized code injection.
  4. Ensure that there is no exposure of secrets in files or other mechanisms, like environment variables, using a mechanism called Attestation to prove trust, and enable secure injection of secrets. Doing so means attackers can never get their hands on cleartext tokens, secrets, API keys certs and passwords - as exposed in the reported attack here.

The Role of Attestation in Secure Key Injection

A key component of Confidential Computing is attestation—a process that verifies the integrity and security posture of a TEE before injecting sensitive data, such as cryptographic keys. Through attestation, organizations can ensure that key material is only provisioned to an environment that meets predefined security policies, effectively mitigating the risk of unauthorized access. This ensures:

  • Only trusted code running within a verified TEE receives cryptographic material.
  • Secure boot and runtime integrity checks confirm the environment’s compliance.
  • Protection against unauthorized key exfiltration, even in the event of a system breach.

Making this trivially simple

Confidential computing can be traditionally hard to get right, especially attestation. Anyone that's tried to do this themselves often finds the complexity high, which is counterproductive to speed and agility. Anjuna Seaglass was built to address this and get workloads up and running in widely available confidential computing infrastructure in a few clicks and commands. If you’d like to try it, you can do so here. Think of it as slipping on new digital armor to workloads, AI models, sensitive code, data and systems to protect data in use using hardware-assisted methods that don’t impact performance. It’s designed to thwart even the toughest adversaries who routinely exploit software vulns to search and destroy.

Conclusion

The reported Oracle breach underscores the critical importance of protecting cryptographic assets and modern cloud workloads from exposure. Confidential Computing, coupled with attestation, provides a robust solution by ensuring that code, data and key material is only accessible within a secure, verifiable environment. As threats continue to evolve, organizations must prioritize these modern security mechanisms to safeguard their most sensitive data and maintain trust in their applications.

By integrating Confidential Computing, enterprises can not only mitigate the risk of key exposure but also establish a resilient defense against future cyber threats - and make privacy and data security compliance a lot simpler too for a triple win.

More like this
When the People’s Car Data Becomes the Attackers’ Car Data: Anatomy of a Data-in-Use Attack and How to Mitigate it
When the People’s Car Data Becomes the Attackers’ Car Data: Anatomy of a Data-in-Use Attack and How to Mitigate it
Apple is using Secure Enclaves to ensure AI privacy. Why aren’t you?
Apple is using Secure Enclaves to ensure AI privacy. Why aren’t you?
Hardening HashiCorp Vault the Easy Way with Anjuna Seaglass
Hardening HashiCorp Vault the Easy Way with Confidential Computing
Get Started Free with Anjuna Seaglass

Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.

Start Free
Industry Events
Attacks and Vulnerabilities
Secrets Protection