Making AWS Nitro Enclaves easy for SaaS vendors with over 90% reduction in effort, cost, and time to market

Anjuna Making AWS Nitro Enclaves Easy for SaaS Vendors with over 90% reduction in effort, cost, and time to market
Ofir Azoulay-Rozanes
Ofir Azoulay-Rozanes
Director of Product Management
Published on
Jul 1, 2025
SaaS vendors are increasingly expected to safeguard customer data not just from external threats, but also from insider risks. Traditional software-based protections often fall short in meeting these rigorous security demands.
https://www.anjuna.io/blog/anjuna-making-aws-nitro-enclaves-easy-for-saas-vendors

Executive Summary

SaaS vendors are increasingly expected to safeguard customer data not just from external threats, but also from insider risks. Traditional software-based protections often fall short in meeting these rigorous security demands. Confidential Computing provides a hardware-based solution, offering strong data-in-use protection. However, deploying it—especially via AWS Nitro Enclaves—can be complex and require extensive application refactoring, particularly when Kubernetes (EKS) is involved.

Anjuna Seaglass simplifies the use of AWS Nitro Enclaves, enabling seamless deployment of workloads, including those on EKS, without requiring code changes or deep technical knowledge. This allows SaaS developers to focus on innovation and value delivery, while ensuring data remains protected—even from privileged insiders—thus reducing breach risk and liability.

Introduction

Cloud computing continues to evolve rapidly, but protecting data during processing remains a key challenge and regulatory requirement. Standards like PCI DSS, GDPR, and DORA emphasize the need for runtime data protection. With AI adoption rising and SaaS providers processing increasingly sensitive data, customers now demand stronger security guarantees to enable even more workloads to be outsourced. 

Another concern customers have when adopting a SaaS solution is the insider threat posed by malicious or compromised employees of the SaaS provider. Even if the system is fully protected against external attacks, an insider with administrative privileges to the server hosting customer workloads can still pose a serious risk. Such an individual does not need access to disk or network encryption keys—instead, they can potentially extract sensitive information simply by dumping the memory of a running process.

Recent breaches underscore these concerns:

SaaS enables the speed and scale that underpin innovation, but as these recent breaches prove that SaaS vendors must adopt stronger isolation mechanisms given the continued defeat of software controls, segmentation, and reliance on periodic risk assessment.

Confidential Computing: Strong Isolation Using Hardware

Confidential Computing addresses these challenges by enabling a hardware-backed isolated execution environment known as a Trusted Execution Environment (TEE) or Secure Enclave. In such environments, only the running application can access its memory in plaintext, protecting it from external attackers and internal threats alike.

AWS implements Confidential Computing through Nitro Enclaves, which isolate compute resources and protect sensitive workloads. This ensures that even privileged users cannot inspect the contents of the enclave’s memory. As a result, the SaaS vendor can process customers’ sensitive data within an Enclave, delivering value through its system while ensuring that no team member of the SaaS vendor can access the data, even with administrative privileges.

The Challenges of Using AWS Nitro Enclaves

While powerful, AWS Nitro Enclaves are notoriously complex to implement:

  • Re-architecture Required: Nitro Enclaves lack native support for networking and persistent storage, requiring developers to split applications into trusted/untrusted components and implement communication via VSOCK.
  • No Support for Binary-only Applications: Refactoring is only possible with access to source code. Binary-only applications can’t be re-architected for enclaves.
  • EKS Integration is Complex: Running enclaves in Kubernetes requires extensive changes to Pod specs, node configuration, and handling of lifecycle management, scaling, and monitoring.
  • Remote Attestation Complexity: Developers must learn to generate attestation quotes, integrate AWS KMS workflows, and modify apps to use decrypted secrets.
  • Performance Optimization Needed: Communication between EC2 and enclave via VSOCK can be a bottleneck, requiring custom tuning.

The outcome? Months of development and high costs, delaying time-to-market.

Figure 1 presents some of these complexities even for a basic application that does not require EKS support. When EKS is required, a DIY approach gets even more complex.

Figure 1. The steps needed to run a basic application in AWS Nitro Enclaves. Extending this to Kubernetes applications increases complexity significantly.

Anjuna Seaglass: Frictionless Nitro Enclaves Deployment

Anjuna simplifies Nitro Enclaves through its Seaglass platform, enabling rapid deployment without modifying source code or application architecture.

  • No Re-architecture Needed: Anjuna’s runtime allows any container to run in an enclave with networking and persistent storage support while maintaining strong memory isolation.
  • Binary-Only Application Support: No source code? No problem. Anjuna can run compiled binaries as-is within enclaves.
  • Seamless EKS Integration: Mark a Pod as Confidential in the spec, and Anjuna manages all enclave lifecycle tasks transparently.
  • Simplified Remote Attestation: Declare secrets needed in a config file; Anjuna handles attestation and KMS integration automatically.
  • Optimized Performance: Anjuna has built-in performance enhancements for running workloads inside Nitro Enclaves.

Figure 2 shows how easy it is to take an application inside a Nitro Enclave with Anjuna.

Figure 2

Accelerate Time-to-Market

With Anjuna, deployment times shrink from months to hours (for containers) or days (for EKS). Figure 3 compares the manual and Anjuna-accelerated development timelines for a complex application.

Figure 3. Development comparison for a complex application

Conclusion

Anjuna enables SaaS vendors to confidently secure sensitive workloads using AWS Nitro Enclaves without the traditional complexity. This drastically reduces implementation effort—by over 90%—and accelerates product delivery.

Ready to secure your SaaS workloads with minimal effort and maximum impact?

Start your free trial with Anjuna today. You can get up and running in minutes. This quick guide shows you how.

More like this
Enabling Confidential Red Hat OpenShift Workloads with Anjuna Seaglass on Google Cloud
Enabling Confidential Red Hat OpenShift Workloads with Anjuna Seaglass on Google Cloud
When the People’s Car Data Becomes the Attackers’ Car Data: Anatomy of a Data-in-Use Attack and How to Mitigate it
When the People’s Car Data Becomes the Attackers’ Car Data: Anatomy of a Data-in-Use Attack and How to Mitigate it
Confidential Computing Wrapped: Your Industry Update As We Enter 2025
Confidential Computing Wrapped: Your Industry Update As We Enter 2025
Get Started Free with Anjuna Seaglass

Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.

Start Free
AWS Nitro Enclaves
Anjuna Platform and Features