In my last post, I talked about how and why we formed the company. I discussed how we came face-to-face with the computing flaw at the heart of virtually every modern data breach, and we introduced the new features within modern CPUs that resolve that flaw. Since that post, Google has announced that it will also support secure enclaves, expanding industry support for this technology.
Now I want to talk about the opportunity this new secure enclave technology presents to you as a security professional. In the process, I hope you’ll get a clearer idea of our vision—where true data security allows enterprises to go and what this might enable for them.
Today, users who have either physical or electronic access to a machine implicitly gain access to data. Like a modern Willie Sutton, hackers target specific computers because that’s where the data is. If they can access the computer, they can get to memory and expose the data they want to steal.
With the arrival of secure enclave technology, that vulnerable connection between machine access and data no longer exists. All data, including code, is encrypted within the enclave and rendered unaddressable by other machine processes or users. For all intents and purposes, the data is untethered from the device—it is only visible within the context of the enclave.
The implications are significant:
Data is secure everywhere it is used. With this level of isolation, data gets the same hardware-grade protection on premises, in the cloud, in hostile and untrusted environments—everywhere. Azure, Baidu, Alibaba and other services already support enclave technologies. That means if you need to operate in untrusted environments, you can do so without the risk of losing data.
Bad actors can’t see or use secured data. Enclave technologies create something like a cloaking device around data. No one can see that data—even if they gain physical access to a machine, or the operating system or container is compromised. Hardware-grade encryption means that even if someone manages to get hold of the data, they can’t actually see it.
Operations insiders are no longer exposed to data—ever. That’s because they’re cryptographically isolated from the data. As a result, compliance is simplified, since enclave data protections provably assure that they can’t see sensitive protected data. Today, insiders are overexposed to data, because they gain physical or root access to the machines they manage. They don’t necessarily want data access, but they’re assumed to have it. This overexposure puts the organization at significant risk. Not all insider breaches are malicious—some happen accidentally, for example when a server is exposed via compromised credentials—but they do happen regularly.
High security becomes baked into the infrastructure. Normally, strong security protections imply high operational friction. But with secure enclaves, operations staff work without data exposure risk. Organizations such as hosted service providers can actually prove as much to auditors—virtually eliminating liability.
All data and applications can be protected by default. Protecting data is a good thing. But protecting only important data reveals which data is important and where hackers should focus. Isolating and encrypting all data, similar to what was achieved with the introduction of TLS, improves overall security posture by not signaling to bad actors which data is important.
Software-based security becomes redundant. Storage encryption, privileged access management, and other layered security solutions become unnecessary or greatly simplified. With the risk of data exposure eliminated, security processes intended to shield IT staff can be virtually eliminated as well.
Data security becomes an implicit and transparent service of the infrastructure, not a software service layered on top of it. This greatly simplifies IT and even application development efforts. Once data security is assumed, there’s no longer a need to code security into the application, or add a software security layer on top. You’ll get more secure software out faster.
It enables a zero-trust hardware foundation. Zero trust is a great idea, but when implemented in software, it falls prey to the same memory and security weaknesses as all software. Enclave technology itself implements zero trust by isolating data, allowing only explicitly governed access, and providing continuous oversight of use. This enables IT to create a zero-trust foundation that secures the data used by higher-level zero-trust solutions. More importantly, it creates a root from which all software can be verified, trusted and uniquely identified.
Enclaves help close the data-in-use exposure gap in existing security software. Security software will always still be software. Software keys normally exposed in memory can be secured within an enclave, where they cannot be accessed. Some vendors, including Anjuna, are working with companies like Redis, HashiCorp, and Microsoft to create highly secure versions of their popular software and services.
Potential mass mitigation of vulnerabilities. Most companies have hundreds of thousands of vulnerabilities that increase their cyber risk. Enclaves establish a tight and impenetrable hardware-grade secure perimeter around data that renders most host, operating system, and network vulnerabilities irrelevant. With application and data enclaving, there is less of a need to care about or patch infrastructure vulnerabilities in order to protect the data itself.
Cybersecurity will look very different a few years from now due to this technology. While it’s hard to imagine all the impacts enclave technology will have, we do know there’s a substantial opportunity for IT professionals to greatly improve their business security posture. Without public key infrastructure, which was the last big technology shift, you wouldn’t have security on the Internet, and thus companies like Amazon wouldn’t exist.
What will enclaves enable? This points to an exciting future where the world no longer needs to think about data security—where data breaches are no longer an eventuality but a vague memory. It also opens up a host of new business opportunities and advantages that will take enterprises where they’ve never been before. Subscribe to our blog and check our website regularly. The future is approaching at warp speed.