Government agencies occupy a unique position when it comes to protecting data. Unlike private enterprises, which include proprietary ownership, profitability and competitive advantage in their goals, a government agency is responsible for safeguarding public safety and continuity. This mission relies heavily on securing the integrity of data; in other words, the stakes couldn’t be higher.
For government agencies, moving to the cloud transcends optimizing revenue and calculating cost versus risk. Lives and national security are on the line; nation-state adversaries are poised to detect and exploit vulnerabilities. International economic viability also depends on the impregnability of systems and sensitive data. And, as always, a government agency is responsible to the public for wise allocation of often limited funds.
Along those lines, the high cost of on-premises infrastructure is a major economic factor impelling government agencies to embrace the superior scale, economy, agility, and efficiency of the public cloud. For agencies, siloed data infrastructure and data sprawl often challenge smooth cloud migrations and also raise the issue of duplicated data that can send cloud costs spiraling.
But security is the most intense concern for public agencies when moving vital workloads across the cloud. Data migration can be a high-risk process with numerous vulnerabilities, including incomplete data migration, corrupt or missing files, accidents, phishing, malware, or ransomware.
Confidential computing is a new technology that takes on the persistent Hard Question of how to secure data in the public cloud. This hardware-based innovation is founded on a new architectural approach that isolates data and execution within a secure space on a system. It uses a section of the CPU as a sanctuary or enclave, relying on virtualization to create a Trusted Execution Environment (TEE).
Why does this approach solve the Hard Question? While data is usually encrypted at rest and in transit, it must also be protected while in use (being processed). Confidential computing does just that; it encrypts memory within the enclave with a key unique to the CPU and the application. Only at that location can data be decrypted.
This way, the data attack surface at the cloud provider level no longer offers access to a potential threat actor. Even should a threat actor gain root access to the system, they are still incapable of reading the data. And these controls extend across the entire landscape of data exposure, whether storage, over the network, or in multiple clouds. Data encryption and resource isolation protect all of the fundamental elements of IT—compute, storage, and communications.
Confidential computing enables:
Thus, Confidential Computing offers exclusive data control and hardware-grade minimizing of data risk by making protection inseparable from the data itself. Eliminating data vulnerability enables a new, secure hosted IT infrastructure founded on the secured public cloud.
Now, applications and even whole environments can work unmodified within the isolated private environment on public cloud infrastructure. The data owner is in exclusive control of the data anyplace it is stored, transmitted, or used. Thanks to the massive capabilities of today’s computer processors, a server can encompass up to 1 TB of enclave memory—enabling an entire application, database or transaction server to fit within the secure enclave.
Needless to say, the nation of Israel has a powerful interest in safeguarding its territory and citizens from nation-states and other would-be attackers. The country exemplifies many of the risks that all government sector agencies face in their mission of keeping national data secure and confidential. Besides defense, public agencies face a host of additional challenges in critical missions spanning establishing citizen identity, interdicting crime, overseeing compensation to government vendors, and more.
Israel’s MOD bears the responsibility of safeguarding the nation of Israel, including overseeing Israeli security forces and the Israeli Defense Forces (IDF). Before selecting Anjuna as its vendor, the MOD thoroughly studied and evaluated Anjuna Confidential Computing software. Using compute-intensive AI workloads, they tested Anjuna’s ability to secure against rogue or accidental insiders, third parties, criminal hackers, and nation-states.
Additionally, they verified that Anjuna was commercially available, capable of running across diverse cloud platforms, and able to simplify both migration of applications and overall administration.
The Anjuna Confidential Computing software provides a single, uniform encryption platform that protects data in all three states: storage, transit, and execution. That means agencies needn’t rely on diverse encryption schemes for each application and system, which causes complexity and potential confusion. Anjuna also eliminates the risk of exposing encryption keys during runtime by means of a consistent data perimeter.
Anjuna leverages powerful hardware-based, secure computing technologies to enable the Israeli MOD to utilize the public cloud as a trusted environment. Israel can now secure its sensitive data—without modification—across all applications, whatever their size or computational task. This includes state secrets, AI code, intelligence and security details, personally identifiable information (PII), financial information, and intellectual property. The trust of the MOD is a major leap forward for governmental agencies, demonstrating that they can now safely run their most sensitive workloads in the public cloud and benefit from the economies and efficiencies it offers.