Regulations Mandating Data In Memory Protection Are On the Rise

Industry Security Agency, CISA
Mark Bower
VP Product, Anjuna
Published on
May 25, 2023
"Data in memory security" is a phrase that is increasingly appearing in new regulations and cloud computing security guidance worldwide.

"Data in memory security" is a phrase that is increasingly appearing in new regulations and cloud computing security guidance worldwide. In the United States, the top industry security agency, CISA, recommends techniques to protect data in memory in critical 5G infrastructure, where memory is vulnerable to attacks. In the European Union, the European Banking Authority (EBA), the top-level banking regulator, recently published guidance for outsourcing, including cloud services, and specifically emphasizes the need for "data in memory" protection to ensure data processing resilience. In the United Kingdom, the EBA guidance aligns with the Prudential Regulatory Authority's guidance for the financial services industry, which covers agents, banks, insurers, clearinghouses, and other entities, highlighting the importance of robust "data in memory" protection measures that are being enforced. Further jurisdictions like Singapore, through its regulator MAS, also impose requirements on businesses to safeguard sensitive data in memory. This emerging trend is gaining momentum, raising the question of why it is happening and what organizations can do to protect data in memory, with Confidential Computing being at the forefront of the recommended technologies.

The reason behind this regulatory shift is grounded in the risks associated with data in memory processing, the increasing reliance on outsourced (cloud) computing across all industries, and the need to ensure resilience of critical infrastructure operations. Traditionally, data protection has focused on securing data at rest and data in transit to prevent unauthorized access to memory sticks, drives, email, files, server storage, databases, and cloud storage. It goes without saying that storing or transmitting unencrypted data would instantly expose it to theft.

Working memory (RAM) has, unfortunately, lacked sufficient protection due to the inherent challenge of simultaneously encrypting data while allowing it to be readable by the CPU. In order for data to be processed or accessed by the CPU, it must be decrypted, which leaves it vulnerable in cleartext. Despite the awareness of these risks for some time, they have become particularly prevalent in the past decade, especially in the context of e-commerce credit card processing. Malware has been able to rapidly steal cardholder data as soon as it enters memory, causing significant concerns for Chief Information Security Officers (CISOs) in the retail and payment industry.

It is important to note that the risks associated with working memory extend beyond credit card data and encompass all code and data residing in memory. In modern cloud applications, an attacker with sufficient privileges to the infrastructure can extract memory contents, giving them access to a wide array of sensitive information, including keys, secrets, code, Personally Identifiable Information (PII), policy controls, and more. This comprehensive access opens the door to a multitude of potential attacks. Software-based solutions or tokenization of data in memory are insufficient in effectively addressing this issue. Even if data is tokenized or protected within software, the keys or token tables are often stored in memory and can be extracted for future unauthorized access to the data. Without robust hardware controls, such as those provided by secure enclaves, both software and memory remain vulnerable to manipulation and exploitation.

Adding to the complexity, numerous leading businesses are now shifting more workloads, Artificial Intelligence (AI), data lakes, and other applications to run primarily in memory to leverage its exceptional speed. While this transition can yield positive outcomes such as improved customer experiences, business agility, and personalized digital engagement to meet the demands of discerning consumers, it also introduces new risks that regulatory bodies are actively monitoring.

Here are several scenarios that highlight the risks associated with data in memory:

  • CISA has provided valuable guidance on risk reduction to ensure the overall security of the nation. In a recent report, CISA documented a red team attack on a large enterprise and highlighted memory attacks as a method to retrieve keys. By exploiting credentials stored in memory, the red team accessed multiple systems without triggering any alarms. This pattern is commonly observed: stealing credentials from memory, masquerading as privileged administrators, and ultimately gaining access to sensitive data and code. “The server administrator relied on a password manager, which stored credentials in a database file. The red team pulled the decryption key from memory using KeeThief and used it to unlock the database [T1555.005].“
  • The White House has issued guidance related to enhancing resilience in the nation's software supply chain. Hardware-based techniques, such as Confidential Computing and its Trusted Execution Environments (TEE), can play a vital role in addressing this issue by ensuring that only trusted code runs on trusted hardware with memory protection. This concept, known as attestation, mitigates the risk of unauthorized or tampered code infiltrating critical software supply chains, as was the case in the SolarWinds breach.
  • The NSA recently published guidance on transitioning to memory-safe programming languages. While this recommendation primarily aims to address vulnerabilities associated with languages like C and C++, where memory overflow and pointer errors are common vectors of exploitation, the ultimate solution lies in isolating memory through hardware-based protections. By confining memory-related issues within a secure hardware boundary, the risks can be effectively contained. It is clear that the NSA recognizes the risks associated with memory.
  • In the energy sector and embedded edge systems, nation-state attackers leverage specific malware, such as TRITON, to modify firmware and gain access to running memory. CISA has also recently documented such incidents, noting that TRITON malware modifies in-memory firmware in Triconex Tricon PLCs, enabling attackers to read, modify, and execute custom code while disabling the safety system. Memory attacks are not limited to enterprises but can occur across various sectors.
  • Within every enterprise, when applications crash and Linux memory core dumps occur, they often contain a wealth of sensitive data. This can include API credentials used to access critical devices such as Cryptographic Hardware Security Module (HSM) APIs, short-lived keys utilized for transaction signing or data encryption, personally identifiable information (PII), and other sensitive data that passes through the system's memory. While core dumps serve an important purpose in diagnosing issues, they also present a significant risk (e.g., MITRE attack T1103) if they end up in the wrong hands. Alarmingly, generating a memory dump file is a straightforward process, and attackers can invoke simple Linux commands like "gcore" to capture the contents of memory, thereby exposing the sensitive code and data that were previously stored in memory.

So, how can enterprises stay ahead of the growing regulatory pressure and effectively mitigate these risks? I recently came across the UK Government's National Cyber Security Centre (NCSC), and they have caught my attention with their focus on data in memory protection and comprehensive guidance.

I highly recommend reviewing the NCSC’s Cloud Security Guidance. It's a great read that thoroughly discusses the risks, mitigations, and specifically highlights the benefits of Confidential Computing for ensuring integrity, confidentiality, and data in memory protection.

Below, I have quoted some sections that caught my attention and directly address the vulnerabilities we've been discussing. The NCSC, similar to CISA in the US, serves as the UK Government's National Cyber Security Center and offers invaluable advice on dealing with modern cyber threats. Their guidance on protecting data in the cloud or on outsourced service providers' platforms is worth noting:

"Encryption of all data in an application

The service provider may implement data encryption inside an application such as a database. Data should be encrypted using well-configured, appropriate algorithms and assessed against standards, as described above.

Relying on application-level encryption usually leaves traces of unencrypted data when the data is accessed or processed, such as in memory pages and application logs. Any application-level encryption should be combined with physical media encryption.

Encryption of data in memory

The service provider may use hardware that encrypts the memory of a virtual machine, or service, while it is running. For more information, see Confidential computing. This technique is most valuable in cases where you have been unable to gain sufficient confidence in a service provider’s physical security, or their associated operational procedures and governance. The benefits and use cases of such hardware-backed enclaves are discussed in our separation guidance." 1

The NCSC also provides an excellent summary of the benefits of Confidential Computing. I highly encourage readers to explore the provided links, but here's a snippet to give you an idea:

"Confidential computing

Cloud platforms built on supporting hardware can apply defence-in-depth measures to a customer’s service running in the cloud. Some will reduce the attack surface area, others will mitigate specific attacks.

Depending on the service you are using, implementations will be designed to either apply additional defenses to an entire virtual machine, or a secure enclave within a virtual machine that can only be accessed using tightly defined interfaces.

The benefits of services described as implementing enclaves or confidential compute can include:

  • securely decrypting data in an isolated environment by closely integrating with key management services and using the hypervisor as a root of trust
  • heavily reducing the attack surface of an application by removing unnecessary functionality, such as device drivers
  • increasing isolation between a workload and its compromised host machine
  • increasing isolation between a workload and a malicious administrator logged into its host machine
  • verifying that your workload is running on a specific type of server with a known hardware profile, including whether it is hosted by a specific cloud provider
  • verifying the integrity of the underlying hardware and its firmware
  • verifying that a workload has not changed from a known-good baseline
  • enforcing a code signing policy so that only code that you have authorised and signed can run
  • encrypting all of the memory used by your workload inside the host’s processor, so that it cannot be accessed by the hypervisor, or an administrator that has physical or programmatic access to the hypervisor
  • implementing a virtual hardware security module (such as a virtual TPM) that is cryptographically bound to the workload, and can generate and store keys, secrets and boot measurements in a way that is not accessible by the hypervisor
  • attesting any of the above to a remote service" 2

Great advice and benefits indeed! NCSC, however, also cautions that implementing Confidential Computing to reap these benefits can be complex and challenging. According to the NCSC, it may be necessary to develop a bespoke application to fully leverage the advantages of Confidential Computing. They recommend considering the extra complexity and ensuring it aligns with your specific threat model and application requirements.

Fortunately, a solution like Anjuna Confidential Computing Platform addresses these challenges head-on, making Confidential Computing accessible and scalable. With just a simple command line, you can instantly deploy your application in a confidential computing environment in the cloud, enjoying features such as memory protection, integrity, attestation, trust, and high performance. The best part is that with Anjuna, you don't need to modify your application to benefit from Confidential Computing technology.

If you're a CIO or CISO and your teams are concerned about the noted attacks or the growing regulatory pressure to safeguard data in memory, fret no more. Anjuna effectively addresses these challenges with a remarkably simple process. By embracing confidential computing, you can significantly reduce risk while confidently harnessing the power of the cloud to process even the most highly regulated, high-liability, and highly sensitive code and data.

[#references]To learn more about Anjuna and its capabilities, consider the following options:[#references]

  1. NCSC - Asset protection and resilience
  2. NCSC - Technically enforced separation in the cloud
More like this
Get Started Free with Anjuna Seaglass

Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.

Start Free