How We Do It
Below are some frequently asked questions about Anjuna and runtime security for applications.
1. What is Anjuna Runtime Security?
Anjuna Runtime Security is software that uses CPU technologies including Intel® SGX to protect applications at runtime. Anjuna Runtime Security creates a trusted execution environment enabling enterprises to deploy any application securely in public and remote clouds. Anjuna Runtime Security requires no code modifications and integrates with existing DevOps processes. It removes the need to secure or patch the host, VM or container.
2. What is Intel® SGX? What are some of the use cases for Intel® SGX?
Intel® Software Guard Extensions (SGX) are extensions to the x86 architecture that allow applications to run in a completely isolated secure enclave. The application inside an SGX secure enclave is isolated from other applications running on the same system as well as from the host operating system and hypervisor. The secure enclave’s memory is encrypted to thwart physical attacks. Intel® SGX stores persistent data securely so that only the secure enclave can read it. SGX allows for remote attestation so you can prove to other parties that the application is running in a secure enclave.
3. What does Anjuna deliver on top of Intel® SGX?
Intel® Software Guard Extensions (SGX) are a set of features implemented in Intel® CPU hardware. Unlocking those features requires a software solution. Anjuna Runtime Security is software that unlocks and leverages the security richness provided by Intel® SGX. Anjuna Runtime Security allows any server application to run unchanged, and the remote attestation provided by Anjuna Runtime Security ensures that your application runs only on the host to which you assign it.
4. How does Intel® SGX work?
Intel® SGX uses memory isolation built into the processor combined with strong cryptography. The processor tracks which portions of memory belong to which secure enclave, and ensures that each enclave's memory can be accessed only by that enclave.
5. Does Intel SGX require special hardware?
Processors supporting Intel SGX have been shipping since 2015. A list of hardware supporting SGX is available here and a list of processors supporting SGX can be found here.
6. Is infrastructure supporting Intel® SGX available from infrastructure as a service (IaaS) cloud service providers?
Processors supporting Intel® SGX have been shipping since 2015. The major cloud providers are in various stages of deploying infrastructure supporting Intel® SGX or similar features. Azure recently announced its Confidential Computing initiative to make SGX-capable infrastructure available to customers.
7. Why do enterprises deploy Anjuna Runtime Security rather than developing their own support for secure enclave technology?
Secure enclave technologies such as Intel® Software Guard Extensions (Intel® SGX) and AMD Secure Encrypted Virtualization (SEV) technology provide essential building blocks for creating a trusted execution environment (TEE). Re-architecting an application to support a TEE can be time-consuming and complex, requiring specialized hardware and software knowledge. Anjuna Runtime Security provides a comprehensive, transparent, and manageable approach to TEEs and allows enterprises to focus on their core competencies. Anjuna enables existing applications to transparently run inside of TEEs from the major hardware providers, and remotely attests the integrity of the environment to validate that the expected code is running in the expected target environment.
8. What is data-in-use?
Data-in-use refers to the data stored in memory during application runtime. While encryption protects data-at-rest stored on disk, and TLS/SSL protects data-in-motion while in transit, data-in-use is typically clear text. If such data is compromised, it can provide the encryption keys for data-at-rest or TLS/SSL certificates for data-in-motion.
9. What is a trusted execution environment (TEE)?
A TEE is a secure area of a processor. TEEs help to defend against attacks targeting underlying layers of the information technology stack below the application, including the operating system, hypervisor, drivers, and firmware, by providing specialized execution environments known as “enclaves” or “secure enclaves”. TEEs also address the risk of applications and data being compromised by a malicious insider or an unauthorized third party.
10. What is remote attestation?
Remote attestation is a method by which a server authenticates its hardware and software configuration to a remote client. The objective of remote attestation is to enable one system (the verifier) to establish the integrity and confidentiality of another, remote system. Anjuna Runtime Security provides remote attestation so that your workload provably runs only in the secure environment that you designate.
11. What is Asylo and how does it relate to Anjuna Runtime Security?
Asylo is an open-source framework and software development kit (SDK) announced by Google for developing applications that run in trusted execution environments (TEEs). Asylo signals the importance of ensuring runtime security for applications and dovetails with Anjuna’s approach in ensuring runtime application security. Anjuna provides a complete solution for enterprises to run and manage existing and new applications in TEEs while Asylo provides a toolkit to application developers to consider for future application development.