Frequently Asked Questions

Here are a few frequently asked questions about Anjuna and secure enclaves.

What are Anjuna Enterprise Enclaves?

Anjuna Enterprise Enclaves are a software solution that leverages CPU features, such as Intel® SGX and AMD SEV, to protect applications with hardware-level memory encryption and isolation. Anjuna Enterprise Enclaves create a trusted execution environment (TEE), enabling enterprises to run any application inside a hardware-isolated enclave anywhere: locally, or in public and remote clouds. Anjuna software enables hardware-based enclaves by providing full-stack protection for data and applications, as well as enterprise-class deployment and management functionality. Anjuna Enterprise Enclaves secure applications in seconds without SDKs or code modification, so the security is transparent to existing DevOps processes. With Anjuna, the host, VM, and container sit outside the enclave's trust boundary: a compromised or unpatched host cannot read or modify the application's memory, although, as with any enclave technology, it can still deny the application service.

What is Intel® SGX? 

Intel® Software Guard Extensions (SGX) is a set of CPU instructions that increase the security of application code and data by protecting them from disclosure or modification. An application inside an SGX enclave is isolated from other applications running on the same system, as well as from the host operating system and the hypervisor. The enclave's memory is encrypted by the CPU, so even an attacker with physical access to the DRAM cannot read it. Intel® SGX also derives sealing keys bound to the enclave's identity, so persistent data can be encrypted such that only an enclave running that specific application (or, by policy, one signed by the same author) can read it. Finally, SGX enables remote attestation: a hardware-signed report that proves to other parties that a specific application, identified by its measurement, is running in an enclave on genuine Intel® hardware. The report also carries the platform's microcode and firmware level, so a relying party can insist on an up-to-date platform before trusting it.
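The sealing-key behaviour described above (keys bound to the enclave's own measurement versus to its signer, and the security-version rule that lets an upgraded enclave read old data but not the reverse) is easiest to see in code. The following Python is an added illustration, not Anjuna's or Intel's code: the CPU's fused root seal key and the EGETKEY instruction are stood in for by an HMAC over the same identity inputs the real derivation binds, the blob layout is an assumption, and the enclave identities are constructed for the example.

```python
"""Model of how SGX sealing keys are bound to enclave identity.

Added illustration, not Anjuna's or Intel's code. The fused root seal key
and the EGETKEY instruction are stood in for by an HMAC over the inputs the
real derivation binds: key policy (MRENCLAVE or MRSIGNER), the chosen
identity value, and the security version number (SVN). Blob layout is an
assumption made for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the per-CPU fuse key that never leaves the chip.
_PLATFORM_SEAL_FUSE_KEY = b"\x11" * 32


@dataclass(frozen=True)
class EnclaveIdentity:
    mrenclave: bytes  # hash of the enclave's initial code and data
    mrsigner: bytes   # hash of the key that signed the enclave
    isvsvn: int       # developer-assigned security version number


def derive_seal_key(enclave, policy, key_svn):
    """Stand-in for EGETKEY: a key bound to MRENCLAVE or to MRSIGNER.

    As in hardware, an enclave may request a key for its own SVN or any
    older one, so an upgraded enclave can still read data sealed by an
    older version, while an older (possibly vulnerable) version cannot
    derive keys for data sealed by a newer one.
    """
    if key_svn > enclave.isvsvn:
        raise PermissionError("SVN %d is newer than this enclave's" % key_svn)
    if policy == "MRENCLAVE":
        identity = enclave.mrenclave
    elif policy == "MRSIGNER":
        identity = enclave.mrsigner
    else:
        raise ValueError("unknown key policy: %r" % policy)
    material = policy.encode() + identity + key_svn.to_bytes(2, "big")
    return hmac.new(_PLATFORM_SEAL_FUSE_KEY, material, hashlib.sha256).digest()


def seal(enclave, policy, data):
    """Seal data under the enclave's current SVN; the header records policy and SVN."""
    key = derive_seal_key(enclave, policy, enclave.isvsvn)
    header = policy.encode().ljust(9, b"\0") + enclave.isvsvn.to_bytes(2, "big")
    tag = hmac.new(key, header + data, hashlib.sha256).digest()
    # A real seal also encrypts `data` (e.g. AES-GCM) under the derived key;
    # the integrity tag alone is enough to show which enclaves can unseal.
    return header + tag + data


def unseal(enclave, blob):
    """Re-derive the key from the blob's policy and SVN, then verify the tag."""
    header, tag, data = blob[:11], blob[11:43], blob[43:]
    policy = header[:9].rstrip(b"\0").decode()
    key_svn = int.from_bytes(header[9:11], "big")
    key = derive_seal_key(enclave, policy, key_svn)
    expected = hmac.new(key, header + data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unseal failed: sealed by a different enclave identity")
    return data


def can_unseal(enclave, blob):
    try:
        unseal(enclave, blob)
        return True
    except (ValueError, PermissionError):
        return False


def demo():
    """Constructed identities: two versions of one app, and an unrelated enclave."""
    signer = hashlib.sha256(b"vendor signing key").digest()
    app_v1 = EnclaveIdentity(hashlib.sha256(b"app v1").digest(), signer, 1)
    app_v2 = EnclaveIdentity(hashlib.sha256(b"app v2").digest(), signer, 2)
    rogue = EnclaveIdentity(hashlib.sha256(b"rogue").digest(),
                            hashlib.sha256(b"other signer").digest(), 9)
    secret = b"database password"
    by_mrenclave = seal(app_v1, "MRENCLAVE", secret)
    by_mrsigner_v1 = seal(app_v1, "MRSIGNER", secret)
    by_mrsigner_v2 = seal(app_v2, "MRSIGNER", secret)
    return {
        "same_binary_mrenclave": unseal(app_v1, by_mrenclave) == secret,
        "upgraded_binary_mrenclave": can_unseal(app_v2, by_mrenclave),    # False: new measurement
        "upgraded_binary_mrsigner": can_unseal(app_v2, by_mrsigner_v1),   # True: same signer
        "downgraded_binary_mrsigner": can_unseal(app_v1, by_mrsigner_v2), # False: SVN 2 > 1
        "other_vendor_mrsigner": can_unseal(rogue, by_mrsigner_v1),       # False: other signer
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print("%-28s %s" % (check, outcome))
```

The practical consequence for a deployment: sealing to MRENCLAVE gives the tightest binding but every rebuild of the application orphans previously sealed data, so long-lived state is normally sealed to MRSIGNER and protected against rollback by bumping the SVN when a vulnerability is fixed.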

Does Intel SGX require special hardware?

Processors supporting Intel® SGX have been shipping since 2015, beginning with the 6th-generation Intel® Core processors ("Skylake"). SGX must also be enabled in the system firmware (BIOS/UEFI) before enclaves can be created. A list of hardware supporting SGX is available here.

What is AMD SEV?

AMD Secure Encrypted Virtualization (SEV) is AMD's hardware-accelerated memory encryption technology for protecting data in use. It encrypts the memory of an entire virtual machine with a key unique to that VM, using an AES encryption engine embedded in the memory controller and a dedicated secure processor for key generation and management, both part of the SoC, so that the hypervisor and other VMs cannot read the guest's memory. Later generations extend this protection: SEV-ES additionally encrypts the VM's CPU register state when the guest exits to the hypervisor, and SEV-SNP adds memory integrity protection.

Does AMD SEV require special hardware?

SEV technology is available on AMD EPYC™ server processors, which have been shipping since 2017 (first-generation EPYC, "Naples"). SEV-ES requires second-generation EPYC (7002 series) or later. A list of hardware and processors supporting SEV can be found here.

What does Anjuna deliver on top of Intel® SGX and AMD SEV?

Intel® Software Guard Extensions (SGX) and AMD SEV are each a set of features implemented in CPU hardware. Using those features requires software support. Anjuna Enterprise Enclaves software unlocks and manages the security features provided by Intel® SGX and AMD SEV. Anjuna's "lift and shift" approach allows any server application to run unchanged in a CPU-based secure enclave. Anjuna also provides the additional machinery needed to operate secure enclaves in practice, such as remote attestation, which lets a verifier confirm which enclave is running, and on what platform, before releasing secrets to it, so that an application's secrets are available only in the environment you designate.

What features does Anjuna provide for enterprise deployment?

Anjuna Enterprise Enclaves work in high-availability and disaster-recovery scenarios. They scale in the cloud, allow access to files and applications running on different machines, and make it simple to update applications, firmware, and hardware. Anjuna also offers options to protect security and business continuity by integrating with existing key management solutions.

Is the infrastructure required to support enclaves currently available from infrastructure-as-a-service (IaaS) cloud service providers?

Processors supporting Intel® SGX (since 2015) and AMD SEV (since 2017) have been shipping for several years. The major cloud providers are all deploying infrastructure that supports Intel® SGX, AMD SEV, or similar features. Microsoft Azure confidential computing makes SGX-capable virtual machines available to enterprises today. The new Nitro Enclaves from AWS (expected later in 2020) will offer comparable isolation and attestation, although they are built on the Nitro hypervisor rather than on CPU memory encryption.

Why do enterprises deploy Anjuna Enterprise Enclaves, rather than developing their own support for secure enclave technology?

Secure enclave technologies, such as Intel® Software Guard Extensions (Intel® SGX) and AMD Secure Encrypted Virtualization (SEV), provide essential building blocks for creating a trusted execution environment (TEE). Re-architecting an application and coding it against a specialized SDK to support a TEE or enclave can be time-consuming and complex, requiring specialized hardware and software knowledge: the application must be partitioned into trusted and untrusted parts, and mistakes at that boundary undermine the isolation. Anjuna Enterprise Enclaves provide a comprehensive, transparent, and manageable approach to CPU-based enclaves, allowing enterprises to focus on their core competencies. Anjuna's "lift and shift" approach enables existing applications to run inside enclaves without modification.

What is data-in-use?

Data-in-use refers to the data held in memory while an application runs. Encryption protects data-at-rest stored on disk, and TLS/SSL protects data-in-motion while in transit, but data-in-use is typically in cleartext in RAM. If that memory is compromised, whether by a malicious administrator, a compromised OS or hypervisor, or a physical attack, it can expose the very keys that protect the other two states: the encryption keys for data-at-rest and the TLS/SSL private keys for data-in-motion.

What is a trusted execution environment (TEE)?

A TEE is an isolated, hardware-enforced area of a processor in which code and data are protected from the rest of the system. TEEs defend against attacks that originate in the layers of the information technology stack below the application, including the operating system, hypervisor, drivers, and firmware, by providing specialized execution environments known as "enclaves" or "secure enclaves." TEEs also address the risk of applications and data being compromised by a malicious insider with administrative or physical access, or by an unauthorized third party.

What is remote attestation?

Remote attestation is a method by which a platform proves its hardware and software configuration to a remote party. The objective is to let one system (the verifier) establish the identity and integrity of the code running on another system (the prover), and that it is running on genuine, up-to-date hardware, before any secrets are shared with it; confidentiality then follows, because secrets are released only to an enclave that has passed verification. Anjuna Runtime Security provides a hardware root of trust through remote attestation, so that your workload receives its secrets only in the secure environment that you designate.
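What the verifier actually checks before releasing a secret is the substance of attestation, and it is where deployments most often go wrong (accepting a replayed quote, a debug-mode enclave, or an out-of-date platform). The following Python is an added example, not Anjuna's or Intel's code: the hardware-signed quote is modelled as an HMAC over the report body, standing in for the platform's attestation key and the vendor certificate chain a real verifier validates; field names follow SGX terminology (MRENCLAVE, MRSIGNER, ISVSVN, REPORTDATA), while the byte layout, the TCB status strings, and the scenarios are constructed for this example.

```python
"""Relying-party checks on a remote attestation quote before releasing a secret.

Added example, not Anjuna's or Intel's code. The hardware signature is
modelled as an HMAC over the report body; the byte layout and TCB status
strings are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

_ATTESTATION_KEY = b"\x22" * 32  # constructed stand-in for the platform's quoting key


@dataclass(frozen=True)
class Report:
    mrenclave: bytes    # measurement of the enclave's code and initial data
    mrsigner: bytes     # hash of the enclave author's signing key
    isvsvn: int         # enclave security version number
    debug: bool         # a debug enclave's memory is readable by the host
    tcb_status: str     # platform TCB level, e.g. "UpToDate" or "OutOfDate"
    report_data: bytes  # 64 bytes chosen by the enclave; carries the verifier's nonce

    def body(self):
        return (self.mrenclave + self.mrsigner + self.isvsvn.to_bytes(2, "big")
                + bytes([self.debug]) + self.tcb_status.encode() + b"\0"
                + self.report_data)


def generate_quote(report):
    """Platform side: the hardware signs the report with a key that never leaves it."""
    return report, hmac.new(_ATTESTATION_KEY, report.body(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Policy:
    allowed_mrenclave: frozenset  # measurements of approved application builds
    expected_mrsigner: bytes
    min_isvsvn: int
    allowed_tcb: frozenset = frozenset({"UpToDate"})


class Verifier:
    """Hands out `secret` only to quotes that pass every policy check, in order."""

    def __init__(self, policy, secret):
        self.policy = policy
        self.secret = secret
        self._pending_nonces = set()

    def challenge(self):
        nonce = secrets.token_bytes(32)
        self._pending_nonces.add(nonce)
        return nonce

    def verify(self, report, signature):
        expected = hmac.new(_ATTESTATION_KEY, report.body(), hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            return False, "quote signature invalid"
        nonce = report.report_data[:32]
        if nonce not in self._pending_nonces:
            return False, "nonce unknown or replayed"
        self._pending_nonces.discard(nonce)  # each challenge is single use
        if report.debug:
            return False, "debug enclave: host can read its memory"
        if report.mrsigner != self.policy.expected_mrsigner:
            return False, "unexpected enclave signer"
        if report.mrenclave not in self.policy.allowed_mrenclave:
            return False, "unknown enclave measurement"
        if report.isvsvn < self.policy.min_isvsvn:
            return False, "enclave security version too old"
        if report.tcb_status not in self.policy.allowed_tcb:
            return False, "platform TCB status %s" % report.tcb_status
        return True, "ok"

    def provision(self, report, signature):
        ok, reason = self.verify(report, signature)
        return (self.secret if ok else None), reason


def demo():
    """Constructed scenarios: one good quote and several that must be refused."""
    signer = hashlib.sha256(b"vendor signing key").digest()
    approved = hashlib.sha256(b"app v2").digest()
    verifier = Verifier(Policy(frozenset({approved}), signer, 2), b"database password")

    def quote(nonce, **overrides):
        # Second half of REPORTDATA would bind the enclave's ephemeral public
        # key so the released secret can be encrypted to that enclave alone.
        fields = dict(mrenclave=approved, mrsigner=signer, isvsvn=2, debug=False,
                      tcb_status="UpToDate",
                      report_data=nonce + hashlib.sha256(b"enclave pubkey").digest())
        fields.update(overrides)
        return generate_quote(Report(**fields))

    results = {}
    report, sig = quote(verifier.challenge())
    results["valid"] = verifier.provision(report, sig)
    results["replay"] = verifier.provision(report, sig)   # same quote, second time
    results["debug"] = verifier.provision(*quote(verifier.challenge(), debug=True))
    results["old_tcb"] = verifier.provision(*quote(verifier.challenge(), tcb_status="OutOfDate"))
    results["old_svn"] = verifier.provision(*quote(verifier.challenge(), isvsvn=1))
    report, sig = quote(verifier.challenge())
    results["tampered"] = verifier.provision(report, bytes(32))
    return results


if __name__ == "__main__":
    for name, (secret, reason) in demo().items():
        print("%-9s secret=%-20r %s" % (name, secret, reason))
```

The order of checks matters: the signature is validated first, so that nothing in an unauthenticated report influences any decision, and the nonce is consumed before the policy checks, so that a quote that fails policy cannot be retried later against a relaxed policy.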