What is a Confidential Cloud?
A Confidential Cloud is a private and secure computing environment formed over public cloud infrastructure. It leverages secure enclave technology, encryption, key management, and other battle-tested security technologies as its foundation. Confidential Clouds provide the most secure computing environment available — hardware-grade protection measurably more secure than most private infrastructure. Confidential clouds can be formed over private cloud infrastructure as well.
Unlike legacy security, which uses layers of security devices to block access to inherently vulnerable data, a confidential cloud utilizes a concept called data self-protection, where data is encrypted by default and rendered physically inaccessible at rest, in motion, and in use by any outside process or user. Access to data is strictly controlled by locks, keys, and policy. These controls seamlessly extend across multiple cloud providers and implicitly protect distributed workloads, enabling seamless cloud-native workload security.
To IT, the Confidential Cloud operates transparently—like virtualization—enhancing the underlying cloud or multi-cloud environment without affecting users or applications. Workloads operate unchanged even though attack surfaces are virtually eliminated.
How effective is the Confidential Cloud?
The Confidential Cloud delivers the strongest data security protections available today, with a security level comparable to the gold standard of a Hardware Security Module (HSM).
Who is adopting secure enclaves?
All major cloud vendors, including AWS and Azure, have now deployed Confidential Cloud-enabling technologies. More than 20 industry giants have joined the Confidential Computing Consortium to drive broad awareness and adoption of secure computing.
Some of the most security-conscious government and commercial organizations are already implementing Confidential Cloud capabilities to resolve data security risks, leverage cloud economics, and gain greater operational agility.
How difficult is the Confidential Cloud to deploy and use?
With software from Anjuna, the process is very simple.
Without such software, secure enclave and confidential computing technologies can be very difficult to implement directly. Applications must be rewritten and operations disrupted to take full advantage of these capabilities, and a myriad of technologies need to be orchestrated and managed.
The Confidential Cloud abstracts away those complexities. Anjuna software transparently enables applications to run “as is” with no code rewrites or disruptions to business continuity. Applications run securely without modification. Operations processes remain unchanged.
How does the Confidential Cloud work in the public cloud?
From an operations perspective, no changes to applications or processes are required—workloads are instantiated exactly as they were before. The Confidential Cloud environment operates invisibly, undetected by applications or IT staff. From a security perspective, application code and data are protected through a variety of hardware and cryptographic mechanisms that isolate them from access by any process unless explicitly granted through policy.
What features does Anjuna provide for enterprise deployment and operations?
Anjuna’s Confidential Cloud Software Platform integrates seamlessly with existing IT services and management infrastructure. It leverages existing investment in key management solutions and Kubernetes, and provides telemetry to SIEM and CARTA systems. This allows enterprises to maximize security, visibility, performance, and resiliency of workloads across heterogeneous clouds and hardware platforms.
What benefits should I expect to see from the Confidential Cloud?
Your organization will realize several benefits immediately. First, you’ll see a dramatic reduction in attack surfaces. Access to workloads and data can only come from explicit permissions granted remotely from a computing host.
Anjuna places the business and IT in exclusive control of their data anywhere it is used, stored, or transmitted—virtually eliminating existing data security concerns and facilitating compliance for highly regulated industries and sensitive data.
With attack surfaces minimized, you’ll be able to run sensitive applications anywhere without compromising security—on premises, in the cloud, or in hybrid configurations. Data security and privacy will be enhanced transparently, as insider access to data is eliminated by default. You’ll be able to safely run applications in untrusted or even hostile geographies. All of this will simplify your security cost by reducing the need for redundant software, people, and processes.
What is Intel® SGX?
Intel® Software Guard Extensions (SGX) is a set of CPU machine language instructions that secure data and code execution in memory. An application inside an SGX-enabled enclave is isolated from all other applications running on the same system, as well as from the host operating system and the hypervisor. A secure enclave’s memory is encrypted, rendering the data useless outside of the enclave’s context. SGX also delivers remote attestation, which helps assure that both the application and the hardware are genuine and that the Intel® hardware has been updated with the latest microcode to ensure security. Processors supporting Intel® SGX have been shipping since 2015.
Anjuna Confidential Computing software leverages and extends SGX to also secure data at rest and in motion. Anjuna abstracts the differences between SGX and other technologies to make secure multi-platform computing simple for enterprise IT.
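The remote attestation described above is what lets a key-management service follow the policy model from the earlier section (“isolate them from access by any process unless explicitly granted through policy”): a secret is released to an enclave only after a signed hardware report proves which code is running and that the platform is up to date. The following is an added illustration, not code from Anjuna or Intel. It is a constructed toy model: the report layout, the measurement values, the secret store and the HMAC-based “platform signature” are all assumptions (real SGX quotes use a different binary format and are signed with Intel-rooted asymmetric keys verified through Intel’s attestation services). What it shows is the verifier’s checks in order: signature, freshness nonce, minimum TCB version, then measurement allowlist.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed toy model of attestation-gated secret release.
# Assumption: the platform and the verifier share a symmetric HMAC key standing in
# for the hardware's attestation signing key. Real platforms use asymmetric keys
# rooted in the CPU vendor; this stand-in only keeps the example self-contained.
PLATFORM_ATTESTATION_KEY = b"constructed-platform-key-not-real"

# Verifier policy: which enclave measurement (hash of the enclave code) may receive
# which named secret. Both the code and the secret name are constructed values.
ALLOWED_MEASUREMENTS = {
    hashlib.sha256(b"payment-service enclave v1.2").hexdigest(): "payment-db-key",
}

# Secrets held by the key-management side; released only on successful attestation.
SECRET_STORE = {"payment-db-key": b"constructed-data-encryption-key"}

# Reports from platforms below this TCB level (e.g. stale microcode) are rejected.
MIN_SECURITY_VERSION = 3


def build_report(enclave_code: bytes, nonce: bytes, security_version: int) -> dict:
    """Hardware side (simulated): sign a report binding measurement, nonce and TCB level."""
    body = {
        "measurement": hashlib.sha256(enclave_code).hexdigest(),
        "nonce": nonce.hex(),
        "security_version": security_version,
    }
    serialized = json.dumps(body, sort_keys=True).encode()
    body["signature"] = hmac.new(PLATFORM_ATTESTATION_KEY, serialized, hashlib.sha256).hexdigest()
    return body


def verify_report(report: dict, expected_nonce: bytes) -> Tuple[Optional[str], str]:
    """Verifier side: return (secret name, 'ok') or (None, reason) for a rejected report."""
    body = {k: v for k, v in report.items() if k != "signature"}
    serialized = json.dumps(body, sort_keys=True).encode()
    expected_sig = hmac.new(PLATFORM_ATTESTATION_KEY, serialized, hashlib.sha256).hexdigest()
    # 1. Integrity and origin: any change to the body invalidates the signature.
    if not hmac.compare_digest(expected_sig, report.get("signature", "")):
        return None, "signature invalid: report not produced by trusted platform"
    # 2. Freshness: the verifier chose the nonce, so a captured report cannot be replayed.
    if not hmac.compare_digest(body.get("nonce", ""), expected_nonce.hex()):
        return None, "nonce mismatch: stale or replayed report"
    # 3. Platform health: refuse enclaves on hardware with an outdated TCB.
    if body.get("security_version", 0) < MIN_SECURITY_VERSION:
        return None, "platform TCB below minimum security version"
    # 4. Identity: only measurements explicitly allowed by policy get a secret.
    secret_name = ALLOWED_MEASUREMENTS.get(body.get("measurement", ""))
    if secret_name is None:
        return None, "measurement not in policy allowlist"
    return secret_name, "ok"


def release_secret(report: dict, expected_nonce: bytes) -> Optional[bytes]:
    """Key-management side: hand out the secret only when every check passes."""
    secret_name, _reason = verify_report(report, expected_nonce)
    return SECRET_STORE[secret_name] if secret_name else None


if __name__ == "__main__":
    nonce = secrets.token_bytes(16)  # verifier-chosen challenge
    genuine = build_report(b"payment-service enclave v1.2", nonce, 3)
    print("genuine enclave:", release_secret(genuine, nonce))
    unknown = build_report(b"some other enclave", nonce, 3)
    print("unknown code:", verify_report(unknown, nonce)[1])
    print("replayed report:", verify_report(genuine, secrets.token_bytes(16))[1])
```

The ordering matters in practice: the signature check runs first so that no other field of an unauthenticated report is trusted, and the measurement allowlist is consulted last, after freshness and TCB checks, so a known-good binary on a downgraded platform is still refused.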
What is AMD SEV?
AMD Secure Encrypted Virtualization (SEV) is a secure enclave-enabling technology available in AMD EPYC CPUs. It enables encrypting the memory of an entire virtual machine, relying on an encryption engine embedded in the memory controller and a secure processor for key generation and management.
Anjuna Confidential Computing software leverages and extends SEV to also secure data at rest and in motion. Anjuna abstracts the differences between SEV and other technologies to make secure multi-platform computing simple for enterprise IT.
What are AWS Nitro Enclaves?
AWS Nitro Enclaves enable customers to further protect and securely process highly sensitive data, such as personally identifiable information (PII), healthcare, financial, and intellectual property within AWS EC2 instances. Nitro Enclaves use the same Nitro Hypervisor technology that provides CPU and memory isolation for EC2 instances.
Anjuna Confidential Computing software leverages and extends Nitro Enclaves to also secure data at rest and in motion. Anjuna abstracts the differences between Nitro Enclaves and other technologies to make secure multi-platform computing simple for enterprise IT.
What is data-in-use?
Data-in-use refers to the data, including application code, stored in memory and processed during runtime. Data that is in use or waiting to be used cannot normally be encrypted—leaving critical data, such as encryption keys, vulnerable to malicious software and bad actors.
Secure computing technologies resolve this vulnerability by enabling data to be both isolated and encrypted in memory as it waits to be used and as it’s processed. This important remediation removes the last barrier to truly confidential computing and the Confidential Cloud.
How do I get started?
Contact Anjuna. We’ll give you everything you need to implement a successful proof-of-concept (POC) project, including a secure sandbox environment. In minutes, we’ll show how simple Confidential Cloud and secure computing can be.