What is a Confidential Cloud?
A Confidential Cloud is a private and secure computing environment typically formed over public cloud infrastructure, leveraging Secure Enclave technology as its foundation. Confidential Clouds are the most secure computing resources available—even more secure than on-premises infrastructure.
A Confidential Cloud IT environment is cryptographically (and in some cases physically) isolated from all users, operations insiders, and other processes. Confidential Cloud protection seamlessly extends over multiple cloud providers, and implicitly protects distributed workloads.
To the IT user, the Confidential Cloud operates transparently with the underlying cloud or multi-cloud environment. But workload and data attack surfaces are completely eliminated, as is excess exposure to cloud, third-party and other insiders.
How effective is the Confidential Cloud?
The Confidential Cloud delivers the strongest data security protections available today, comparable to the gold standard of a Hardware Security Module (HSM).
Who is adopting secure enclaves?
Confidential Cloud adoption is driven by cloud economics and the endless drumbeat of public and private cloud data breaches. All major cloud vendors, including AWS and Azure, have now deployed Confidential Cloud-enabling technologies. More than 20 industry giants have joined the Confidential Computing Consortium to drive broad awareness and adoption of secure computing.
Some of the most security conscious government and commercial organizations are already implementing Confidential Cloud capabilities to solve data security, leverage cloud economics, and gain greater operational agility.
How difficult is the Confidential Cloud to deploy and use?
Secure enclave and secure computing technologies can be very difficult to implement directly. Applications must be rewritten and operations disrupted to take full advantage of these capabilities.
The Confidential Cloud fixes that. Anjuna software transparently enables applications to run “as is” with no code rewrites or disruptions to business continuity. Applications run secure without modification. Operations processes remain unchanged.
How does the Confidential Cloud work in the public cloud?
A Confidential Cloud is a private and secure computing environment formed over public cloud infrastructure in real time to support a business workload. From an operations perspective, no changes to applications or processes are generally required—the Confidential Cloud environment operates invisibly, undetected by applications or IT staff. From a security perspective, application code and data are protected through a variety of hardware and cryptographic mechanisms that isolate them from access by any process unless explicitly granted through policy.
Confidential Clouds establish the public cloud as arguably the most secure computing environment available, rivaling that of any private data center (unless that data center has also adopted the Confidential Cloud).
What features does Anjuna provide for enterprise deployment and operations?
Anjuna’s Confidential Cloud Software Platform integrates seamlessly with existing IT services and management infrastructure. It leverages existing investments in key management solutions and provides telemetry to SIEM and CARTA systems. This allows enterprises to maximize the security, performance, and resiliency of workloads across heterogeneous clouds and hardware platforms.
What benefits should I expect to see from the Confidential Cloud?
Your organization should realize several benefits immediately. First, you’ll see a potentially dramatic reduction in your attack surface. Access to enclaved data is possible only through explicit permissions granted remotely from a computing host.
Anjuna solutions place the business and IT in exclusive control of their data anywhere it is used, stored, or transmitted—virtually eliminating existing data security concerns.
With attack surfaces minimized, you’ll be able to run sensitive applications securely anywhere—on premises, in the cloud, or in hybrid configurations. Data security and privacy will be enhanced transparently, as the number of people and credentials that can access data are both dramatically reduced. You’ll be able to safely run applications in untrusted or even hostile environments. All of this will reduce your security costs by reducing the need for redundant software, people, and processes.
What is Intel® SGX?
Intel® Software Guard Extensions (SGX) is a set of CPU machine language instructions that secure data and code execution in memory. An application inside an SGX-enabled enclave is isolated from all other applications running on the same system, as well as from the host operating system and the hypervisor. A secure enclave’s memory is encrypted, rendering the data useless outside the enclave’s context. SGX also delivers remote attestation, which helps assure that both the application and the hardware are genuine and that the Intel® hardware has been updated with the latest microcode to ensure security. Processors supporting Intel® SGX have been shipping since 2015.
A list of hardware supporting SGX is available from Intel.
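As an added illustration of the attestation-gated access model described in the answers above (this is example code written for this page, not Anjuna's software and not Intel's SGX SDK), the following Python models the relying-party side of remote attestation: a simulated platform measures an enclave image and signs a quote, and a key owner releases a data-encryption key only when the quote's signature, freshness, measurement and platform TCB version all satisfy policy. The HMAC platform key, the `tcb_version` field, the enclave images and the secret are constructed stand-ins for the hardware-rooted signing chain and for SGX's MRENCLAVE, REPORTDATA and TCB-level concepts.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Simulated hardware attestation key (constructed). In real SGX this role is
# played by a CPU-fused key and Intel's attestation infrastructure; a verifier
# never holds the raw signing key, it checks a certificate chain instead.
SIM_PLATFORM_KEY = b"constructed-platform-attestation-key"


@dataclass(frozen=True)
class Quote:
    """Attestation evidence as the simulated platform emits it."""
    measurement: str   # SHA-256 of the enclave image (MRENCLAVE analogue)
    tcb_version: int   # platform microcode/TCB security version (constructed)
    nonce: str         # relying party's challenge (REPORTDATA analogue)
    signature: str     # HMAC over the three fields above


def measure_enclave(image: bytes) -> str:
    """Hash the enclave code and initial data, as the CPU does at enclave build."""
    return hashlib.sha256(image).hexdigest()


def _quote_body(measurement: str, tcb_version: int, nonce: str) -> bytes:
    # Canonical encoding so signer and verifier MAC identical bytes.
    return json.dumps({"measurement": measurement, "tcb": tcb_version,
                       "nonce": nonce}, sort_keys=True).encode()


def platform_quote(image: bytes, tcb_version: int, nonce: str) -> Quote:
    """Simulated platform: measure the enclave and sign the report."""
    m = measure_enclave(image)
    sig = hmac.new(SIM_PLATFORM_KEY, _quote_body(m, tcb_version, nonce),
                   hashlib.sha256).hexdigest()
    return Quote(m, tcb_version, nonce, sig)


@dataclass(frozen=True)
class ReleasePolicy:
    """What the key owner requires before a secret may enter an enclave."""
    allowed_measurements: frozenset
    min_tcb_version: int


def verify_quote(quote: Quote, expected_nonce: str, policy: ReleasePolicy):
    """Return (ok, reason). Signature is checked first so forged quotes fail early."""
    expected_sig = hmac.new(
        SIM_PLATFORM_KEY,
        _quote_body(quote.measurement, quote.tcb_version, quote.nonce),
        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, quote.signature):
        return False, "signature: quote not signed by trusted platform"
    if not hmac.compare_digest(quote.nonce, expected_nonce):
        return False, "freshness: nonce mismatch (replayed or foreign quote)"
    if quote.measurement not in policy.allowed_measurements:
        return False, "measurement: enclave image not on allow-list"
    if quote.tcb_version < policy.min_tcb_version:
        return False, "tcb: platform microcode below required version"
    return True, "ok"


def release_secret(quote, expected_nonce, policy, secret: bytes):
    """Key owner side: hand over the secret only if the quote satisfies policy."""
    ok, reason = verify_quote(quote, expected_nonce, policy)
    return (secret if ok else None), reason


def demo():
    """One accepted attestation and four rejected ones, keyed by scenario."""
    trusted_image = b"constructed enclave image v1"           # constructed
    policy = ReleasePolicy(frozenset({measure_enclave(trusted_image)}), 3)
    secret = b"constructed-data-encryption-key"                # constructed
    results = {}

    nonce = secrets.token_hex(16)
    results["genuine"] = release_secret(
        platform_quote(trusted_image, 3, nonce), nonce, policy, secret)

    # Modified enclave code: measurement changes, so the allow-list rejects it.
    nonce = secrets.token_hex(16)
    results["tampered_image"] = release_secret(
        platform_quote(trusted_image + b" modified", 3, nonce), nonce, policy, secret)

    # Trusted image on an out-of-date platform: TCB check rejects it.
    nonce = secrets.token_hex(16)
    results["stale_tcb"] = release_secret(
        platform_quote(trusted_image, 2, nonce), nonce, policy, secret)

    # Replay: a valid older quote presented against a fresh challenge.
    old_quote = platform_quote(trusted_image, 3, secrets.token_hex(16))
    results["replayed"] = release_secret(
        old_quote, secrets.token_hex(16), policy, secret)

    # Forgery: measurement field edited to a trusted value without the platform key.
    nonce = secrets.token_hex(16)
    q = platform_quote(trusted_image + b" modified", 3, nonce)
    forged = Quote(measure_enclave(trusted_image), q.tcb_version, q.nonce, q.signature)
    results["forged"] = release_secret(forged, nonce, policy, secret)
    return results
```

The ordering of checks in `verify_quote` reflects the trust chain: nothing in the quote is meaningful until its signature ties it to the platform, and an allow-listed measurement on a platform with stale microcode is still refused, which is the policy behaviour the SGX answer above alludes to when it mentions verifying that hardware carries the latest microcode.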
What is AMD SEV?
AMD Secure Encrypted Virtualization (SEV) is a secure enclave-enabling technology available in AMD EPYC CPUs. It enables encrypting the memory of an entire virtual machine, relying on an encryption engine embedded in the memory controller and a secure processor for key generation and management.
What are AWS Nitro Enclaves?
AWS Nitro Enclaves enable customers to further protect and securely process highly sensitive data, such as personally identifiable information (PII), healthcare and financial data, and intellectual property, within Amazon EC2 instances. Nitro Enclaves use the same Nitro Hypervisor technology that provides CPU and memory isolation for EC2 instances.
What is data-in-use?
Data-in-use refers to data stored in memory and used by the CPU during application runtime. Data that is in use or waiting to be used cannot, by definition, be encrypted—leaving critical data, such as encryption keys, vulnerable to malicious software and bad actors.
Secure computing technologies resolve this vulnerability by enabling data to be both isolated and encrypted in memory while it waits to be used. This important remediation removes the last barrier to truly confidential computing and the Confidential Cloud.
How do I get started?
Contact Anjuna. We’ll give you everything you need to implement a successful proof-of-concept (POC) project, including a secure sandbox environment. In minutes, we’ll show how simple Confidential Cloud and secure computing can be.