Prevent Malicious and Insider Threats with Secure Enclaves
Insiders can be a major threat to the security of enterprise IT and cloud computing. Insiders with administrative credentials are more dangerous than end users because of the broad systems access they require to do their jobs. Insiders with authorized access to data, networks, and applications may misuse or abuse that access to steal or damage sensitive data, algorithms, and other confidential information.
This is not limited to employees. Third parties, including employees at cloud providers, nation-states and other bad actors, can also present credentials that make them look like insiders.
Current methods and technologies only detect IT insider threats after the fact. While detection technologies continue to improve, the problem is that detection usually happens long after your data has been compromised, and by then it is too late.
Software-level encryption is not the answer. Applications and data still must be decrypted for runtime processing. Encryption software is complicated and degrades application performance. Even worse, critical secrets such as encryption keys remain easily accessible to insiders, a weakness that renders all the time and expense spent on encryption potentially worthless. In addition, encryption keys must reside in the clear in memory to be used, or as plaintext files on the host.
The Most Effective Approach to Data Security
Now, there’s a new hardware-level approach being implemented by nearly every major hardware and cloud vendor. Secure enclaves establish a more secure, comprehensive solution that protects data, applications, and storage from insiders and third parties wherever they’re executed and stored—on-premises, and in both private and public clouds.
A secure enclave uses CPU hardware on every server to isolate application code and data from anyone else on the system, regardless of administrative privileges, and to encrypt the enclave's memory. With additional software, secure enclaves enable the encryption of both storage and network data for simple full-stack security.
Prepare for the Move to Secure Enclaves
Ask your team these questions:
- How do you protect your sensitive applications and data in the public cloud?
- What are your cloud providers doing to address this ongoing insider threat?
- Do you have third-party exposure? How do you protect your applications and data in untrusted geographies?
- Are you concerned with the possibility that a government subpoena might demand access to customer data?
- Are you prepared to rewrite applications to take advantage of secure enclaves?
- How important will it be to have a solution that can automatically move applications and data into a secure environment?
Hardware Support for Secure Enclave Technology
Hardware support in the form of secure enclaves was introduced by Intel as Software Guard Extensions (SGX). AMD also offers enclave functionality with its SEV technology, built into EPYC. Secure enclaves are being supported by nearly every server and cloud platform, including Intel, AMD, Amazon Web Services (with their new Nitro Enclaves), Microsoft Azure confidential computing, VMware, Google Cloud, Docker, Red Hat, and more.
Moving from detection to prevention changes the focus from identifying and chasing malicious acts that have already occurred to preventing them in the first place. It’s the difference between watching your data go out the door and preventing someone from ever being able to access the data at all.
Anjuna Makes it Simple
Until now, implementing secure enclaves was complex and costly. Applications had to be significantly rewritten, and changes to IT processes were often needed. Each chip and cloud provider has its own SDK, requiring significant design, development, and testing resources, which makes the process expensive and time-consuming.
Anjuna’s “lift and shift” approach makes the deployment of secure enclaves simple and straightforward—without the need to rewrite or recompile the software.