Data must be protected. There’s no argument about that. Solutions to protect data at rest and data in motion have been around for decades. The problem is that for data to be useful, it has to be processed, and, until recently, processing left data wide open to theft or attack.
There is a fundamental architectural weakness that requires data to be exposed and unencrypted in memory for processing. This means that even data that may be fully encrypted over a network or when stored will be unencrypted when it’s processed. Bad actors know this, which is why they target memory to retrieve unencrypted certificates, keys, and, of course, valuable data whether it is in memory, on disk, or stored on the network. This weakness affects virtually every computer and all software ever made.
The leading microprocessor vendors knew that this issue is critical. That’s why they’ve added specialized security features and instruction sets to their CPUs. These enable the creation of enclaves - certified secure regions of a host, instantiated by software, that are isolated from every other process and user. Enclaves solve the memory encryption issue - data can’t be seen outside the enclave. Memory is decrypted and thus rendered usable only within the enclave itself.
Many different kinds of enclaves can be created leveraging this technology. Some - like the hardware enclaves present on many computers and phones - simply store data such as keys and certificates. Still others store small amounts of critical code in memory. More recently, the market is seeing the arrival of more general-purpose secure enclaves, sometimes referred to as “enterprise enclaves,” that create complete computing environments.
Within these secure enclaves, both applications and data are protected from theft or attack. Even more important, these general-purpose enclaves protect not just application data in use, but stored data (data at rest) and data on the network (data in motion) as well. With these protections, even if an insider or attacker gains full administrative control over a server processing such data, enclave-enabled security features fully protect and encrypt computer memory, keeping both data and code out of reach.
Unfortunately, while enclave-enabling technologies solve the secure computing problem, using them is neither easy nor practical. Applications need to be rewritten and recompiled to support specialized machine instructions to enclave applications. Each proprietary enclave technology implementation requires application-specific versioning to take full advantage (Intel, AMD, and AWS each have their own implementations). New software development requires making multiple complex environments and struggling with vendor-specific software developer kits (SDKs) to transition applications. Such obstacles present a fundamental roadblock, making secure enclaves a non-starter for all but the most motivated DIY hobbyists and deep technologists, and then even for only the most important applications.
Fortunately, this last hurdle has been addressed by leveraging the same virtualization approach that hastened the accelerated transition of workloads from on-premise data centers to the public cloud. With virtualization, applications transparently move new and legacy applications into secure enclaves without rewriting or re-compilation.
This “lift and shift” approach makes cloud migration simple and attractive for virtually all applications. An application or code base can be simply taken out of one environment and placed in another (in this case, into a secure enclave environment) without significant underlying design change.
As this lift and shift approach becomes popular for secure enclaves, the objections to not using these hardware protections for data disappear.
The incentive to transition applications into the protected confines of a secure enclave only increases with each new data breach, whether on-site or in the cloud. Enterprise enclave technologies virtually eliminate this risk anywhere data and applications reside.
Microsoft, Google, AWS, Baidu, Alibaba, and other cloud services already support enclave technologies, making it possible to execute workloads, reach new customers, or store data in untrusted geographies without the risk of breach or data loss. This also means organizations can transition everything--including even their most sensitive applications and data--to the cloud, eliminating the need to maintain costly redundant onsite and cloud IT organizations.
Enclaves are a powerful compliance control. Enclave data protections ensure that data can’t be seen or accessed unless explicitly authorized. Even then, with access vigilantly monitored and tracked from a zero-trust posture, compliance becomes much simpler.
Even better, with the risk of data exposure eliminated, the organization no longer needs to maintain a costly, complex security infrastructure. In many cases, privileged access management (PAM), data classification systems, network security, and other expensive host, network, perimeter, and physical security solutions become redundant. Implementing secure enterprise enclaves can reduce both cost and overall system complexity.
The rationale for the move to enclaves is compelling. The opportunities for IT to dramatically simplify and improve security are immense. Fortunately, momentum is building, with hardware, software, and cloud vendors driving enclave technology into the mainstream--paving the way for a new and significantly more secure era of computing.
