As businesses become more reliant on digital technologies, the risk of data breaches and cybersecurity threats increases exponentially. Given the concerns about information and IP security, businesses across industries, not only highly regulated ones such as healthcare, fintech, and the public sector, are increasingly concerned about their ability to capture the benefits of moving workloads to the cloud. Now, while most eyes and ears are on Cloud Computing, a newer, more powerful technology has emerged and made its way into the headlines: Confidential Cloud Computing.
The Rise of Confidential Cloud Computing
Yes, cloud computing has become one of the most popular methods of IT delivery, and with good reason: it offers businesses a number of advantages, such as scalability, cost-effectiveness, and efficiency. However, not all cloud environments are created equal. Confidential Computing is a new paradigm of cloud computing that offers a much-needed extra layer of security and privacy protection for business data. Basically, Confidential Cloud Computing is an essential cloud-enabling technology for building data-driven SaaS and PaaS applications on solid foundations. Leveraging this technology, we can now change the conversation from “moving to the cloud at any cost” to “moving to a confidential cloud with confidence and ease”.
To ease and simplify the development of Confidential Compute environments, and save developers and businesses time and costs, enclaive has developed an arsenal of enterprise-ready Confidential Compute Containers and Services.
A container is the most essential component of a cloud application. In its simplest form, it is a packaged application. Containers can be efficiently started, stopped, migrated, and composed.
A Confidential Container differs from a normal container in that it is encrypted and authenticated. Applications are started in an enclave. For this purpose, the CPU reserves an area of physical memory before the boot process. A process that the operating system loads into this area is encrypted by the CPU. Only the CPU knows the key, which is freshly generated at each boot and derived from a unique hardware key.
Putting it all together, our large portfolio is a solid collection of open-source applications and services to build, test, and deploy a plethora of cloud applications. Enclaive enables businesses to take any container application or program and run it with just a few clicks in a fully secure environment. And the best part: you do not need to change application code, CI/CD build pipelines, and DevOps for this.
Why should businesses choose enclaive’s multi-cloud environments?
With enclaive’s confidential multi-cloud ecosystem, businesses can now build, deploy, and scale any application on a completely Confidential Cloud Computing ecosystem. Its compute environments are so secure that even the cloud provider can’t see inside. By leveraging Confidential Compute, data and code are now isolated from the cloud provider, effectively separating the infrastructure layer from the application logic. It brings a bundle of important capabilities to any cloud infrastructure, including
- Data in Use Encryption. Every container shields applications and data during execution. In the event of a container escape, an attacker may escalate privileges and gain root access to the underlying system. Nevertheless, even with access to the host system, the attacker cannot extract valuable data and secrets from the other containers. The reason is that confidential containers are fully memory-encrypted and protected throughout their execution. Dumping the memory yields ciphertext only. Attempts to alter the memory or file system are detected through cryptographic integrity protection. With enclaive, you can create secure environments that keep your workload encrypted while in use.
- Container Secret Key Provisioning. Secrets like environment variables, files, passwords, or cryptographic keys are never stored in a confidential container. A key management service (KMS) provisions the secrets into the confidential container through a TLS-like protocol. The KMS verifies the authenticity of the containers and ensures only the right confidential containers obtain the secrets.
- Container Authentication & Attestation. Confidential Containers have a cryptographic identity. The authorship is verifiable, allowing the implementation of finer-grained white-labeling mechanisms as well as proactive user protection: Remote attestation allows for on-the-fly scanning of outdated or vulnerable containers in use based on their cryptographic identity.
- Performance-driven. Data-in-use encryption comes with no performance overhead due to hardware-accelerated encryption. enclaive’s confidential products provide a unique level of isolation and protection for workloads. Thanks to its confidential capabilities, enclaive makes sure that any application or database can be quickly and easily set up within a high-performance, highly secure cluster, with minimal input from your DevOps. This enables your developer teams to focus on business value, while enclaive provides you with a secure solution that meets demanding performance standards.
- Integrate with multiple clouds. enclaive integrates with hyper-scaler and major regional cloud providers to deliver efficient, reliable, and secure cloud environments for all customers.
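The secret-provisioning and attestation steps above boil down to one policy decision on the KMS side: release a secret only to a container whose attested identity (a measurement of its code) is on an allow-list, whose report is genuinely signed by the platform, and whose report is fresh. The following is an added, simplified model of that check, not enclaive’s protocol or code; the HMAC key standing in for the hardware attestation key, the measurement values, and the policy table are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the platform's attestation key. On real SGX hardware the
# quote is signed by the quoting enclave and checked against Intel's root of trust;
# an HMAC key models that trust anchor so the example runs offline.
PLATFORM_KEY = b"constructed-platform-key"

# KMS policy: allow-list of enclave measurements (hash over the container image) mapped
# to the secret each identity may receive. An outdated image simply is not listed.
POLICY = {
    hashlib.sha256(b"confidential-postgres:v1").hexdigest(): {"DB_PASSWORD": "s3cret"},
}

def make_report(measurement: str, nonce: str) -> dict:
    """Container side: the platform signs the (measurement, nonce) claims."""
    body = json.dumps({"measurement": measurement, "nonce": nonce}, sort_keys=True)
    sig = hmac.new(PLATFORM_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def release_secret(report: dict, expected_nonce: str) -> Optional[dict]:
    """KMS side: verify signature, freshness and identity before releasing anything."""
    expected_sig = hmac.new(PLATFORM_KEY, report["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report["sig"]):
        return None  # forged or tampered report
    claims = json.loads(report["body"])
    if claims.get("nonce") != expected_nonce:
        return None  # replay of a report from an earlier session
    # Unknown or outdated measurement -> None; only the allow-listed identity gets a secret
    return POLICY.get(claims.get("measurement"))

if __name__ == "__main__":
    nonce = "kms-challenge-0001"  # constructed; a real KMS draws this at random per session
    current = hashlib.sha256(b"confidential-postgres:v1").hexdigest()
    outdated = hashlib.sha256(b"confidential-postgres:v0").hexdigest()
    print("current image:", release_secret(make_report(current, nonce), nonce))
    print("outdated image:", release_secret(make_report(outdated, nonce), nonce))
```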
Use Case: Enclaive’s Confidential Containers for Azure’s DCs-Series
While the Azure team did some wonderful work to provide CC-ready compute infrastructures, the missing building blocks are CC-ready applications. To ease and simplify the development of CC applications, and save developer time and costs, enclaive has developed an arsenal of confidential compute containers covering what we call “The Base” stack.
Getting Started: 3 steps to a Confidential Cloud
Enclaive’s “The Base” Containers are a solid collection of open-source applications to build, test and deploy a plethora of cloud applications. They are compatible with DevOps best practices like Docker, Kubernetes, and OpenShift. All they require to be executed is a VM supporting Intel SGX technology (DCsv2/DCsv3-series).
Quickstart: Available on Azure Marketplace
The Base is also available on the Azure Marketplace.
Build via GitHub
To run a confidential compute base container, set up a VM and pull the image:
1. Configure an Azure DCs-series VM
Note that in this configuration all drivers are upstreamed.
2. Pull the confidential container from the enclaive’s GitHub repository
3. Start (building) the container
Enclaive’s mission is to ease the development of confidential compute environments and help developers, DevOps, and businesses deploy confidently in confidential clouds. The enclaive multi-cloud platform provides businesses with a powerful solution for isolating and protecting workloads from external or internal threats. For the very first time, infrastructure and application logic are separated. Leveraging confidential computing, data and code are isolated from the cloud provider at all times. By leveraging confidential compute technology, enclaive enhances standard cloud layers with a previously missing security attribute. By default, your data and application are encrypted at rest, in transit, and while in use.
Get in touch via firstname.lastname@example.org to explore how enclaive technology helps you. Join us on Discord to become part of the growing open-source enclaive community.
The respective trademarks mentioned in the offering are owned by the respective companies, and their use of them does not imply any affiliation or endorsement.