What is NGINX and why should you upgrade to NGINX-SGX?

NGINX, pronounced ‘engine ex’, is open-source web server software that is widely used by developers.

Before we get into any details, let’s start by explaining what a web server is.

Whenever you open your browser, type a URL and press Enter, you are requesting the content behind that URL. That content is stored on remote computers, which accept your request for the URL and send its content back as a response.

Web servers are those remote computers that deliver the requested web pages. Every web server has an IP address and a domain name.

Let us make this clearer with the following example:

You open your favourite browser, type www.netflix.com/friends and press Enter. In this URL, www.netflix.com is the domain name, and /friends is the page you want to see.

So www.netflix.com routes your request to the remote computer, i.e. the web server, which then searches for the content you are requesting; in our case, the best show ever: “Friends” 🙂

So what about NGINX?

NGINX is an open-source web server designed for maximum performance and stability.

If you are developing a web application and want to host it, you might have a hard time handling all the requests coming in for that content, and your server may go down repeatedly while handling only a handful of requests at a time.

NGINX solves such efficiency issues by providing the tools to handle thousands of requests at the same time. This is why NGINX is one of the most reliable web servers out there.

How NGINX works

Now let’s talk about Intel SGX

Before we jump into our NGINX-SGX product, here is a short introduction to Intel Software Guard Extensions (SGX).

Intel SGX delivers advanced hardware-based security features, including encryption of enclave memory in RAM, by leveraging confidential computing technology. Using so-called enclaves, the code and data specific to each application stay completely isolated within the secure enclave. Additional security, privacy and trust guarantees are provided when data and application code run in an enclave, which makes these secure containers an ideal choice for (untrusted) cloud environments.

The application code executing within an Intel SGX enclave:

  • Remains protected even when the BIOS, VMM, OS and drivers are compromised, meaning that an attacker with full execution control over the platform can be kept at bay
  • Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
  • Keeps data, program code and protocol messages from being leaked or de-anonymized at any moment in time
  • Reduces the trusted computing base of its parent application to the smallest possible footprint

Check out our blog post “Confidential Computing Explained” and learn more about confidential computing technology.

Why use NGINX-SGX (instead of “vanil­la” NGINX) images?

So imagine you could get all these encryption features of Intel SGX as a “Plus” version of the NGINX software. That is what NGINX-SGX brings to the table.

The NGINX-SGX product now provided by enclaive combines the confidential computing technology of Intel SGX with the NGINX software. The application code is executed within the secure enclave while the requested content is being sent back to the requester of the specific URL. NGINX-SGX provides a “black box” that holds the entire requested content, making sure there are no leaks of sensitive data.

The following benefits come for free with NGINX-SGX:

  • “Small step for a dev, giant leap for a zero-trust infrastructure”
  • You can now have all the business benefits of migrating to a (public) cloud without sacrificing the trust of on-premise infrastructure
  • Hardened security against kernel-space exploits, malicious and accidental privileged insider attacks, UEFI firmware exploits and other “root” attacks that corrupt the application to infiltrate your network and system
  • It can run on any hosting environment irrespective of geo-location and comply with privacy export regulations, such as Schrems II
  • GDPR/CCPA compliant processing (“data in use”) of user data in the cloud. The data stays anonymized thanks to the secure enclave

Encrypted proxy with NGINX-SGX
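The following is an added example, not configuration from this post or from the NGINX-SGX product: a complete vanilla nginx.conf that shows the two things discussed above, how the domain name and path of a URL such as www.netflix.com/friends select the content a web server delivers (server_name and location), and how NGINX acts as an encrypting proxy by terminating TLS in front of a backend. The domain www.example.com, the file paths and the backend address 127.0.0.1:8080 are constructed placeholders. With plain NGINX the private key file and the served content are readable by anyone with root on the host; protecting them from a compromised host is the gap the enclave is meant to close, and how NGINX-SGX provisions the key into the enclave is not described on this page.

```nginx
# Added example, not enclaive's or NGINX's own configuration.
# All names, paths and addresses below are constructed placeholders.

events {
    worker_connections 1024;
}

http {
    # Redirect every plain-HTTP request to HTTPS so page content never
    # travels unencrypted between browser and server.
    server {
        listen 80;
        server_name www.example.com;          # placeholder domain name
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;          # the "domain name" part of the URL

        # Certificate and private key. On a vanilla host these files are
        # readable by root, so a compromised OS can read the key.
        ssl_certificate     /etc/nginx/tls/www.example.com.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;   # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # The "/friends" part of the URL selects this location block:
        # static content is served straight from disk, i.e. the server
        # "searches for the content you are requesting".
        location /friends {
            root  /var/www/site;              # serves /var/www/site/friends/index.html
            index index.html;
        }

        # Everything else is proxied to an application backend. The browser
        # only ever talks TLS to NGINX, which acts as the encrypting proxy.
        location / {
            proxy_pass http://127.0.0.1:8080;             # placeholder backend
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        }
    }
}
```

Check a configuration like this with `nginx -t` before reloading; the point to keep in mind for the rest of the post is that every secret here (the key, the pages on disk, the traffic to the backend) lives in plain view of the operating system unless something like an enclave takes it out of the host's reach.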

Wrap-up

Businesses can now benefit from complete end-to-end container encryption of their web server content. At any given moment in time, the code and data are fully secure and stay anonymous.

Coming back to our earlier example: if personal data has to be used while requesting and viewing the content of www.netflix.com/friends, and Netflix is using NGINX-SGX to handle your request (and a million others), you can be 100% sure that your user data will never be in any danger and will stay fully anonymous.

Watching “Friends” on Netflix was therefore never as safe and secure as it would be with our product.
