NGINX, pronounced as ‘engine ex’, is an open-source web server software, widely used by developers.
Before we get into any details on this, let’s start by first explaining what a web server is.
Whenever you open your browser, type a URL and press enter, you are requesting the content behind that URL. That content is stored on remote computers, which accept your request (addressed by the URL) and send the content back as a response.
Web servers are these remote computers that deliver the requested web pages. Every web server has an IP address and a domain name.
Let us make this clearer with an example:
You open your favourite browser, type www.netflix.com/friends and click enter. In this URL, www.netflix.com is the domain name, and /friends is the page you want to see.
So www.netflix.com routes your request to the remote computer, i.e. the web server, which then looks up the content you are requesting. In our case, the best show ever: “Friends” 🙂
So what about NGINX?
NGINX is an open-source web server, which is designed for maximum performance and stability.
If you are developing a web application and want to host it yourself, you may have a tough time handling all the requests coming in for that content, and you may experience frequent downtime while serving even a handful of requests.
NGINX is a web server that solves such efficiency issues because it provides you with the tools to optimally handle thousands of requests at the same time. This is why NGINX is one of the most reliable servers out there.
Now let’s talk about Intel SGX
Before we jump into our NGINX-SGX product, here is a short introduction to Intel Software Guard Extensions (SGX).
Intel SGX delivers hardware-enforced isolation and memory (RAM) encryption as a form of confidential computing. Using so-called enclaves, the code and data specific to each application stay completely isolated from the rest of the system. Running data and application code inside an enclave provides additional security, privacy and trust guarantees, which makes these secure containers an ideal choice for (untrusted) cloud environments.
The application code executing within an Intel SGX enclave:
- Remains protected even when the BIOS, VMM, OS and drivers are compromised, meaning that an attacker with full execution control over the platform can be kept at bay
- Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
- Never leaks or de-anonymizes its data, program code or protocol messages at any moment in time
- Reduces the trusted computing base of its parent application to the smallest possible footprint
Check out our blog post “Confidential Computing Explained” and learn more about confidential computing technology.
Why use NGINX-SGX (instead of “vanilla” NGINX) images?
So imagine if you could get all these encryption features of Intel SGX as a “Plus” version of the NGINX software. This is what NGINX-SGX brings to the table.
The NGINX-SGX product, now provided by enclaive, combines the confidential computing technology of Intel SGX with the NGINX software. The NGINX application code runs inside the secure enclave while the requested URL content is served back to the requester. NGINX-SGX provides a “black box” that holds the entire requested content, making sure there are no leaks of sensitive data.
The following benefits come for free with NGINX-SGX:
- “Small step for a dev, giant leap for a zero-trust infrastructure”
- You can now have all the business benefits from the migration to a (public) cloud without sacrificing on-premise infrastructure trust
- Hardened security against kernel-space exploits, malicious and accidental privileged-insider attacks, UEFI firmware exploits and other “root”-level attacks that corrupt the application in order to infiltrate your network and systems
- It can run in any hosting environment regardless of geo-location and comply with privacy export regulations such as Schrems II
- GDPR/CCPA-compliant processing of user data (“data in use”) in the cloud; the data stays anonymized thanks to the secure enclave
Businesses can now benefit from complete end-to-end container encryption of their web server content. At any given moment in time, the code and data are fully secured and remain anonymous.
Coming back to our earlier example: if any personal data is involved when you request and consume the content of www.netflix.com/friends, and Netflix is using NGINX-SGX to handle your request (and a million others), you can be 100% sure that your user data will never be in any danger and will stay fully anonymous.
Watching “Friends” on Netflix has therefore never been as safe and secure as it would be with our product.