Secure Enclaves: Data Protection So Secure, No One Knows About It

Secure enclaves may be the technology that no one has heard of—yet

The primary objective of cybersecurity is to protect data. While data security solutions have existed almost since the beginning of mass data creation and collection, they’ve not been all that successful. Breaches continue, as hackers and insiders always find a way to the ultimate data prize. Worse yet, this 30-year “cat-and-mouse” game has built data security into a vastly complex, lucrative and ultimately unsuccessful market, with businesses paying the hefty bill.

Data breaches continue to occur because, at its core, data cannot be protected by encryption alone while it is in use. Data in its purest form is inherently weak. Even encrypted data must eventually be exposed because, for all intents and purposes, it must be decrypted to be processed. To put it more simply, on conventional systems data cannot be secured and used at the same time. This is data's ultimate weakness.

In today's conventional computer architectures, that weakness means data, and the code of the applications processing it, sit unencrypted in RAM while in use. Anyone who gains root (administrator) or physical access to the host can read that memory: an attacker, or a simply programmed bot, with root can dump any process's address space, and physical access allows DMA or cold-boot attacks on the DRAM itself. A memory dump reveals the plaintext data, or the keys that protect it, and that unravels every software-layer protection beneath it, including disk and network encryption, because those keys are themselves held in memory.
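To make the memory-dump point concrete, here is an added example (not code from the original post or from Anjuna) of the classic key-schedule search that Halderman et al. used in their 2008 cold-boot work: an AES implementation keeps the expanded 176-byte key schedule in RAM next to the 16-byte key, and that structure is detectable in a raw memory image. The "memory image" below is constructed inline (pseudo-random filler with one schedule embedded), the function and variable names are this example's own, and the S-box is generated from GF(2^8) arithmetic rather than pasted as a table.

```python
"""Locate AES-128 key schedules in a memory image (constructed example)."""
import random


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF


def _build_sbox() -> list:
    """FIPS-197 S-box: multiplicative inverse followed by the affine transform."""
    inv = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                inv[a] = b
                break
    sbox = []
    for a in range(256):
        x = inv[a]
        s = x
        for _ in range(4):          # s = x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4)
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes) -> bytes:
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte round-key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= RCON[i // 4 - 1]          # Rcon
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key) wherever a 16-byte window is immediately followed by
    its own AES-128 key schedule, the footprint a running AES leaves in memory."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if image[off:off + 176] == expand_key(cand):
            hits.append((off, cand))
    return hits


def build_memory_image(key: bytes, with_schedule: bool = True, seed: int = 7) -> bytes:
    """Constructed stand-in for a heap dump: deterministic pseudo-random filler with
    either the full expanded schedule (as an AES library would leave it) or only
    the bare 16-byte key embedded at offset 1024."""
    rng = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(n))

    payload = expand_key(key) if with_schedule else key
    return filler(1024) + payload + filler(1024)


if __name__ == "__main__":
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A test key
    for off, found in find_aes128_keys(build_memory_image(k)):
        print(f"AES-128 key schedule at offset {off:#x}: key = {found.hex()}")
```

Run against the constructed image, the scan recovers the key at offset 0x400 without any knowledge of where the application stored it; run against the same image with only the bare key embedded, it finds nothing, which is why real forensic tools fall back to entropy scanning for keys that were never expanded in place. Either way the point of the paragraph stands: once the memory is readable, the key is a pattern search away.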

End User Data Made Strong

That's changing. Academia and industry have known the solution in principle for years: build execution and storage environments rooted in trusted hardware, so that the hardware itself, rather than the operating system or its administrator, decides what is ever exposed in the clear. One form of this is already widespread on end-user devices. Most modern laptops pair full-disk encryption with a hardware key store (a TPM or a dedicated security chip) that seals the disk key to the device and its boot state, and the integration is so seamless that users never notice it unless the laptop is lost or stolen. Because "owning" the device no longer means "owning" the data on it, the thief gets an encrypted disk and no key. Hardware-rooted data protection is here, at least for data at rest on end-user devices.

CISOs and Servers Left Behind

Unfortunately, CISOs today must still presume their data is insecure by default. That means they hold as tightly to their sensitive data as they do to an unencrypted hard drive. This lack of data security, they tell us, is the last great barrier to the dream many of them hold for total cloud migration.

There's good reason for this belief. Migrating applications and data to the cloud still means exposing that data, in the clear while it is processed, to cloud-provider employees and other insiders the customer can neither see nor control. The ongoing parade of insider breaches only affirms these fears.

As a result, CISOs continue to maintain both on-site and cloud infrastructure and teams, which cost their organizations immense amounts of time and money. Cloud service providers lose out on customer opportunities. Everyone loses, except for the bad actors. That puts immense pressure on the industry to find a better solution.

The Vendors Got the Memo

Addressing this central issue, the leading microprocessor vendors and cloud providers, among them Intel (SGX), AMD (SEV), Microsoft Azure (confidential computing) and Amazon (Nitro Enclaves), are building security features into their CPUs and platforms that allow the creation of protected execution environments known as secure enclaves, or trusted execution environments. Inside an enclave, application code and data (including encryption keys) live in memory that the CPU encrypts and isolates, so they remain protected even from an insider or attacker with full physical or root access: the hypervisor, the operating system and an administrator with a debugger or a memory dump see only ciphertext. This resolves, for data in memory, the secure-or-use paradox described above. Extended by software, the same protection covers storage and network communications as well, because the keys for those never leave the enclave. With enclaves, physical or root access to hardware no longer means access to data, and data can be secured by default from the moment it is created to the moment it is retired. The caveat a practitioner should keep in mind is where trust now sits: in the CPU vendor, in the attestation that proves the intended code is running inside the enclave, and in the enclave code itself, which remains exposed to its own bugs and to side-channel attacks that enclaves do not address by themselves.

Secure Enclaves: Data Secured by Default

For those CISOs and enterprises that take advantage of this technology, the benefits of secure enclaves are huge. At the top of this list is the safe migration and operation of even the most sensitive enterprise applications and data to the cloud, allowing organizations to eliminate parallel on-premises and cloud operations.

It also means IT can substantially rationalize its layered security product portfolio and security processes for greater flexibility, security and savings. When hardware-grade protection makes data secure by default even on a compromised host, the many compensating layers of perimeter and host protection that exist only to keep untrusted parties away from plaintext become far less critical, though they still protect the enclave's inputs, outputs and availability.

With data that is enclaved, and thus encrypted in memory and isolated from every insider who does not hold the enclave's keys, data is secure by default everywhere, even in environments the enterprise does not trust, creating entirely new opportunities to reach new customers in new geographies more effectively.

Secure Enclaves Made Easy

These opportunities start with the raw silicon-level enclave features built into modern CPUs and clouds. But more is required to make secure enclave technology usable by enterprises in the real world: the native enclave SDKs expect applications to be partitioned and rewritten around the enclave boundary. Secure enclave runtime software now makes application and data enclaving simple for enterprises to implement, by running the existing, unmodified application binary inside the enclave with almost no disruption to existing IT operations.

That combination of power and simple implementation promises to eliminate the security cat-and-mouse game among CISOs, bad actors and vendors once and for all. Secure enclaves may be the technology that no one has heard of—yet. But very soon it will usher in a new era of computing where ultimate hardware-grade protections make data intrinsically secured by default everywhere it’s used, run or stored. And when done right, no one but CISOs and bad actors will ever notice.

Ayal Yogev

Ayal Yogev is the CEO and co-founder of Anjuna, with 20 years of experience building enterprise security products. Ayal has held multiple senior product management positions including VP of product management at SafeBreach, a Sequoia-backed enterprise security startup; managing the OpenDNS Umbrella product management team that was acquired by Cisco, and managing a product line at Imperva for the three years leading to its IPO. Ayal holds an MBA with honors from UC Berkeley, and Electrical Engineering and Computer Science degrees from Tel Aviv University.
