Keeping Data Secure and Confidential in Public Clouds

Keeping Data Secure and Confidential in Public Clouds

By Special Guest
Anand Kashyap, CTO and Co-founder, Fortanix
  |  April 21, 2020

In 2019 and earlier, we witnessed numerous cybersecurity breaches, where hackers attacked a system’s weakest points.  While data is mostly encrypted at rest and in transit, vulnerabilities occur when data is in use, or at runtime.  In 2020, enterprises need to look to new encryption technologies paired with key management to protect sensitive data, particularly in cloud and multi-cloud environments.  The current macro-economic climate fueled by the COVID-19 pandemic is forcing even more enterprises to move their sensitive workloads to public cloud.  Securing data throughout its lifecycle is of paramount importance to them.

When protecting data in public cloud environments, a new approach has emerged around hardware-based confidential computing solutions available for the public cloud.  This approach is also being promoted by the Confidential Computing Consortium, which has been formed recently by cloud service providers (CSPs), chip vendors, and security companies.  CSPs now offer hardware platforms enabling confidential computing solutions to be deployed in the cloud to secure data at rest, in transit, and now also in use.  Previously, organizations were able to protect data by encrypting it only at rest and in transit.  At runtime, however, data was exposed when being used by the CPU.  

If not for today’s increasing adoption of secure enclave technologies, such as Intel (News - Alert) Software Guard Extensions (Intel SGX), confidential computing would be impractical.  Other approaches, such as fully homomorphic encryption, in practice are too cumbersome and slow to work and are not practical for many of today’s complex application use cases and cloud environments.

Confidential computing using secure enclaves protects data running in the CPU by creating a Trusted Execution Environment (TEE) to secure sensitive applications and data.  TEEs enable general purpose computation on encrypted data without exposing data or plain-text application code, and provide complete cryptographic protection for applications with the performance needed by enterprises.

However, the need for the CSP (News - Alert) to host the cryptographic keys used to encrypt and decrypt sensitive data presented a barrier.  Even though the TEE protects data and application code from root-user and unauthorized system access, the data remained at risk unless organizations maintain exclusive control over their encryption keys.  With a “Bring Your Own Key” (BYOK) approach, the CSP holds an organization’s keys to encrypt and decrypt data.  Not surprisingly, few security managers should be comfortable with this, and it has presented a security issue that needs to be addressed if the benefits of end-to-end encryption are to be fully realized.

Today’s innovations in cloud-native APIs allow users to integrate their own key management systems to retain control of their encryption keys.  With a “Bring Your Own Key Management Service” (BYOKMS) approach for confidential computing, organizations store their encryption keys in their data centers or within a contracted facility by using a hardware security module (HSM).  With keys retrieved from the HSM when they are required by an application, the API connects the HSM to the cloud service.  This allows the keys to work seamlessly with confidential computing in the cloud, with a single point of control for auditability and management.  As a unified system, BYOKMS can handle data encryption, tokenization, and shared secrets, while protecting data and applications on-premises, in hybrid clouds, and in public cloud environments.

With BYOKMS, organizations keep exclusive control over who can see their data, delivering a number of important benefits.  Controlling their own keys allows organizations to safely move applications to the public cloud, even if they must comply with regulations, such as the Payment Card Industry Data Security Standard (PCI (News - Alert) DSS).  Key management with regional isolation also helps with compliance with the EU’s General Data Protection Regulation (GDPR) and comparable data sovereignty laws.  Overall, BYOKMS significantly reduces the chances of key secrecy being violated in a shared infrastructure, including by government officials or the CSP itself.  If an organization’s Governance, Risk and Compliance (GRC) policies require pervasive data encryption, organizations can now adhere to them while migrating data and applications into multi-cloud, public cloud and hybrid environments.

Overall, BYOKMS leads to predictable consumption.  Organizations are now able to migrate cloud workloads across multiple environments to manage load levels without concern for data risk.  They can also integrate applications in a more flexible manner because it no longer matters where the data resides.  By storing keys in data centers that are close to critical apps, end-to-end cryptographic security with confidential computing will not slow down data processing.

Implementing the right technology is only part of the story around moving sensitive data to various cloud infrastructures.  Trusting the cloud involves a change in mindset toward the cloud.  Organizations need to be ready to embrace data security in the cloud, and developers must understand the new API landscape for securing data in the cloud.  Moving forward, security staff members have to think differently about the key management lifecycle.  This is because confidential computing is real.

About the author:  Anand Kashyap is the co-founder and CTO at Fortanix, and leads engineering and product development.  He also leads the customer acquisition and customer success process at Fortanix, working closely with customers and partners in enabling technical sales.  Previously, Anand worked at VMware through the acquisition of Arkin.  He developed the core engine for netflow analysis in VMware NSX environments, which is now part of the VMware vRealize Network Insight product.  Before VMware, he worked for several years as a lead researcher at the Symantec (News - Alert) Research Labs, where he developed foundational technologies used in several products, such as the Norton Mobile Security suite, Norton Core Router, Symantec Risk Insight, and Symantec Deepsight Intellgence.  He filed over 25 patents and presented in conferences such as Financial Cryptography and BlackHat.  Anand holds a PhD in Computer Science from Stony Brook University and a Bachelor of Technology in Computer Science from IIT Kanpur.  He has published 20 papers in top conferences and journals and his work has received over 1100 citations.




Edited by Erik Linask