Dark Reading is part of the Informa Tech Division of Informa PLC

IBM Cloud Data Shield Brings Confidential Computing to Public Cloud

The Cloud Data Shield relies on confidential computing, which protects data while it's in use by enterprise applications.

IBM today announced the general availability of IBM Cloud Data Shield, a service built to better protect business applications while information is at rest, in transit, and in use. The platform, developed in a partnership with Fortanix, relies on confidential computing, a technology gaining traction as more organizations seek new ways to secure their sensitive data in the cloud.

Cloud Data Shield, which went into beta in late February, contains Fortanix's Runtime Encryption platform and Intel Software Guard Extensions (SGX) technology. The combination enables "confidential computing," a term used to describe the protection of data in use by performing processes in a hardware-based trusted execution environment (TEE). A TEE ensures that only authorized code can execute in an environment and that external forces can't tamper with it.

Modern approaches to cloud security address data at rest, when it's on a hard drive or in a storage system, and in transit, when it's moving between locations. Few secure data when it's in use by an application and exposed in memory. Data must be decrypted for an application to use it, making it possible for criminals or insiders to access the data while an application runs.

"A user with privileged access can take a memory dump at run time and could still access the sensitive information stored in memory," says Nataraj Nagaratnam, CTO and director of cloud security for IBM Cloud and Cognitive Software. In-memory encryption, another term for confidential computing, encrypts data in use to eliminate the possibility of exposure.

Cloud Data Shield lets users run containerized applications in a secure enclave on an IBM Cloud Kubernetes Service host. The service supports user-level code to allocate enclaves, which are protected from processes running at higher levels of privilege. IBM offers TEE-based secure enclaves in Bare Metal servers and in Kubernetes Nodes in all cloud data centers, and it teamed with Fortanix so clients could use TEE without learning the ins and outs of secure enclaves. 

"You don't have to understand how enclaves work," explains Fortanix CEO Ambuj Kumar. Cloud Data Shield runs containerized applications on IBM Cloud Kubernetes or Red Hat OpenShift, both in a secure enclave running on Intel SGX hardware. Customers can use their own custom application without modifying it to access all features of the service. When the container is converted, users can access a dashboard to see how the application is running.

"You get the visibility, and your software is now running securely without you having to configure or recompile your container," Kumar says. Application writers don't have to worry about changing anything. There is an option to use the open source Enclave Development Platform (EDP) to write native applications for confidential computing environments, IBM says.

During the year-long beta period, Nagaratnam says, his team learned about clients' requirements to run different languages and expanded the language capabilities as a result. Fortanix's runtime encryption OS lets containerized applications run in the secure enclaves with no code change, and it supports languages including C, C++, Python, and Java. They also learned the utility of having some curated applications, like NGINX, Vault, and MySQL, run on the TEE.

Confidential Computing: What It Is, Why It's Growing

Confidential computing is not new; however, it is becoming more broadly known and discussed as businesses look for new ways to protect sensitive data from this kind of threat. In August 2019 the Linux Foundation announced plans to form the Confidential Computing Consortium (CCC), a nonprofit made up of hardware vendors, cloud providers, developers, open source pros, and academics focused on defining and driving adoption of confidential computing.

"It's always been a niche thing that's been hard to go mainstream, and it's really pretty new," says Jim Reavis, co-founder and CEO of the Cloud Security Alliance. This has begun to shift. The current attitude toward confidential computing mirrors the early attitudes toward the cloud.

"Twelve years ago, we saw interest in 'kicking the tires' on cloud, in general, to see if it was something that would be valid for highly sensitive information where you don't want any sort of a window of it decrypted," Reavis continues. Now, with confidential computing, businesses are trying to understand the types of attacks that require it and costs of application migration.

A few scenarios would require the security that confidential computing promises. Reavis points to insider attacks inside a cloud provider, where a business doesn't trust the infrastructure provided. While some attacks could resemble this, he says, providers are usually pretty secure.

There is a bigger interest in confidential computing from a compliance and risk management perspective, he continues. Organizations are worried about scenarios in which a cloud provider is in a foreign country, or has relations with a country, and the government requests access to data. They want to assure themselves they have decoupled provider access and root of trust, and know that the information is isolated in the secure enclave.

The interest is stronger in the military, central banks, and financial services organizations where "they do worry about disruptions to the supply chain or memory attacks that are very sophisticated," Reavis says. These days, there are actors who could pull those attacks off.

Questions remain about how comfortable businesses are with the secure enclave tech, which is a more secure architecture but still relatively young. Still, confidential computing is based on principles of isolation, sandboxing, and trusted platform modules that have been around for a long time. Sophisticated businesses are investing in this technology and starting to pilot applications.

"They definitely see this as a very solid concept," Reavis notes.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...