paint-brush
Cloud Data Security and the Need for Confidential Containersby@enclaive
1,706 reads
1,706 reads

Cloud Data Security and the Need for Confidential Containers

by enclaive GmbHOctober 30th, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

The move to the cloud has been a bumpy road regarding security and data protection. Cloud computing allows companies to focus on what sets them apart, their products and services. Confidential Compute Container technology executes applications in a secure and trustworthy, and encrypted black box. Enclaive has come up with a series of ready-to-use and easy to-implement confidential containers for the most used open-source stack out there. The technology is not new and is an indispensable part of cloud computing.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Cloud Data Security and the Need for Confidential Containers
enclaive GmbH HackerNoon profile picture

The need for solid data security

Cloud computing is one of the most exciting innovations provided by the Information Technology Industry in the last decades. With the provisioning of computing infrastructure consisting of infinite computing and storage and network capacity, the operation of software has fundamentally changed: Companies can now build on infrastructure without being responsible for running it themselves.


They simply purchase only the capacity they actually need when they need it. This flexibility, coupled with easy scalability, comes with cost savings. Instead of using costly resources to maintain their own on-site data center, cloud computing allows companies to focus on what sets them apart, their products and services.


However, the move to the cloud has been a bumpy road regarding security and data protection. Today’s more sophisticated clients will ask what underlying technology is used, who owns the license and the intellectual property, or can this license be invalidated by any government. In other words, to what extent can I trust this service? When it comes to data: how is it secured, who owns it, who has access to it, especially under what circumstances, and under which jurisdiction?

Confidential Containers explained

With Confidential Cloud Computing, a technical solution has become a reality to separate the provision of the compute infrastructure from the actual use of the infrastructure, as well as to be able to prove compliance with data regulations protection information and IP. Technically, the separation is realized by utilizing the Confidential Compute Container technology, which, in simple terms, executes applications in a secure and trustworthy, and encrypted black box, so that the cloud provider cannot see any of the code and/or data being processed. The truly innovative aspect of the technology is that not only the storage ("data in rest") or transport ("data in transit"), but for the first time also the processing of the data is always intransparent ("data in use"). This isolates the data processing from the operating system and the applications running on it. During processing, neither the (cloud) service provider, administrator, nor a (compromising) third party has access to the data.


This container technology is not new and is an indispensable part of cloud computing. A container is the most essential component of a cloud application. In its simplest form, it is an application. Containers can be efficiently started, stopped, or migrated and composed.


A Confidential Container differs from a normal container in that it is encrypted and authenticated. Applications are started in an enclave. For this purpose, the CPU reserves an area of physical memory before the boot process. A process that the operating system loads into the area are encrypted by the CPU. Only the CPU knows the key, which is freshly generated after each boot process derived from a unique hardware key. The TPM property of the CPU protects the key from extraction.

Figure 1: Confidential containers are programs and data that are loaded into an encrypted storage area so that content and execution can be authenticated and verified in encrypted form.

Another innovation of Confidential Containers is that they can be authenticated. The author of the container signs the image. This means that containers not only have an identity but can also be easily standardized and certified.

In a nutshell:

Figure 2: Container Features

Enclaive’s core project: “The Base”

Enclaive has come up with a series of ready-to-use and easy-to-implement confidential containers for the most used open-source stack out there. We build easy-to-use containers with the extra power that the container application is full memory encrypted at any moment in time during execution and can also prove its confidential state to a third party.


Our “base” is a fully managed container registry, that helps you store, manage and deploy containers easily and wherever you need. We cover everything from database, to data-in-use and analytics. And the beauty of it is that you do not need to worry about how to operate your own containers or about the underlying infrastructure.

What exactly is included in “the base”?

Web Servers

Easily and reliably host a website for your business, organization, or project while retaining complete control over your site’s underlying infrastructure. Enclaive gives you flexible options to shield your website and deal with the privacy challenges of your customers.

Development Runtimes

Create and execute your applications in a secure and shielded way. Enclaive provides flexible encrypted containers sized for any application, industry-leading performance, and predictable pricing.

Data-in-use/Encrypting DBs

Build and release faster with scalable store products on-premise or in the cloud. Enclaive provides encrypted database solutions meeting the privacy needs of your business and makes sure customer data — the most valuable asset — find a protective place.

Content Management Systems / eCommerce

Sell your product with ready-to-use eCommerce platforms. Enclaive provides modular content management and eCommerce platforms suited for any B2B and B2C application, industry-leading price to performance, and security and privacy to shield customer data and the reputation of your business.

Analytics

Derive new value and business opportunities from sensitive data assets that were previously not possible. Enclaive provides GDPR/CCPR-compliant processing of data and protects the intellectual property of models. Share business data with any neuronal network without leaking business information. Shield trained networks from intellectual property infringement while running on your customers’ premises neither revealing any information about the network nor allowing to copy and replicate the network and data.

IoT/Edge Computing

Build and release faster with scalable IoT messaging products in the cloud. Enclaive provides flexible containers sized for any application, industry-leading communication protocols for enterprise-ready performance, and the highest level of cybersecurity.

So to sum up: why should you use our Confidential Containers instead of the “vanilla” version”

The following benefits come for free with the confidential version of our containers:

  • A Confidential Container gives data the safest place an application/database can give going beyond encryption ("data at rest")
  • It provides a significantly reduced attack surface thanks to hardware-based memory protection. At any moment in time, the microservices in the confidential containers processing the data, storing data in the SQL database, and forwarding the data to other microservices are protected. Neither enclaive nor the hosting provider can inspect the data.
  • Hardened security against memory dumps, query, and user de-anonymization including kernel-space exploits, malicious and accidental privilege insider attacks, UEFI firmware exploits, and other "root" attacks using the corruption of the application to infiltrate your network and system
  • Runs on any hosting environment irrespectively of geo-location and complies with privacy export regulations, such as Schrems-II
  • GDPR/CCPA compliant processing ("data in use") of user data in the cloud as data is anonymized thanks to the enclave

About ENCLAIVE

enclaive is a deep-tech high-growth technology company working on solving some of the most challenging and interesting technology projects around confidential computing. We strongly believe confidential computing is a game-changing technology that is key to cloud computing's mass adoption. Enclaive answers the essential question: “Why should I trust a cloud.”