The Rise of the Confidential Compute Cloud
Confidential Compute (CC) is a powerful new paradigm, embarking on the cloud computing space. It won’t take much time and a cloud will naturally transform into a confidential one. There are several strong arguments. All of them are centered around creating business value and growth in data-driven sovereign societies. The reason is Confidential Cloud Computing raises the bar in securely storing and most notably processing data in use. In fact, Confidential Cloud Computing is an important cloud enabling technology to base data-driven SaaS and PaaS applications on solid foundations.
Enclaive’s Confidential Container Stack “The Base” for Azure’s DCs-Series
While the Azure team did some wonderful work to provide CC-ready compute infrastructures, the missing building blocks are CC-ready applications. In the last decade, container technologies have established and simplified the deployment, integration, and management of software in the cloud. In fact, they are the cornerstone in the development of cloud applications. Confidential Compute Containers are the natural evolution. They are compatible with DevOps best practices like Docker, Kubernetes and OpenShift. Leveraging confidential compute, they added some important functionalities, including:
- Fully in-memory encrypted execution to conceal data and code
- Encrypted and authenticated (shared) volume/files to persistently store data
- Container authentication to identify the author and application code
- Container attestation to remotely verify the container identity
- Container (secret) provisioning to update the volume with files, environment variables or secrets
Putting it all together, The Base is a solid collection of open-source applications to build, test and deploy a plethora of cloud applications.
Getting Started: 3steps to a Confidential Cloud
Enclaive’s “The Base” Containers are compatible with DevOps best practices like Docker, Kubernetes, and OpenShift. All they require to be executed is a VM supporting Intel SGX technology (DCsv2/DCsv3-series).
Quickstart: Available on Azure Marketplace
The Base is also available on the Azure marketplace
Build via GitHub
To run a confidential compute base container, set up a VM and pull the image:
1. Configure an Azure DCs-series VM
Note, in the configuration all drivers are upstreamed.
2. Pull the confidential container from enclaive’s github repository
3. Start (building) the container
Use Case: Data-in-Use Encryption in MariaDB
Databases play a key role in cloud applications today. So, the protection of data is crucial for any business. Data-at-rest and data-in-transit are concepts that have been introduced to protect databases. One of the longest open problems was protecting databases while in use. In contrast to data-at-rest encryption, the data is protected in memory during execution. That means not only the data file system is encrypted, but also the query processing it. Effectively the database runs in a black box and acts like an oracle: one can challenge the oracle; however, one learns nothing about the data within the oracle.
With enclaive’s confidential container technology data-in-use protection comes from the container packaging. Below a demo showcasing what happens when one inserts a SQL query into a non-confidential and confidential MariaDB container. The first allows reading the database content after a memory dump while data can only be seen encrypted with the confidential container version.
Youtube Link: https://youtu.be/PI2PosrdrCk
Use Case: Data-in-Use Integrity Protection of protected Volume/Files against Container Escapes
Container escape is a security risk in which malicious players can leverage a containerized application’s vulnerabilities to breach its isolation boundary, gaining access to the host system’s resources. Once an attacker accesses the host system, they can escalate their privilege to access other containers running in the machine or run harmful code on the host. Container escape and privilege escalation attacks can be devastating — costing you sensitive information from files or databases or leading to entire applications going down.
Confidential Containers enable a new kind of volume to mount a protected file system. A protected volume/file system can either be confidential and/or authenticated. This way, one may protect against attempts to extract sensitive information from files or their modification. In a container escape, for example, the attacker may attempt to alter configuration files, extract secrets, and environment variables. Below is a demo showcasing what happens when one attempts to modify a file in a non-confidential and confidential container. The first allows to replace the content from a file while reading. The enclaive protected file system detects the modification.
YouTube Link: https://youtu.be/RnZjhZinOE8
Enclaive’s mission is to ease the development of confidential compute environments and help developers, devops, and businesses to deploy in confidential clouds. Next to the open-sourced “The Base” community containers enclaive offers and maintains a larger portfolio of Confidential Compute enterprise ready containers and services, reducing time and costs to leverage a confidential cloud.
For more information, check out:
Get in touch via firstname.lastname@example.org to explore how enclaive technology helps you. Join us on Discord to become part of the growing open-source enclaive community.
The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.