There is tremendous opportunity for application and solution developers to take charge of their data security using new hardware-based controls for cloud and enterprise environments. Intel® Software Guard Extensions (Intel® SGX), available in its second-generation on the new Intel® Xeon® E-2100 processor, offers hardware-based memory encryption that isolates specific application code and data in memory. Intel® SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. We believe only Intel offers such a granular level of control and protection.
Think about it like a lockbox in your home. Even though you have locks on your doors and a home security system, you may still secure your most sensitive data in a private lockbox with a separate key to provide extra layers of protection even if someone gained unwanted access to your home. Essentially, Intel® SGX is a lockbox inside a system’s memory, helping protect the data while it’s in-use during runtime.
This explanation is simplified, of course. It’s actually a complex engineering challenge to build a protection like this at the processor-silicon level and enable it with a broad ecosystem. Intel works with OEMs, OS vendors, and application developers to align on standards and implementation, and create solutions that can be deployed today in enterprises and cloud services. Cloud Service Providers (CSPs) now have an opportunity to expand their business to a greater range of sensitive workloads by deploying this technology which can help address enterprise security concerns and differentiate their services.
A Matter of Trust
Intel recommends a layered approach to security, with hardware security at the foundation. Intel® SGX helps protect user-selected sensitive data within an application, and sensitive application code itself, so you don’t have to solely rely on the security of other apps, the guest or host OS, or hypervisor. The more components of the system that have to be trusted, the wider the trust boundary, and therefore the more opportunities for exposure if one of those components was compromised. Intel® SGX offers a tighter trust boundary, narrowing it down to just the CPU and microcode. So even in the case of a rogue administrator or malware with read access to system memory, the attacker still wouldn’t have access to readable data within the Intel® SGX enclave. This provides added protection for your most sensitive data, such as private cryptographic keys.
Analogies and hypotheticals are useful to understand the technology, but with any new product, real-world demonstrations are what customers are after. Intel® SGX is already being utilized by security-conscious market leaders across a number of different domains for a variety of uses, including:
- Alibaba Cloud
- Baidu for Memory Safe Function
- Fortanix Runtime Encryption
- IBM Cloud
- Microsoft Azure Confidential Computing
- R3 Corda for Open Source Blockchain
Today, the most popular use of Intel® SGX is for key protection. This makes sense, since private keys are often the most sensitive data an organization has, as they are used to encrypt/decrypt confidential data. Check out my blog, The Key to Enhanced Data Protection, to learn more about key protection.
Security is a constantly evolving landscape. As we’ve highlighted, Intel® Xeon® E processors with Intel® SGX can be used in concert with existing data center infrastructure, to help protect the most sensitive portions of an application or data being used in a workload or service. We are working on an entire roadmap for Intel® SGX to scale across our Intel® Xeon® processor portfolio. Our Intel® Xeon® E processor line is the perfect place for service providers to start testing and building proofs-of-concepts. Find more information on the Intel® SGX website.
No product or component can be absolutely secure. Intel® technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at www.intel.com.