Intel® SGX Data Protections Now Available for Mainstream Cloud Platforms

The world’s top cloud service providers (CSPs) are working to deliver more secure computing in order to meet customer demand and help ease concerns about protecting the confidentiality of data in the public cloud. Encryption of data at rest and in transit has become standard best-practice, but encryption for data while active in memory is an important improvement for the entire cloud industry that’s just starting to take hold.

Intel® Software Guard Extensions (Intel® SGX) offers hardware-based memory encryption that helps isolate specific application code and data in memory, allowing user-level code to allocate private regions of memory (enclaves), which are designed to be protected from processes running at higher privilege levels. Intel SGX offers a very granular level of control and protection to ensure developers have maximum flexibility in protecting their data.

Intel® SGX

As I wrote last fall, Intel SGX is available on the latest Intel® Xeon® E3 processors and is currently being used by some of the top cloud providers, including Alibaba Cloud*, Baidu*, IBM Cloud Data Guard*, and Microsoft Azure* for various projects. Driving the ecosystem even further is Fortanix, which is building an entire line of business around the technology and servicing a wide range of clients.

However, the vast majority of cloud servers deployed today have dual-socket processors in them.  And though Intel SGX technology will be available on future multi-socket Intel Xeon Scalable processors, there is pressing demand for its security benefits in this space now. In order to address this immediate need, Intel is accelerating deployment of Intel SGX technology by innovating within the framework of a surprising source—the Intel® Visual Compute Accelerator (Intel® VCA) card.

Introducing the Intel® SGX Card

Image of the Intel SGX card from Intel Visual Compute Accelerator

Intel VCA is a purpose-built accelerator designed to boost performance of visual computing workloads like media transcoding, object recognition and tracking, and cloud gaming, originally developed as a way to improve video creation and delivery. In the Intel® SGX Card, the graphics accelerator has been disabled and the system re-optimized specifically for security purposes. In order to take advantage of Intel SGX technology, three Intel Xeon E3 processors are hosted in the card, which can fit inside existing, multi-socket server platforms being used in data centers today.

The Intel SGX Card hosts three independent Intel SGX-enabled CPUs used for offloading performance-hungry tasks that require additional protection, and attach to the platform via standard x16. PCI Express. A standard 2U Intel Xeon Scalable server can support up to four cards, meaning a total of 12 Intel SGX-enabled CPUs in the platform dedicated to the processing of sensitive data.

Figure 1

With software enabling, non-enclave portions of Intel SGX-enabled applications could scale up much further than before with access to larger, non-protected memory spaces with a larger number of cores, (Fig. 1). This has the benefit of providing some potential additional side-channel protections due to compartmentalization of sensitive data to a separate processor and associated cache.

Security for Today, Preparing for Tomorrow

Leading cloud providers are developing their plans to bring the Intel® SGX Card into their infrastructure, utilizing abstraction layers to test and develop software in preparation to scale once Intel SGX is available natively on future Intel Xeon Scalable processors. CSPs are acting now to meet customer demands for increased security.

Confidential computing will continue to be an important and growing sector of public cloud services. In addition to the projects from Alibaba, Baidu, IBM, and Microsoft Azure, Google released its open source framework Asylo for containerize apps, propelling development in a number of areas. As the industry matures, Intel will continue to bring world-class technology to the market and support a wide swath of partners, from OEMs to ISVs, with the tools and resources necessary to better secure public cloud workloads.

For more information on Intel SGX, read Jesse Schrater’s blog about the technology. For more detailed information about Intel® SGX Card architecture, read the product brief. Learn more about Intel’s support for CSPs at intel.com/csp.