Protecting Data In Use With Fortanix Runtime Encryption and Intel® SGX

Our mission at Fortanix is to solve cloud security and privacy. We recognize the importance of secure and private cloud computing in unlocking the true potential of the digital era. In fact, organizations consistently rate security as one of the top challenges as they migrate to the cloud.

Fortanix recognizes the vastness of compute infrastructure and the challenges that poses in providing a consistent security experience to customers as they constantly expand their cloud footprint. Additionally, many customers employ a multi-cloud strategy, further complicating their data protection strategy.

Rather than being forced to rely upon the infrastructure to remain secure under all circumstances, Fortanix is working to decouple application security from its dependence on the integrity of the underlying infrastructure. If application code and data can be protected without having to trust the infrastructure, business owners can better innovate on scaling their business. To help make this possible, Fortanix uses protected enclaves provided by Intel® Software Guard Extensions (Intel® SGX).

Intel® SGX is a set of new instructions available in Intel® Xeon® E processors. Intel® SGX helps protect applications from various attacks that may originate at the infrastructure and operating system level, by safeguarding select code and data from an unprivileged system software attacker or system startup (such as SMM).1,2

Fortanix further recognizes that data and applications need to be protected during their entire lifecycle. In fact, data security can be characterized in three phases: data at rest, data in motion, and data in use. Data at rest has long been secured using encryption. For example, many modern laptops have their hard drives transparently encrypted with a key that is derived from the user’s password. Thus, even if a hacker steals the laptop, they are not able to access data without knowing the password. Similarly, data in motion has been secured using Transport Layer Security (TLS). Thus, when we connect to a bank website using a browser, chances are the website server sends its content over “https” to the browser. The content is encrypted in the transit, securing it from various types of attacks. It’s only when the applications start to run on servers that their data become vulnerable, because the applications need to decrypt the encrypted data. Fortanix is developing a new type of data protection called Runtime Encryption* to precisely solve the challenge of keeping data in use protected.

Fortanix thus provides a complete solution that keeps data encrypted across all three phases—at rest, in transit, and in use. What’s truly remarkable about our approach is that, by leveraging the protected enclaves provided by Intel® SGX, we can provide our solution with the performance demanded by modern cloud applications.

By using Intel® SGX to underpin our solution, we directly benefit from all the performance and feature enhancements provided by the Intel® Xeon® E processor. And, since there is no custom hardware required, the customers benefit from their investment in the Intel ecosystem without purchasing any other hardware. Not only does it reduce the cost, but not requiring any custom hardware also simplifies customer’s operations and deployment process.

One of our products is Self-Defending Key Management System* (SDKMS). SDKMS delivers next-generation HSM, key management, tokenization, and encryption capabilities, all integrated as one solution with the scale and ease of use required for modern infrastructure tools. SDKMS works for both legacy and new applications, whether on-prem or cloud, because we provide PKCS#11, KMIP, JCE, CNG, MSCAPI, and REST interface. Customers can secure their PKI, encrypt their databases, encrypt their virtual SAN appliances, or secure their HD wallets using SDKMS. The SDKMS solution can be deployed across data centers using a cloud-native remote administrator web interface. Additionally, for customers operating in the public cloud, SDKMS is provided as SaaS in partnership with Equinix.

The new Intel® Xeon® E processor series empowers SDKMS appliance with a drastic improvement in speed and performance. With Intel® Xeon® E processors, SDKMS appliances see improvements across a variety of workloads. What makes this improvement especially interesting for Fortanix and our customers is that the improvements happened without requiring any rewrite of our software. And, thus we can expect similar benefits in future as the CPU innovation continues to progress relentlessly.

Ambuj Kumar is co-founder and CEO of Fortanix, Inc., You can follow him on LinkedIn and Twitter at @ambuj0.


1 No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://www.intel.com.
2 https://software.intel.com/sites/default/files/managed/01/7b/Intel-SGX-Trusted-Computing-Base-Recovery.pdf