Cloud-based applications are becoming commonplace and bring a host of benefits for both user and developer. Cloud applications can be updated, tested, and deployed quickly, providing enterprises with the agility needed to compete in today’s business environment. Cloud-based applications do not come without additional risk, however. For a cloud-based application to work, it has to be able to read data in an unprotected format. This creates what is often referred to as the encryption gap. While encryption has proven itself an effective data protection measure, it has largely been limited to protecting data at rest and in motion; historically, it does not protect data that is in use. While data is being used by an application, it is vulnerable to a variety of attacks, and attacking applications while sensitive data is exposed has become a preferred strategy for attackers looking to exploit vulnerabilities.
Many are familiar with the term Runtime Encryption® but may wonder how it fits into the cybersecurity ecosystem. This article touches only the basics, but it will give you a view of the essential ideas surrounding data-in-use protection using secure enclaves and Runtime Encryption®. A secure enclave is a hardware-based solution in which data is decrypted, processed and encrypted again before it leaves the protected environment of the processor chip, denying any opportunity for the data to be exposed in the encryption gap. The alternative to hardware secure enclaves is software-based homomorphic encryption, which at its current state of development is too slow for practical use, so secure enclaves are the only viable option today.
The most commonly cited example of secure enclaves in use is the modern smartphone. Critical authentication and payment information is stored and processed in a secure region of the CPU, preventing exposure even if the kernel has been compromised.
To garner an expert’s view of enterprise-class hardware-based Runtime Encryption®, we spoke with Ambuj Kumar, founder and CEO of Fortanix. Fortanix is the leader in Runtime Encryption® designed for use in the enterprise. Ambuj explained that cybersecurity represents roughly a $100 Billion per year industry and is made up of two types of security. One is application security (AppSec), which addresses the question of whether or not an application has been written correctly. This segment represents $2 Billion per year of that $100 Billion; the remaining $98 Billion is spent on whether or not an application, or the data it uses, is protected from outside threats. This latter type of security has traditionally been pursued by hardening infrastructure, building firewalls, and deploying perimeter protection methods and strategies; essentially, building higher and higher walls around sensitive data.
Ambuj explained that when Runtime Encryption® is in play, higher walls to protect data are not necessary: “In the Fortanix world, all the security that is needed travels with the application. Even if your infrastructure is compromised, your application can protect itself. Fortanix provides Runtime Encryption® technology that keeps your applications protected from infrastructure threats. We decouple security from infrastructure. There is, essentially, a forcefield around the data, even when the data is in use.”
Runtime Encryption® unlocks new value for artificial intelligence apps. AI has the potential to transform society and businesses. The effectiveness of AI depends on machine learning models that need to be trained with a considerable amount of data. The more relevant the input data sets, the better the AI algorithms. Creating smarter AI often requires collecting sensitive data. However, a lack of strong security controls limits the sharing of sensitive data and in turn inhibits the potential of AI. For example, how can researchers broaden their understanding of cancer without compromising patient privacy? How do we feed car sensor data to a self-driving AI engine without revealing the vehicle’s location? How can financial firms collaborate to build better credit models while ensuring compliance? A security framework is needed to ensure that sensitive data remains confidential even when in use by AI models.
Since enterprise Runtime Encryption® is a hardware-dependent solution, questions naturally arise about the availability and compatibility of the required hardware. The chips powering cloud computing come equipped with their own version of secure enclaves, called trusted execution environments. Chips that provide a trusted execution environment include those from Intel, ARM, and AMD: AMD has its Secure Execution Environment, ARM has TrustZone, and Intel has Software Guard Extensions, or Intel SGX.
The goal is to keep your sensitive data securely encrypted while it is stored, while it moves from point to point, and now while it is being integrated and processed; Fortanix believes they have found the way to solve the $98 Billion question with Runtime Encryption®. Their mission is to solve security and privacy, and they believe that security should be deterministic. Traditionally, encryption has secured data at rest and in motion, leaving it vulnerable in use. Fortanix uses Runtime Encryption® to protect data in use, providing complete security protection throughout the lifecycle of the data, according to their website.
To see and hear Ambuj explain how Fortanix uses the power of Runtime Encryption® to protect data, watch this Nasdaq Spotlight interview with Anna Gonzalez.