Dec 6, 2020
General availability of Nitro Enclaves, recently announced by AWS, is Amazon's way of delivering confidential computing to its customers. Following similar announcements by Microsoft Azure and Google Cloud, the AWS announcement further confirms the growing demand for additional runtime protection of customers' data and other intellectual property.
Security and confidentiality of digital assets at rest, in transit and in use have been the top concerns of companies moving to the cloud. While the focus in the last few years has been on protection at rest and in transit, the new wave of confidential computing enclave announcements by all the top vendors shows their commitment to further improving the security of digital assets, removing another barrier to cloud adoption.
Even though it is indeed a great security promise, the adoption of enclave-based security will be determined first and foremost by the complexity it adds for development teams: the amount of change required to existing solutions and architectures, as well as the added deployment complexity.
There is no unified way to utilize enclaves. Very few products allow lift and shift; most will require software development and architecture changes. With three or four (and counting) different enclave technologies on the market and the huge amount of open source and 3rd party software used in customer solutions, it is almost impossible to expect that all of them will use the same enclave technology, or use enclaves at all, in an interoperable way. For example, there is no point in deploying Redis inside an enclave if everything that can query that Redis instance runs on regular VMs.
All enclave solutions available from the major cloud providers give developers the ability to utilize confidential computing capabilities, usually via APIs and SDKs. This requires developers to write code for a specific type of enclave, which basically breaks an existing application into two parts: the part that runs outside the enclave, and the confidential part that runs inside. Furthermore, developing software for enclaves requires special technical knowledge and deep security experience, which raises the deployment barrier even higher.
Customers using the ARMO platform will natively benefit from the additional security of the enclave technology without any changes to their software or architectures. ARMO automatically detects the presence of the enclaves and moves all the critical security materials and functions inside them.
While each enclave technology attests the enclaved software in its own way, ARMO continuously attests the customer software running outside of the enclave from within the enclave. This builds a chain of trust between the regular application running outside the enclave and the enclaved security anchor provided by ARMO, and automatically shifts all the sensitive cryptographic materials into the enclaves. Only continuously attested applications can communicate with the enclaves and utilize these cryptographic materials.
The result: ARMO brings the enclaves to DevOps teams, tools and methodology. By providing uniform compatibility with any existing application and cloud native architecture, ARMO allows DevOps to deploy their existing solutions on enclave-enabled devices instantaneously, at cloud scale and under a single control plane.
* All use cases are supported out of the box, require no changes to applications or architecture, and can be activated automatically by DevOps during the deployment process.
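To make the chain-of-trust idea above concrete, here is an added illustrative model (written for this page, not ARMO's or AWS's code, and not the Nitro attestation document format) of an enclaved "security anchor" that gates use of a signing key behind attestation. Everything in it is an assumption for illustration: the application images, the allowlist of expected measurements, the trusted measuring agent (`Attester`) and the key it shares with the enclave, and the 60-second re-attestation interval. The page does not say how ARMO attests applications; the model shows the properties the text claims, namely that an unmodified application gets access, a modified one and a forged attestation do not, and access lapses unless attestation is repeated.

```python
import hashlib
import hmac
import secrets

# ---- constructed sample data (assumptions, not from the page) ----
TRUSTED_APP_BINARY = b"example-app-v1"           # stands in for the deployed application image
TAMPERED_APP_BINARY = b"example-app-v1-patched"  # stands in for a modified copy of that image


def measure(binary: bytes) -> str:
    """Measurement = SHA-256 of the application image (simplified model of a PCR-style digest)."""
    return hashlib.sha256(binary).hexdigest()


class Attester:
    """Trusted measuring agent that vouches for what is actually running (assumed component)."""

    def __init__(self, key: bytes):
        self.key = key

    def evidence(self, client_id: str, binary: bytes, nonce: str):
        m = measure(binary)
        tag = hmac.new(self.key, f"{client_id}|{m}|{nonce}".encode(), "sha256").hexdigest()
        return m, tag


class EnclaveAnchor:
    """Model of the security anchor inside the enclave.

    The signing key is generated here and never leaves this object; code outside
    the enclave can only request signatures while it holds a fresh attestation.
    """

    def __init__(self, allowed_measurements, attester_key: bytes, ttl: int, clock):
        self.allowed = set(allowed_measurements)
        self.attester_key = attester_key             # key of the trusted measuring agent (assumption)
        self.signing_key = secrets.token_bytes(32)   # never exported
        self.ttl = ttl                               # seconds an attestation stays valid
        self.clock = clock                           # injectable time source
        self.nonces = {}                             # client_id -> outstanding challenge
        self.sessions = {}                           # client_id -> attestation expiry time

    def challenge(self, client_id: str) -> str:
        """Issue a fresh nonce so evidence cannot be replayed."""
        nonce = secrets.token_hex(16)
        self.nonces[client_id] = nonce
        return nonce

    def attest(self, client_id: str, measurement: str, evidence: str) -> bool:
        """Accept the client only if evidence is genuine and the measurement is expected."""
        nonce = self.nonces.pop(client_id, None)
        if nonce is None:
            return False
        expected = hmac.new(self.attester_key, f"{client_id}|{measurement}|{nonce}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, evidence):
            return False
        if measurement not in self.allowed:
            return False
        self.sessions[client_id] = self.clock() + self.ttl
        return True

    def sign(self, client_id: str, data: bytes):
        """Use the enclaved key on the client's behalf; refused once the attestation lapses."""
        expiry = self.sessions.get(client_id)
        if expiry is None or self.clock() > expiry:
            self.sessions.pop(client_id, None)
            return None
        return hmac.new(self.signing_key, data, "sha256").hexdigest()


def run_scenario() -> dict:
    """Walk through the cases the text describes and report which requests were granted."""
    now = [0]
    attester_key = b"constructed-attester-key"
    attester = Attester(attester_key)
    anchor = EnclaveAnchor([measure(TRUSTED_APP_BINARY)], attester_key, ttl=60, clock=lambda: now[0])
    results = {}

    # 1. Unmodified application attests and may use the enclaved key.
    m, ev = attester.evidence("app-1", TRUSTED_APP_BINARY, anchor.challenge("app-1"))
    results["genuine_attested"] = anchor.attest("app-1", m, ev)
    results["genuine_can_sign"] = anchor.sign("app-1", b"payload") is not None

    # 2. Modified application: genuine evidence, but the measurement is not on the allowlist.
    m, ev = attester.evidence("app-2", TAMPERED_APP_BINARY, anchor.challenge("app-2"))
    results["tampered_attested"] = anchor.attest("app-2", m, ev)
    results["tampered_can_sign"] = anchor.sign("app-2", b"payload") is not None

    # 3. Forged evidence: claims the trusted measurement but was not produced by the attester.
    nonce = anchor.challenge("app-3")
    trusted_m = measure(TRUSTED_APP_BINARY)
    forged = hmac.new(b"wrong-key", f"app-3|{trusted_m}|{nonce}".encode(), "sha256").hexdigest()
    results["forged_attested"] = anchor.attest("app-3", trusted_m, forged)

    # 4. Continuous attestation: access lapses after the TTL and returns only after re-attesting.
    now[0] = 61
    results["expired_can_sign"] = anchor.sign("app-1", b"payload") is not None
    m, ev = attester.evidence("app-1", TRUSTED_APP_BINARY, anchor.challenge("app-1"))
    results["reattested"] = anchor.attest("app-1", m, ev)
    results["reattested_can_sign"] = anchor.sign("app-1", b"payload") is not None
    return results


if __name__ == "__main__":
    for case, granted in run_scenario().items():
        print(f"{case}: {granted}")
```

The two design points worth noticing are that the key material is created inside the anchor and only ever used there (clients receive signatures, never the key), and that a successful attestation is a lease with an expiry rather than a permanent grant, which is what makes the attestation "continuous" in the sense the text uses.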