December 6, 2020

ARMO Announces Nitro Enclave support - making it DevOps ready out of the box

Shauli Rozen

CEO & Co-founder

Enabling enclaves-based security is key for enterprise cloud adoption

General availability of Nitro Enclaves, recently announced by AWS, is Amazon's way of delivering confidential computing to its customers. Following similar announcements by Microsoft Azure and Google Cloud, the AWS announcement further confirms the growing demand for additional runtime protection of customers' data and other intellectual property.

Security and confidentiality of digital assets at rest, in transit and in use have been the top concerns of companies moving to the cloud. While the focus in the last few years has been on protection at rest and in transit, the new wave of announcements around confidential computing enclaves by all top vendors shows their commitment to further improving digital asset security, removing another barrier to cloud adoption.

The constraints on wide adoption of enclave-based solutions

Even though enclaves are indeed a great security promise, the adoption of enclave-based security will be determined first and foremost by the level of complexity it adds for development teams, the amount of change it requires to existing solutions and architectures, and the added deployment complexity.

There is no unified way to utilize enclaves. Very few products allow lift and shift; most will require software development and architecture changes. With three or four (and counting) different enclave technologies available on the market and the huge amount of open source and third-party software used in customer solutions, it is almost impossible to expect that all of them will use the same enclave technology, or use enclaves at all, in an interoperable way. For example, there is no point in deploying Redis inside an enclave if everybody who can query that Redis runs on regular VMs: the data it protects is still exposed to every un-enclaved client.

All enclave solutions available from the major cloud providers give developers the ability to utilize confidential computing capabilities, usually via APIs and SDKs. This requires developers to write code for a specific type of enclave, which essentially splits an existing application into two parts: the part that runs outside the enclave, and the confidential part that runs inside. Furthermore, developing software for enclaves requires special technical knowledge and deep security experience, which raises the deployment barrier even higher.

ARMO eliminates the enclave’s complexity, making it seamlessly available for DevOps teams

Customers using the ARMO platform natively benefit from the additional security of enclave technology without any changes to their software or architecture. ARMO automatically detects the presence of enclaves and moves all critical security materials and functions inside them.

While each enclave technology attests the enclaved software in its own way, ARMO continuously attests customer software running outside the enclave from within the enclave. This builds a chain of trust between the regular application running outside the enclave and the enclaved security anchor provided by ARMO, and automatically shifts all sensitive cryptographic material into the enclaves. Only continuously attested applications can communicate with the enclaves and use that cryptographic material.
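The pattern described above, as an added example that is not ARMO's code and does not reflect its implementation: an enclave-resident key service admits only callers whose measurement is on an allow-list, hands them a short-lived token, performs cryptographic operations on their behalf, and never releases key bytes across the enclave boundary. The class and function names, the sample measurements, and the assumption that the measurement is supplied by a trusted measuring agent rather than self-reported by the application are all assumptions made for illustration.

```python
"""Added example (not ARMO's code): a toy model of an enclave-resident key
service that only serves callers with an attested, allow-listed measurement.
All names and the source of the measurement are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time

# Allow-list of SHA-256 measurements of approved application builds.
# Constructed sample values: in practice they come from the build pipeline.
APPROVED_MEASUREMENTS = {
    hashlib.sha256(b"order-service build 1.4.2").hexdigest(),
}

TOKEN_TTL_SECONDS = 60


class EnclaveKeyService:
    """Holds a key that never leaves the (simulated) enclave boundary.
    Outside callers receive only session tokens and MACs, never key bytes."""

    def __init__(self, approved, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._key = secrets.token_bytes(32)      # generated inside the enclave
        self._approved = set(approved)
        self._ttl = ttl
        self._clock = clock                      # injectable for testing expiry
        self._sessions = {}                      # token -> (measurement, expiry)
        self._used_nonces = set()

    def attest(self, measurement, nonce):
        """Admit a caller whose measurement is on the allow-list.
        'measurement' is assumed to come from a trusted measuring agent, not
        from the application itself. Returns a short-lived token or None."""
        if nonce in self._used_nonces:
            return None                          # replayed attestation evidence
        self._used_nonces.add(nonce)
        if measurement not in self._approved:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = (measurement, self._clock() + self._ttl)
        return token

    def sign(self, token, message):
        """Compute an HMAC over message on behalf of an attested caller.
        The allow-list is re-checked at use time, so a revoked build loses
        access even while its token is unexpired (continuous attestation)."""
        session = self._sessions.get(token)
        if session is None:
            return None
        measurement, expiry = session
        if self._clock() > expiry or measurement not in self._approved:
            self._sessions.pop(token, None)
            return None
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def revoke(self, measurement):
        """Drop a build from the allow-list, e.g. after a vulnerable release."""
        self._approved.discard(measurement)

    def verify(self, message, tag):
        """Enclave-side verification; callers never see the key."""
        expected = hmac.new(self._key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def demo():
    """Walk through admission, use, replay rejection and revocation."""
    svc = EnclaveKeyService(APPROVED_MEASUREMENTS)
    good = hashlib.sha256(b"order-service build 1.4.2").hexdigest()
    bad = hashlib.sha256(b"tampered binary").hexdigest()   # constructed

    token = svc.attest(good, nonce="n1")
    tag = svc.sign(token, b"GET /orders/42")
    results = {
        "approved_gets_token": token is not None,
        "signature_verifies": svc.verify(b"GET /orders/42", tag),
        "unapproved_rejected": svc.attest(bad, nonce="n2") is None,
        "replayed_nonce_rejected": svc.attest(good, nonce="n1") is None,
    }
    svc.revoke(good)
    results["revoked_build_loses_access"] = svc.sign(token, b"GET /orders/43") is None
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks worth noting are the nonce set, which stops captured attestation evidence from being replayed, and the re-check of the allow-list inside `sign`, which is what makes the attestation continuous rather than a one-time admission.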

The result: ARMO brings enclaves to DevOps teams, tools and methodology. Providing uniform compatibility with any existing application and cloud-native architecture, ARMO allows DevOps to deploy their existing solutions on enclave-enabled devices instantaneously, at cloud scale and under a single control plane.

Top Enclave Use Cases Supported by ARMO

* All use cases are supported out of the box, require no changes to applications or architecture, and can be activated automatically by DevOps during the deployment process.

  • Automatic service-to-service mutual TLS tunneling where the corresponding private keys are protected by the enclaves.
  • Data encryption (including transparent file, field and object store asset encryption) with cryptographic keys that never leave the enclaves.
  • Runtime authentication of any regular software from within the enclaves (Enclave Periscope).
  • Gradual transitions between regular and confidential computing infrastructures without expensive security expertise and without developing complicated end-to-end systems for enclave attestation and secret distribution.
  • Enclave-protected authentication and crypto services exposed to developers via flexible APIs, without the need for enclave expertise and without building expensive end-to-end systems for enclave support.
