
Hardware, software options emerge for runtime encryption

Hackers are getting better at exploiting encryption gaps that expose plain-text data. New hardware and software runtime encryption solutions aim to close those gaps.


When it comes to cloud applications, enterprises have an encryption gap. Encrypting data while it is in storage is straightforward, even if many companies are still neglecting to do it. So is encrypting data while it is in transit. But what about data in use?

For a cloud application to be able to do anything with the data, it has to see the data in plain-text form. That means that an attacker or insider with access to the application's environment can look over its shoulder, so to speak, and read the data. This is the security gap that Spectre and Meltdown present.

Until recently, the only solution for enterprises was to run the applications client-side and use the cloud for storage only. Several technologies have now emerged that address this problem from both the hardware and the software side. Google, Microsoft and IBM all have solutions either in place or in the works, and several startups are working in the space addressing specific use cases.

"This is a really new area," says Deborah Kish, an analyst at Gartner. Because it's so new, there aren't any market size estimates yet, she says. "I think it's promising, and I think it's a little early for its time."

A secure enclave on a chip

Secure enclaves are already in wide use on smartphones to store critical authentication and payment information. The idea is that encrypted data goes into the protected enclave, where it's decrypted, processed, and then encrypted again before it leaves. Because the encryption happens in hardware, it's fast and reliable.

A similar technology, called a trusted execution environment, is available on the chips powering cloud computing, including those from Intel, ARM and AMD. AMD has its Secure Execution Environment, and ARM has TrustZone. Intel's is Software Guard Extensions, or Intel SGX.

"The enclave is not available to the operating system," says Ambuj Kumar, co-founder and CEO at Fortanix. "If you find a zero-day bug in the operating system, the enclave is secure. If you have a malicious insider with access to the system, the enclave is secure. If you have a physical attacker who is able to get into all my memory, that still does not break runtime encryption because the enclaves are embedded in the CPU."

Fortanix offers a platform that allows existing applications to access the secure enclave. "When data is demanded by the application, it gets decrypted in chunks," he says. "The application thinks it is operating on decrypted data — the data always becomes magically available when the program needs to use that data."
