When one thinks about all the connections a digital document, log, image or other set of data must traverse in moving from a server to another server and eventually to a storage location, we don’t know the half of it. Most times the number of virtual handshakes and handoffs are many more than we ever realize.
In fact, if you file your tax return online (remember, July 15 is the deadline!) to a service such as TaxAct, TurboTax or HR Block, that document will be dispersed to about 35 different servers for processing. And that's only at the end point.
Unless you are a networking admin or an IT manager, you generally don’t even think about all those interactions. We just know that when we push a button on our connected device, something we want to accomplish is going to happen.
There are some other people, however, who are interested in all these connections, and they aren’t your friends. They are nefarious information-stealers who look for leaks in these transactions and attempt to intercept important personal information along trade routes.
Closing a nagging gap in data security
These gaps in networking communications is what a new startup, Anjuna Security, is all about. Anjuna aims to halt the loss of important data if it slips through the fingers of a network, and the manner in which it does this is an interesting story indeed.
Anjuna, which is launching both its product and itself June 30, has come up with a way to embed high-end security into server processors so that the data is protected all through the process, from start to finish. The current convention—which has been the case throughout IT history—is that data is vulnerable at various times when it is in motion, as described in the lead of this article.
Palo Alto, Calif.-based Anjuna has focused its security expertise on something called secure enclaves—designated sections within a processor that provide CPU hardware-level isolation and memory encryption on every server while the data is being used. They do this by isolating application code and data from anyone with privileges and encrypting its memory.
With additional software, secure enclaves enable the encryption of both storage and network data for full-stack security. Secure enclave hardware support is built into all new CPUs from Intel and AMD, Anjuna CEO and co-founder Ayal Yogev told eWEEK, which announced the launch exclusively June 29.
Thus Anjuna claims to be the closer of that long-embedded critical gap in data security, using full hardware-grade protection to enable new and existing applications to run without having to be rewritten. Anjuna’s Enterprise Enclaves enable hardware runtime data protection to data-at-rest and data-in-motion, while at the same time solving one of the longest-running flaws in enterprise data security; that data cannot be used and secured simultaneously—a flaw at the heart of virtually every enterprise data breach.
No way to protect unencrypted data in an in-memory database
Most people don’t know that there is no way to secure data inside in-memory databases such as SAP HANA, Redis, Couchbase, VoltDB, Oracle In-MemoryDB, MemSQL and others. The data inside must already be encrypted in order to secure it, and that presents another set of problems for administrators that requires another article to explain.
“Software-based security is inherently flawed, because data-in-use is fundamentally not secured in memory or the CPU. As a result, security teams play a never-ending game of cat-and-mouse with bad actors—building software barriers they know will eventually be breached,” Yogev said. “This means CISOs live in a rather uncomfortable perpetual state of data insecurity.”
That might be the understatement of the year. One won’t find many CISOs who sleep completely soundly every night. But what Anjuna has developed might well enable CISOs to put away their sleeping meds.
“What we’re doing is building a software on top of those secure enclaves to make it ready for the enterprise,” Yogev told eWEEK. “I don’t think that Intel realized how amazing what they’ve built is. Like when Intel built the CPU, they knew they built something amazing, but I don’t think they could’ve foreseen the birth of the iPhone, or AR/VR, or the things that were built atop those CPUs 20 or 30 years later.
“I think this is the biggest shift in security since public infrastructure. When public key infrastructure (PKI) was created, nobody realized that Amazon and e-commerce was going to build on top of it. This is the same kind of shift that’s going to allow some pretty amazing technologies.”
The common current problem
While software security solutions offer some protection, they are invariably hit by attackers who gain full control of servers or encryption keys exposed in memory during runtime. Encryption keys are central to most data protection schemes. When exposed, security tools can no longer protect data or applications from malicious insiders, unauthorized third parties and other bad actors, such as rogue nation-states.
In recent years, such CPU vendors Intel and AMD and others added proprietary security features into their high-performance CPUs. These enhanced instruction sets enable chip programmers to create these secure enclaves—fully protected and encrypted regions of computer memory effectively invisible outside the enclave. To utilize these functions, however, requires rewriting software code—sometimes extensive rewriting.
“These new silicon-level technologies solve the data security flaw—a great first step to opening up applications we can’t even imagine today,” Yogev said. “They finally solve the data insecurity challenges that have plagued companies, for decades: building extremely complex layered security software defenses that never totally eliminate the ever-present threat of incursions.”
Broad industry support through consortium
CPUs with secure enclave capabilities are already being used in the newest servers for data centers, and public cloud vendors are also adopting the technology. Anjuna is a member of the Confidential Computing Consortium, a group formed by the largest industry players to bring this technology to commercial use. Led by Microsoft, Intel and AMD, the consortium is driving deployment of new data secure cloud services based on these secure hardware platforms, such as Azure confidential computing, Baidu and more.
Even with secure hardware within reach, enclaving an application is still not a simple process for enterprises. Proprietary software developer kits do not generate applications that can run on multiple hardware platforms. This makes implementing enclaves a time consuming and expensive process that most enterprises aren’t willing to undertake on their own.
“We knew enterprises couldn’t afford to rewrite applications for each hardware platform, “ Yogev said. “That’s why we created a way for them to deploy fully managed enterprise-class enclaves that span memory, storage, networks and clouds instantly—simply, as is, and without any recoding.”
A 'state of absolute data security for all data'
Yogev said he sees a future in which enterprises achieve “a state of absolute data security for all data and applications anywhere they are used.” This security running 24/7 in the background on servers will enable new ways to deploy data and applications more effectively, he said.
Michael Johnson, former CISO of Capital One and former CIO of the U.S. Department of Energy, said in a media advisory that “Anjuna delivers on the the promise of a new level of data security by addressing the problem CIOs and CISOs have chased for decades: how to seamlessly run trusted workloads in uncontrolled and/or hostile environments and prevent data leaks—all while maintaining productivity. Now CISOs can feel comfortable saying yes to the cloud—knowing their information is secure, no matter where it is run or stored.”
Yes, and now perhaps they can get some uninterrupted sleep at night.
Availability: Anjuna Enterprise Enclaves software is available now directly from Anjuna and through the Microsoft Azure confidential computing marketplace.