11. On Premise Confidential Computing: Options for protecting application data in memory
Can the application be containerized?
vSphere 7 Pods
IBM Secure Execution for Linux
IBM LinuxONE
IBM z15
Can the protected enclave be limited to 128MB?
Intel Software Guard Extensions (SGX)
Application isolation
Yes
VM isolation
VM isolation
Container isolation
Supports secrets built into enclave; Support for memory overcommit
No
Yes
No Yes
IBM Hyper Protect Virtual Servers (HPVS)
IBM LinuxONE
IBM z15
Container isolation
Established toolchain (inc. IBM HSM - KYOK); Support for memory overcommit
Yes No
* Majority of modern languages/hosting deployable without change
• Java ‘out of the box’ provided the right JDK is used
• NodeJS / JavaScript
• ISV software is usually recompiled already.
• Much open-source software is already available.
• CLR for .NET applications (targeted Q4 ‘21)
Willing to change the application design/code to use protected enclave?
Can the application be deployed on s390x architecture? *
Can the application be containerized?
No
vSphere 7
Linux KVM
Limited to 92MB memory (vSphere vSGX); Vendor specific implementation; Only specified memory is protected
AMD Secure Encrypted Virtualization - Encrypted State (SEV-ES)
AMD Secure Encrypted Virtualization - Encrypted State (SEV-ES)
s390x
x86
Can’t overcommit memory allocated to VMs; Vulnerabilities in all but latest processors
Can’t overcommit memory allocated to Containers; Vulnerabilities in all but latest processors
Yes No
12. Hybrid Cloud: On Premise and Public Cloud Services Confidential Computing: Options for protecting application data in memory
IBM Secure Execution for Linux
IBM LinuxONE
IBM z15
VM isolation
Supports secrets built into enclave; Support for memory overcommit
IBM Hyper Protect Virtual Servers (HPVS)
IBM LinuxONE
IBM z15
Container isolation
Established toolchain (inc. IBM HSM - KYOK); Support for memory overcommit
Able to leverage services from the public cloud to combine with On Premise implementation?
IBM Cloud Data Shield
IBM Cloud Hyper Protect DBaaS
IBM Cloud Hyper Protect Crypto Services
Public cloud DBaaS
Public cloud Crypto service
Virtual Servers Containers
IBM Cloud Hyper Protect Virtual Servers
Able to Develop and Test on the public cloud?
s390x - On Premise IBM Cloud services
LinuxONE virtual servers
Only service in the industry that’s built on FIPS 140-2 Level 4-certified hardware; Keep Your Own Key (KYOK)
MongoDB
PostgreSQL
FIPS 140-2 HSM
Run containerized applications in a secure enclave on Kubernetes; Secure enclaves using Intel SGX and Fortanix
Fully managed database on LinuxONE; Control encryption keys with Crypto Services
On Premise Confidential Computing
Use cases from IBM CIO Office perspective:
Risk analysis and business case approach (expected cost of a breach, as costs are shifting, meaning more breaches and more expensive breaches, vs. expected cost of security)
IT use cases where there is particular relevance
Increasing scope of encryption when workloads are migrated to private cloud
Hybrid workloads where sensitive data moves across cloud and on-prem
Support increased security for region-specific data-sensitive workloads in the cloud
AI and ML use cases; and data in a Z environment
The next frontier of data protection:
When we talk about end-to-end data protection, we are talking about the three pillars of data security.
Data at rest:
Files stored on servers, records in databases, etc.
Protecting data at rest means using methods such as encryption, antivirus, and firewalls so a malicious actor can’t access inactive data being stored on a device or network.
Data in transit:
Information as it moves between servers and applications such as emails and instant messaging.
To protect data in transit, enterprises often encrypt sensitive data before moving it, using encryption protocols such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security) for transactions in and out of a server.
Technologies exist today on the LinuxONE III machine that protect these two states of data and code, such as Pervasive Encryption for general LinuxONE workloads, hardware-accelerated technologies and Hyper Protect services.
Additional components: the CPACF coprocessor performs the encryption and decryption, and the Crypto Express card stores and presents the master key used to encrypt and decrypt the data.
However, what is lacking today is protecting the third pillar of data security: Data in use.
Data in use:
Data in use is data that is being processed by a running application or accessed by a user. Examples include applications such as banking software, Java applications and databases that are running and may have sensitive files open.
Confidential computing:
So, how do we protect data while it is in use?
Tech companies are adopting a new security model, which they call confidential computing, that uses hardware-based techniques (emphasize) to protect data in use.
The key is to control access to the data as tightly as possible and to provide a way to securely process unencrypted data.
Keep in mind that the protections for these data states are complementary and do not supersede or replace the other existing protections.
So, to recap: today, data is often protected at rest and in transit, but not while in use by applications. To implement technical assurance, end-to-end protection must be achieved.
As a result, organizations with applications that handle sensitive data, such as financial transactions or health information, are often unable to take advantage of the benefits of cloud and multi-party computing.
The IBM Secure Service Container architecture exploits the Crypto Express6S HSMs so that institutions can run Docker containerized applications and micro-services in an industry-unique, FIPS 197 compliant, trusted, cryptographically isolated execution environment with up to 16TB of real memory available.
GCP plans to support: Ubuntu v18.04, Ubuntu 20.04, Container Optimized OS (COS v81), and RHEL 8.2,