As we have seen in several major cybersecurity breaches, attackers will prey on a system’s weakest points to harvest its data. An important source of vulnerability occurs at runtime, when data is in use. In response, enterprise developers must leverage runtime encryption technologies with effective key management to secure sensitive data — and this is especially true in the cloud/multicloud environment.
However, while runtime encryption solutions using hardware-aided security have been available for years, they were not available in the public cloud. But this is changing. [Editor’s note: Fortanix is one of a number of companies that offer runtime encryption services.] Cloud service providers (CSPs) now offer hardware platforms that enable runtime encryption solutions to be deployed in the cloud. Innovative new solutions for key management, along with an end-to-end approach to encrypting and securing data when it’s at rest, in transit, and in use, are critical, as are related functions required to make cloud runtime encryption viable.
Data Security: The Two-Thirds Solution
Traditionally, it has been possible to protect data by encrypting it at rest and in transit. This got organizations two-thirds of the way to complete data protection. At runtime, however, data pulsing through the CPU was exposed. Before today’s increasing adoption of technologies such as Intel Software Guard Extensions (Intel SGX), runtime encryption was impractical. Comparable solutions, such as fully homomorphic encryption, have proved impractical for many of today’s complex application use cases.
Requirements for Effective Runtime Data Encryption
New runtime encryption solutions fill the security void when data reaches the CPU by creating a trusted execution environment (TEE) within which sensitive applications and data are protected. TEEs enable general-purpose computation on encrypted data without exposing plaintext application code or data and are designed to provide complete cryptographic protection for applications at the performance level that enterprises require.
To provide holistic protection, however, runtime encryption solutions must take a life cycle-based approach to data security. From the earliest stage of application development, the solution must be capable of integrating encryption and/or tokenization to secure sensitive data, in addition to the hardware-aided security provided by a TEE. Leveraging centralized logging of cryptographic operations and policy definition/enforcement for auditability and compliance should also be an important part of the management life cycle. The solution must be able to guarantee the execution of validated software securely inside a TEE, where it is protected from all threats while ensuring the security of data at rest and in transit.
The Cloud: A Runtime Data Security Conundrum
A potential barrier to the end-to-end security that runtime encryption must provide has been the need to host the keys used to encrypt and decrypt sensitive data by the CSP. Although securing data at runtime using a TEE protects application code and data from unauthorized system or root-user access, the data remains vulnerable unless organizations maintain exclusive control over their cryptographic keys. With “bring your own key” (BYOK) functionality, organizations can provide a known key to encrypt and decrypt data, but the CSP holds this key within its proprietary key store — which should make security managers uncomfortable. The problem of securing data and cryptographic keys on a CSP’s platform must be resolved if the benefits of runtime encryption are to be fully realized.
Better Security Controls for Cloud Workloads
Innovations in cloud-native APIs make it possible for users to integrate their own key management systems in order to retain control of the keys that applications deployed in the cloud require. With a “bring your own key management system” (BYOKMS), organizations store their encryption keys in a hardware security module (HSM) in their data centers or within a contracted facility. The API connects the HSM to the cloud service, with keys retrieved from the HSM when needed by an application. This enables keys to work seamlessly with runtime encryption in the cloud, with a single point of control for management and auditability. As a unified system, BYOKMS solutions can handle data encryption, tokenization, and shared secrets while spanning on-premises, hybrid cloud, and public cloud environments.
With BYOKMS, organizations retain exclusive control over who can see their data. This enables a number of specific benefits, including:
- Compliant application mobility: When organizations control their own keys, they can move applications to the public cloud, even if they are bound by regulations.
- Distributed security: By combining a zero-trust model and an “interconnection-first” approach, organizations can distribute security as a means to address scale and integration challenges.
- Keys less likely to be compromised: BYOKMS cuts down the odds of key secrecy being violated in shared infrastructure. Even the CSP or government officials won’t be able to access them.
- GDPR compliance: Key management with regional isolation provides compliance with the EU’s General Data Protection Regulation (GDPR) and other data sovereignty laws.
- GRC standards met within a multicloud environment: If your organization’s governance, risk, and compliance (GRC) policies call for pervasive data encryption, you can now adhere to the policies while migrating applications and data into multicloud, public cloud, or hybrid environments.
More broadly, the BYOKMS approach leads to predictable consumption. Organizations can move workloads across multiple clouds to manage load levels without concern for data vulnerability. They can also integrate applications more flexibly because it doesn’t matter where the data resides. Data is protected at runtime across all instances, even in the public cloud. This is possible without negatively affecting application performance. By storing keys in data centers that are close to critical apps, end-to-end cryptographic security incorporating runtime encryption won’t slow down data processing.
Putting Cloud Runtime Encryption to Work
Moving sensitive data to cloud infrastructure is only partly about getting the right tools. Trusting the cloud involves a change in mindset. You must be ready to embrace runtime encryption in the cloud. Your developers should understand the new APIs for securing data in the cloud. Security staff tasked with key management must think differently about the key management life cycle. All of this is possible, though. Runtime encryption in the cloud is real.
Faiyaz Shahpurwala is the Chief Product and Strategy Officer for Fortanix. Prior to Fortanix, he held key senior leadership positions at IBM and Cisco. He was most recently VP/GM for IBM Cloud, and before that he was SVP at Cisco Systems, … View Full Bio