There is a way to protect unencrypted data in use
- By Steve Orrin
- Dec 09, 2015
For all IT professionals, the most daunting – and persistent – challenge is data security, but the challenge is particularly acute in the defense and intelligence communities. Their networks are high-value targets, both for disruption and content. In fact, nearly 12 percent of the 783 reported U.S. data breaches in 2014 came from the government and military sectors.
It’s a problem that many Defense Department agencies have chosen to fight using encryption, but this approach has at least one big flaw. While the data is encrypted when it is being stored – i.e., at rest – and sent to devices – that is, in transit – once it’s on a user’s computer, laptop or tablet, the user’s application has to work on it “in the clear.” So, if the application has a flaw, or the device has been infected with any of a host of malware, the data is at risk.
Therefore, the challenge is how to protect data while it is in use. Typically, there hasn’t been an effective answer for this end of the process. But new technology might help address this particularly thorny part of the challenge.
One method currently under development is the creation of secure memory enclaves on CPUs. Also known as software guard extensions, security enclaves carve out a dedicated portion of memory. Much like traditional enclaves – territories that are walled off and distinct from everything else that surrounds them – security enclaves create a safe haven that protects data from the rest of memory. They do this by isolating data from the rest of the platform. As result, even in a hostile environment, critical information can be protected.
Here’s how a security enclave works. By modifying a portion of their code, application providers can replicate elements of their functionality inside the enclave. When the user calls for data to be sent, it can be delivered into the enclave. It is there – in this secure, electronically walled-off portion of memory – that the application can interact with and use the data. The CPU also encrypts this memory, so that even if an attacker can read memory they can’t get access to the enclave because the memory is encrypted and blocked off from the operating system.
In addition, not only is the data protected by the user’s device, it’s verifiable. The data center providing the information can verify an enclave is in place before sending the data. Likewise, it can verify information being sent to it is coming from an enclave. If the device can’t confirm it can create an enclave, the server won’t send the information; conversely, the server won’t accept data from a device that doesn’t have an enclave. This reduces the system’s attack surface to a single point that can be tested for every transaction.
It’s worth noting that using the enclave approach doesn’t stop attackers from penetrating a system. Any attacker with the wherewithal to do so may still be able to initiate a breach.
However, organizations using security enclaves can still protect their data, even during (or after) a breach. That’s because government security professionals can protect classified and sensitive information at the CPU level – they can put data in the system without having to trust everything on that system. It’s like the bank robber who’s successful in getting through the front door of the financial institution, but is unable to gain access to the locked safe.
Enclaves could prove to be major advancements in security for those working in hostile environments, such as an enclave-protected online video chat and collaboration session. Over time, as the microprocessors are incorporated by device manufacturers, it could change the entire security landscape, especially for those seeking answers to the data-in-use question.
At my company, we are working with code developers across the marketplace in preparing for the availability of secure enclaves. The technology has been tested and demonstrated, and it works. For example, we recently worked with a major Web browser developer to test the efficacy of the process. The developer successfully placed its OpenSSL library in an enclave. That library was deemed secure, and the test worked.
Security enclaves can also be applied to the applications and data being used by Defense Department employees, and may prove to be a significant new weapon in the war against cyber threats. Enclaves can hold down the fort even after the enemy gets past the initial security measures, while successfully protecting data in use.
Steve Orrin is federal CTO for Intel.