As more sophisticated threat actors emerge and news of significant data breaches are pretty much a weekly occurrence, cybersecurity has become a boardroom level conversation, not just an IT one. That’s why we’re seeing increased interested in Confidential Computing across the enterprise, a compute strategy that allows data to be processed in memory without exposing it to the rest of the system by way of the utilization of a Trusted Execution Environment (TEE). The AWS TEE solution, AWS Nitro Enclaves, is something I was recently briefed on and wanted to cover here.
Before I dive into AWS Nitro Enclaves, some backstory is appropriate. In our recently-published report The Rise of Confidential Computing — Trust: The New Battlefield in the Age of Digital Transformation, my colleague Shelly Kramer and I discussed the benefits of Confidential Computing including ensuring data protection while data is being used and allowing the development of technology deployment options to protect against insider threats.
In today’s business climate when data breaches can cost millions in lost revenue and downtime, negatively impact careers, consumer trust, and brand reputation in significant ways, Confidential Computing is aimed to address a significant challenge that requires immediate attention. Cloud vendors are stepping up to meet this need with various solutions. Different vendors are taking slightly different approaches to address the need to provide trusted execution environments, and we believe that AWS Nitro Enclaves is taking a noteworthy approach that would benefit from further assessment and consideration of any cloud adopter.
AWS Nitro Enclaves is an EC2 feature that allows the user to create isolated environments that are strongly protected from other parts of the environment through the use of the hardware features of the physical cloud infrastructure. This allows a user to create or obtain enclave-based applications that they trust to operate on sensitive data or embody valuable intellectual property, without having to trust the security of their operating system, privileged administrators, or adversaries that gain access to their compute infrastructure. These enclaves provide no persistent storage, external networking, or human based access; they can only communicate through a trusted channel to the instance that created the enclave.
AWS Nitro Enclaves uses a secure virtual socket (VSOCK) interface, which is commonly available Open Source technology present in the Linux kernel since 2016, as the only communication channel between the “trusted” software running within the enclave and the “normal” or “untrusted” software running in the EC2 instance. The end result is a feature that encourages the adoption of compartmentalization and isolation patterns that protect data, and also meaningfully reduce the success of surface level attacks.
The best part? AWS Nitro Enclaves are processor agnostic and work with most Intel and AMD-based Amazon EC2 instance types allowing for the most flexibility for end users.
AWS has not adopted the term “Confidential Computing” in its marketing of AWS Nitro Enclaves. Presently, there are inconsistent definitions between industry analysts, consortia, and customers who are eager to improve their security posture. For some time now, IT departments have been tasked with securing data at rest and in transit through encryption, but there have not been widely available options for protecting data in memory. This has raised questions and concerns from management and regulators.
Some cloud providers have taken a marketing position that Confidential Computing enables you to trust a cloud vendor less by delegating responsibility to a trusted hardware manufacturer. AWS has always taken a strong position with clear messaging to their customers: AWS is responsible for the security ‘of’ the cloud infrastructure, while customers are responsible for security running ‘in’ the cloud.
The security and confidentiality of a customer’s compute workloads running on the latest generation EC2 instances is provided by a combination of technological and operational safeguards that AWS built into the AWS Nitro system — a unique combination of AWS-designed hardware and firmware. A component of that system is the Nitro Hypervisor, which is a firmware-based hypervisor that is responsible for using processor hardware features to strongly isolate physical system resources in creating EC2 instances and AWS Nitro Enclaves. The Nitro Hypervisor is unlike commercial-off-the-shelf or commodity open source virtualization solutions. It is purpose-built to meet the security and operational needs of AWS and its customers which include the most demanding and sensitive workloads running today.
Architecturally, some newer hardware-based technological safeguards for server processors such as AMD SEV-ES, AMD SEV-SNP, Intel® TDX, or Arm Confidential Compute Architecture (CCA) could be incorporated in the implementation of AWS Nitro Enclaves without meaningfully changing the user experience, or affecting enclave application compatibility. This provides a path for AWS to continue to raising the bar with the hardware features it uses for isolation and confidentiality.
Some customers may have requirements that steer them toward the direct adoption of vendor-specific hardware-based trusted execution environments such as Intel® SGX, rather than a TEE that supports multiple hardware vendors like AWS Nitro Enclaves. In those cases, a cloud provider will need to provide access to the proprietary hardware feature. Customers should keep in mind that this may reduce available capacity, or introduce additional implementation complexity.
AWS Nitro Enclaves can be utilized by any number of industries that may need to keep sensitive data safe, from financial services to defense and life sciences. AWS Nitro Enclaves help protect against any number of complex threats, from internal to external, by creating extremely controlled, limited, restricted user environments.
Some benefits of using AWS Nitro Enclaves include:
As we covered in our report, Confidential Computing is still in the nascent stages. All of the big cloud players are working to develop the most secure technology to protect data in any state that it exists. User preference and specific business need will always determine which is best for an organization.
We believe that the multi-year investments AWS has made in the hardware-based technology at the heart of the Nitro System is evidence of a larger trend: that Big Tech is increasingly addressing data security in novel and important ways. With AWS Nitro Enclaves, the result of these investments is placed directly into the hands of customers to isolate and protect sensitive data and processing in the cloud. Overall, we are bullish on the increased focus and commitment from the industry to address data security in all states. We expect big things ahead in the Confidential Computing and Trusted Execution Environment space, and AWS—as always—should be expected to compete diligently through its comprehensive offerings.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.
AWS’s Amazon Lookout For Metrics Solution Uses Machine Learning To Automate Business KPI Monitoring
AWS EC2 X2gd Instances Powered Using Home-Grown Graviton2 Processors
A Diverse Approach To AI Has AWS Uniquely Positioned For Growth
The original version of this article was first published on Futurum Research.
In this guest contribution from Steve Vonder Haar, Senior Analyst with Wainhouse, a Futurum Group…
In this guest contribution from Craig Durr, Senior Analyst with Wainhouse, a Futurum Group Company,…
Futurum's Daniel Newman dives into the recent announcement coming out of Micron, that they will…
Futurum analyst Michael Diamond recaps the Amazon Devices and Services event and reviews some of…
Futurum senior analyst Steven Dickens provides his take on the latest announcements coming out of…
Futurum’s Ron Westfall and Daniel Newman examine Micron’s financial results for the fourth quarter 2022…