If you want to protect your data, you encrypt it. That’s a well-established countermeasure. We encrypt data at rest. We encrypt data in transit. What about when your data is memory or being processed in the CPU? That’s been a tricky area, historically. This is where Fortanix offers a solution.
According to Ambuj Kumar, CEO of Fortanix, data is vulnerable at runtime. Threats include malicious insiders, root users, firmware compromise, operating system zero day attacks and others. While this insight is not new, the intensity of the threat has increased in recent years. And, earlier solutions introduced their own challenges.
Homomorphic encryption, which encrypts data at runtime, is viewed as cumbersome by some in the industry. A CPU processing runtime data with homomorphic encryption is dramatically slower than it would be with unencrypted data. As a result, use cases for homomorphic encryption tend to favor situations with extreme protection requirements, like national security.
Fortanix provides an alternative approach to runtime encryption. Their solution takes advantage of Intel’s Software Guard Extensions (SGX). As aptly described by MIT computer scientists Victor Costan and Srinivas Devadas, SGX is the “latest iteration in a long line of trusted computing designs, which aim to solve the secure remote computation problem by leveraging trusted hardware in the remote computer.” As they put it in their paper, “Intel SGX Explained,” The trusted hardware establishes a secure container.
With SGX and the Fortanix runtime encryption platform, it is possible to conduct general purpose computation on encrypted data without exposing either plaintext application code or data. The cryptographic protection does not have the level of performance overhead that comes with homomorphic encryption. It is also more flexible, able to work on any Linux machine.
The Fortanix model is gaining traction. IBM Cloud Data Guard, for example, is powered by Fortanix Runtime Encryption platform. Cloud Data Guard provides services and toolkits for users of containerized applications. This enables organizations with sensitive data to work with cloud computing.