Confidential computing for enterprise-grade servers took a big step forward in the summer, when Google Cloud announced it was leveraging the AMD 2nd Gen Epyc chips to offer secure enclaves to customers. Customers could put entire virtual machines inside these enclaves to protect data with hardware-based encryption, even while applications were using it.
Normally, data is protected when it is stored or while in transit, but it must be decrypted for applications to work with it, creating a significant security vulnerability. Confidential computing addresses this issue.
Google and AMD weren’t the first to take the approach. IBM had a similar offering with its IBM Z chips, available both on IBM Z and Linux servers. Like Google’s, an IBM secure enclave was large enough to hold an entire virtual machine.
Intel has been a player here as well, with its Intel SGX confidential computing platform. But the Intel SGX secure enclave was initially a fraction of the size of the ones available from Google and IBM, making it suitable only for small or niche applications. Plus, unlike with Google or IBM, applications had to be rewritten specifically to take advantage of the Intel SGX feature. Finally, the technology was only available on workstations and difficult to deploy on data center-grade servers.
This week Intel addressed all those issues, announcing that its SGX secure enclaves will be available for larger servers, will be 1 terabyte in size – big enough to hold virtual machines – and, with help from third parties like Fortanix, users will be able to use the feature without rewriting their applications.
"We are bringing Intel SGX to mainstream dual-socket processors, specifically the upcoming 3rd generation Intel Xeon Scalable processors, code named Ice Lake," an Intel spokesperson told DCK. Intel expects to start “production shipments” of Ice Lake, its first 10nm-based Xeon Scalable server chips, by the end of the year, the spokesperson said.
"This advancement should open up the [Intel SGX] technology to far larger in-memory datasets and programs," Rob Enderle, principal analyst at Enderle Group, told DCK.
Those include financial, defense, engineering, and machine learning applications, as well as large consumer data projects in the healthcare and retail sectors. "In a world where state-level bad actors are going after these datasets to harm or mine them for information, this extra capability should be very well received," he said.
Lift and Shift
Microsoft Azure, the largest customer of Intel's confidential computing tech, already offers Intel SGX to its cloud customers and plans to deploy the new, larger secure enclaves next year, after the chips become available.
The company expects to provide details on machine specifications closer to availability.
Azure customers looking to secure existing applications are advised to use the Azure Portal and services from a partner like Fortanix to wrap their application in an Intel SGX-aware layer.
Customers writing new applications, or refactoring existing ones, can use Intel's own SGX framework or other open-source frameworks, Anil Rao, VP and general manager for data platforms security and systems architecture at Intel, said in a presentation for journalists Wednesday.
Those are frameworks such as the Open Enclave SDK, Enarx SDK, and MesaTEE. That places "the most control in the hands of the developers or owners of the data," Rao said.
There are also “some new lift-and-shift capabilities emerging from our partners.” They include Fortanix, Graphene, Anjuna, and Scone.
This is different from AMD and IBM's approach, where the interface with the secure enclave happens at the hypervisor level, enabling applications to stay as they are. But Intel's approach offers more security, Ambuj Kumar, co-founder and CEO of Fortanix, said.
"If you take and pack good software and bad together in a VM (like the AMD secure encrypted virtualization) the bad software can create a vulnerability for the good software," he told DCK. "But if you treat them separately with a greater level of isolation (like SGX), the good software is always protected from the potentially compromised bad software. Intel SGX requires you to trust fewer software components, which is more secure."
And when using a third-party partner like Fortanix, no rewriting of applications is necessary, he added. "Fortanix is providing the virtualization layer for confidential computing to make Intel SGX easy to use, have broad application support, and become pervasive," he said.
"There is absolutely no need to change existing VMs, containers, or applications, nor is there any need to partition them," Kumar continued. "You simply identify what software you want to run securely inside an enclave, and Fortanix seamlessly creates the enclave to run the software."
University of California, San Francisco, an Azure and Fortanix customer, is building a data analytics platform, called BeeKeeper AI, which uses AI to process sensitive patient data. The platform will use Intel SGX to secure data.
“The solution enables healthcare data providers to maintain control and preserve the privacy of their data in ways that allow researchers and developers to accelerate the validation of proprietary models,” Michael Blum, associate vice chancellor for informatics and chief digital transformation officer at UCSF's Center for Digital Health Innovation, said in a statement.
"There was no need to change the algorithm or their code," Fortanix's Kumar said. "It is the same algorithm, same data, except now the algorithm IP cannot be stolen, and the patient data remains private, even from the researchers themselves."
Kumar expects Intel's Ice Lake to become the most common cloud and data center server chip, running databases, data lakes, data warehouses, ERP and other backend applications, containers, microservices, network proxies, and much more.