Intel Says Its SGX Secure Enclaves Shine in Bare Metal Deployments

Bare metal is making a comeback, and Intel says its chip-based confidential computing fits better than VM-based alternatives.

Maria Korolov

January 21, 2021

5 Min Read
Intel Executive VP and General Manager Data Center Group Navin Shenoy speaks during an Intel press event for CES 2019 in Las Vegas.
Intel Executive VP and General Manager Data Center Group Navin Shenoy speaks during an Intel press event for CES 2019 in Las Vegas.David Becker/Getty Images

Last summer, Google announced that it was using AMD's 2nd Gen Epyc chip to offer protected computing environments to its cloud customers. This approach, also known as confidential computing, allows an entire virtual machine to run inside a hardware-enabled secure enclave -- similar to the secure element in a smartphone that contains payment data but large enough for enterprise applications.

Confidential computing prevents attackers from being able to eavesdrop on applications when applications work with data. Normally, data has to be decrypted for an application to do any work with it, which makes it vulnerable. Data-in-use is the final piece of the data encryption puzzle, solved by hardware-based confidential computing technology.

IBM also has a chip, used in its IBM Z mainframes, for hardware-based secure enclaves for virtual machines.

The other major player in the confidential computing space is Intel, whose secure enclave technology, Intel SGX, is designed to secure individual applications rather than entire virtual machines. As a result, developers have to rewrite their applications if they want to use the SGX features, though third-party tools are available to address some of this gap.

But Intel SGX has a major advantage over the virtual machine-based approaches when it comes to deploying on bare-metal serviers, according to Ron Perez, a fellow at Intel's Data Platform Group.

"There's a lot of interest in going back to bare metal to get the most performance and control," he told DCK. "That's one area where our technology excels. Not only is it usable by virtual machines, but you can use it even at the bare-metal level."

Bare Metal Growing in Popularity

Even as enterprises embrace ever-higher levels of virtualization, from virtual machines to containers to cloud functions, old-school bare-metal infrastructure is still in play for some use cases.

Without all those extra layers of abstraction, bare metal can enable higher levels of performance and security, although a lot depends on the kind of application deployed.

According to Market Research Future, the global bare-metal cloud market is expected to grow from $1.5 billion in 2017 to $7.7 billion by 2023 – a compound annual growth rate of 31 percent. 

Last spring, Equinix, the world’s largest colocation provider, paid $335 million for Packet, a company that specialized in fast, automated delivery of bare-metal infrastructure.

"Customers are looking for more control over their stack, greater performance, lower latency, and dramatically better cost efficiency," said Jacob Smith, one of Packet’s founders who is now VP of bare-metal marketing and strategy at Equinix. Bare metal allows companies to squeeze the maximum value out of their infrastructure, he told DCK, while using a common deployment approach across public clouds, on-prem environments, and at the edge.

And in December, Platform9 announced what it billed as the first cloud-ready, fully managed bare metal solution, allowing data centers to transform their physical servers into bare-metal clouds.

Bare metal is particularly important for new applications in 3D imaging, artificial intelligence, and machine learning, said Kamesh Pemmaraju, head of product marketing at Platform9.

Google Cloud has been taking its bare-metal offerings global over the last year, after launching them in late 2019.

"Bare metal has never not been popular," said Holger Mueller, an analyst at Constellation Research. The big three cloud providers don't talk about it much, he told DCK, but it's a critical part of some of their customers’ "lift-and-shift" scenarios, as they move applications from their own data centers to the cloud. "Whatever is in the application zoo of an enterprise can run on bare metal, because it’s practically your own server."

Most recently, edge computing has caused some enterprises to look beyond the traditional cloud environment, said Dave McCarthy, an analyst at IDC.

"There are many situations where infrastructure and applications need to be placed closer to where data is generated and consumed," he told DCK. "This is where bare metal fits in."

In particular, bare metal as a service allows providers to offer customers the greatest possible flexibility and control over their environment, he said.

"In many cases, these customers are other service providers looking to run workloads in geographic areas with much more granularity than a hyperscaler can provide," he said.

Bare Metal Security

Virtualized environments have multiple security concerns, said Jack Gold, president and principal analyst at J. Gold Associates.

"Taking away one extra level of attack surface doesn’t sound like much, but it can make a very big difference in security," he said. "If I can attack the underlying operating system layer, I can compromise any and all machines running on top. And I can potentially have bleed from one virtual machine to another that can cause a security or privacy issue."

Virtualized environments do offer the best combination of cost efficiency and agility, said Jesse Schrater, product manager at Intel. So, for most companies, the security technology they choose needs to support virtualized environments.

"And SGX does, as do the competitors," he said. "But not all environments are virtualized."

For example, he said, hardware security modules for key management are one application where both security and performance are critical.

"Those often are not virtualized," he said. "They are often fit-to-purpose appliances meant to do one thing and one thing only and do it very, very securely."

These are ideal use cases for Intel SGX.

"SGX is not dependent on the hypervisor," said Schrater. "There's a direct communication between the application and the CPU, so it can be used in a bare metal situation if that's what the application owner wants."

Intel SGX isn't completely unique in this regard. There are hardware-based secure enclaves in mobile devices, for example.

But when it comes to data centers, Intel SGX is currently the only platform that is hypervisor-independent, he said.

Data center managers who want to deploy Intel SGX secure enclave technology on bare metal can get it in a bare-metal cloud environment.

IBM Cloud, for example, has SGX in a bare-metal offering, said Schrater. So do Alibaba, Platform9, and OVH.

Equinix also offers Intel SGX security on its bare-metal platform, said Equinix's Smith.

And, of course, Intel SGX can be deployed in traditional on-prem data centers.

About the Author(s)

Maria Korolov

Maria Korolov is an award-winning technology journalist who covers cybersecurity, AI, and extended reality. She also writes science fiction.

Subscribe to the Data Center Knowledge Newsletter
Get analysis and expert insight on the latest in data center business and technology delivered to your inbox daily.

You May Also Like