Protecting your stored data on the cloud is a concern, but it's easy enough with encryption. Thanks to SSL, it's simple to protect data in motion on the network. But protecting your data when it's being used on the cloud is not so simple. Enter IBM, which, in partnership with Fortanix, is now providing data-in-use protection for your container workloads running on the IBM Cloud Kubernetes Service with IBM Cloud Data Shield.
Jason McGee, IBM Cloud Platform VP and CTO, explained the process at KubeCon in Seattle: Data Shield uses Intel Software Guard Extensions (SGX) technology to run code and data in CPU-hardened Trusted Execution Environment (TEE) or enclave. This is a trusted area of memory, where critical aspects of the application functionality are protected by encryption. This helps keep both your code and data private and shielded from would-be hackers.
Data Shield also provides you with DevOps tools, which can be integrated with your existing build pipelines. With these, you can convert your container images to Intel SGX compatible counterparts with, McGee noted, "little to no code changes." With work, you'll be able to adopt Data Shield into your continuous integration/deployment (CI/CD) pipeline.
According to McGee, Data Shield provides a layer to wrap your application so that it can be encrypted and protected by SJX.
Installing Data Shield is easy, too. It's offered as a Helm chart, a Kubernetes package, and on the IBM Cloud. Intel SGX bare-metal servers are generally available across all regions on the IBM Cloud.
To use it, you just download and install it to your Intel SGX-enabled IBM Cloud Kubernetes Service cluster. If you go this route, you must "wrap" applications yourself with Data Shield.
Or, you can simply install IBM's Data Shield enabled applications. There are less than 10 at this time, but they include such popular programs as the MySQL database and the NGINX web server.
- IBM fighting counterfeiters with world's smallest computer (CNET)
- IBM Watson: A cheat sheet (TechRepublic)
Fortanix has its own product, Runtime Encryption Platform. With it, you can run applications within Fortanix's own secured EnclaveOS or modify or build applications, which can use SGX to encrypt your data.
This is a big deal. According to Forrester's recent report on Container Security, 43 percent of developers surveyed said security was a challenge to container adoption. With IBM Cloud Data Shield, some of those programmers will be more relaxed about moving their applications to containers on the cloud.