Building applications that protect data while it is in use has long been a challenge for the world of DevOps. After all, DevOps promotes the concept of fast software iterations, which can introduce security flaws into production systems. IBM aims to put an end to application data security angst in the form of IBM Cloud Data Shield, which runs containerized applications in secure enclaves on the IBM Cloud Kubernetes Service.
IBM Cloud Data Shield leverages Fortanix’s Runtime Encryption Platform, which brings deterministic security with runtime memory encryption to applications that protects data in use, without requiring any modifications to applications. Fortanix brings Intel Software Guard Extensions (Intel SGX) technology into the mix to further protect application data, by allowing developers to partition their application into processor-hardened enclaves or protected areas of execution in memory that increase security even on compromised platforms.
Ultimately, enhanced security is delivered to developers by deploying runtime encryption and Intel SGX technology into IBM’s Cloud Kubernetes Service. With IBM Cloud Data Shield, developers no longer need to worry about incorporating customized security code into applications before deploying those applications into containers. The benefits offered by that ideology are numerous.
“Businesses are in the early phases of the cloud journey and as they enter the next chapter they need an open, hybrid approach that enables them to develop, deploy and run apps securely in multicloud environments,” says Nataraj Nagaratnam, CTO for Cloud Security, IBM. “IBM Cloud Data Shield with Fortanix Runtime Encryption and Intel SGX is designed to make it easy for developers to protect data in use without having to change their application code.”
IBM Cloud Data Shield is still in beta, but is available to IBM Cloud Kubernetes Service customers who want to try it out. IBM Cloud customers can look forward to the following features while the service is still in beta:
- Fortanix EnclaveOS: Hardware abstraction layer that helps enable unmodified applications to be run with runtime encryption. Containerized applications can be protected with a one-step protection process that can be automated with CI/CD process.
- Enclave Manager: An orchestration service that is designed to allow applications running in enclaves to help establish trust and provides comprehensive visibility for compliance.
- Pre-configured Protected Applications: Secured enclave enabled containers for MySQL Database, NGINX web server, keys and secrets management and directory servers.
For developers, IBM Cloud Data Shield promises to speed up deployments while also bringing additional security to containers. “The ability to create encrypted enclaves with Intel SGX, now integrated into Fortanix’s Runtime Encryption platform running on IBM Cloud Data Shield, can help manage the growing volume of data-centric workloads,” says Window Snyder, chief security software officer and vice president of the Platform Security Division at Intel.