Virtualization Technology News and Information
Securing Data that is Outside the Trust Boundary

Written by Nishank Vaish, Senior Product Manager, Fortanix

There is a growing need to process or consume sensitive data outside the trust boundary. This is critical for some business operations; for example, sharing and processing sensitive healthcare data outside the organization for treatment insights and other purposes. However, security and compliance measures require that authorized users, likely in untrusted environments, do not have access to the sensitive data they're processing, or to the secure repository storing the sensitive data. But how do we know that the data will be secure in all these environments that are untrusted and often unknown?

Traditionally, sensitive data (PII, PHI, trade secrets, confidential information, etc.) is processed by applications (such as Hadoop, R, Python, TensorFlow, etc.) and typically resides within tightly secured and controlled production environments. These environments are known as the "trust boundary," where privacy and security of the data are assured.

A trust boundary is a logical perimeter that typically spans beyond physical boundaries to represent the extent to which IT resources are trusted. When analyzing cloud environments, the trust boundary is most frequently associated with the trust issued by the organization acting as the cloud consumer. The untrusted execution environment consists of the surrounding infrastructure (for instance, the operating system and system libraries) and human operators, who are even less trusted. The trusted execution environment consists of one or more secure enclaves, which protect code and data in a sensitive workload. One solution to secure data outside the trust boundary is to run sensitive workloads in an untrusted execution environment while they inherit the confidentiality and integrity protections provided by the trusted execution environment. This is easier said than done.

An application can come under attack from various threats that target different assets in both trusted and untrusted environments. Each threat actor can use any vulnerability in the application or underlying platform to get to the target asset. For example, a malicious insider can use an operating system vulnerability to obtain access to an application's cryptographic keys. Modern applications require a variety of secrets before being accessed, including TLS private keys, API keys, passwords, and more. A hardware-based trusted environment may provide a means of managing these secrets so that only secured and isolated memory locations, often called secure enclaves, can access the plaintext of a secret. Secrets are provided to an application only after the application has presented a valid attestation.
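The attestation-gated release described above, shown as an added example (not Fortanix's code and not the SGX quote format): a broker hands out a secret only for a fresh, correctly signed report whose code measurement is on an allowlist. The HMAC key standing in for the hardware signing key, all names, and the sample values are assumptions constructed for illustration.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

# Assumption: this HMAC key stands in for the hardware vendor's attestation
# signing key; real enclaves produce asymmetric quotes checked against a vendor root.
PLATFORM_KEY = b"constructed-demo-platform-key"
# Constructed allowlist: hash of the enclave code the data owner has approved.
TRUSTED_MEASUREMENTS = {hashlib.sha256(b"approved-analytics-enclave-v1").hexdigest()}
SECRETS = {"db-api-key": b"constructed-secret-value"}  # constructed sample secret
MAX_AGE_SECONDS = 60


@dataclass
class Attestation:
    measurement: str   # hash of the code loaded in the enclave
    nonce: bytes       # challenge issued by the broker, proves freshness
    signature: bytes   # platform MAC over measurement and nonce


def sign_report(measurement, nonce, key=PLATFORM_KEY):
    return hmac.new(key, measurement.encode() + nonce, hashlib.sha256).digest()


class SecretBroker:
    def __init__(self):
        self._pending = {}  # nonce -> time it was issued

    def challenge(self):
        nonce = os.urandom(16)
        self._pending[nonce] = time.monotonic()
        return nonce

    def release(self, name, att):
        issued = self._pending.pop(att.nonce, None)  # single use: blocks replay
        if issued is None or time.monotonic() - issued > MAX_AGE_SECONDS:
            return None, "stale or unknown nonce"
        expected = sign_report(att.measurement, att.nonce)
        if not hmac.compare_digest(expected, att.signature):
            return None, "bad signature"
        if att.measurement not in TRUSTED_MEASUREMENTS:
            return None, "untrusted measurement"
        return SECRETS[name], "released"


def attest(broker, code, key=PLATFORM_KEY):
    """Simulate an enclave running `code` answering the broker's challenge."""
    nonce = broker.challenge()
    m = hashlib.sha256(code).hexdigest()
    return Attestation(m, nonce, sign_report(m, nonce, key))
```

In a real deployment the released secret would also be sent over a channel bound to the attested enclave rather than returned in the clear.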

Handling data outside the trust boundary increases the risk of many unwanted security breaches. According to Verizon's 2019 Data Breach Investigations Report (DBIR), which analyzed more than 41,000 cybersecurity incidents and more than 2,000 data breaches from 86 countries, half of organizations are taking months or longer to discover their breaches. The report also focused on a variety of phishing attacks which were financially motivated. Some of the examples include 10,241,581 exposed records in the education space since 2005.

Security and compliance requirements mandate that individuals working on sensitive datasets in these untrusted environments cannot access the data they're processing. Use cases include analytics on multiple data sources to uncover money laundering (AML), cybercrime, or fraud; and analytics on multiple genetic/genome datasets, where data can never be exposed to the people running the analytics. Since organizations are worried about protecting their applications in the datacenter, they build security zones to protect critical infrastructure, use containers to isolate running processes, and use both distributed and perimeter firewalls to keep malware out. However, they are still concerned about security threats due to misconfiguration of policies and privileges, threats from malicious insiders, zero-day bugs, and advanced persistent threats.

Beyond the methods mentioned above, one of the ways enterprises secure their data and meet compliance requirements is by using hardware security modules (HSMs). HSMs are physical appliances traditionally built using proprietary hardware that can store cloud security encryption keys in a secure trusted boundary inaccessible to cloud providers and any other outside software. As a result, enterprises can securely store and use their keys in the cloud using HSMs. In a way, HSMs are the only place where one can expect some privacy from the cloud provider. Typical use cases for HSMs include payment processing, PKI infrastructure, key injection, database encryption, etc.

While processing the data from multiple sources, organizations need to assure security of the data when it is outside the trust boundary. One way to achieve this is for companies to deploy an end-to-end solution that protects the data-in-use without hampering the performance. The underlying product should provide a holistic outlook on security, which may include HSMs, IAM policy controls, key management, running applications in trusted environments, monitoring audit logs, etc. One approach that can help with this is to use security systems that can run high-end analytics applications inside secure enclaves. These enable the decrypted data from multiple sources to be processed inside the secured environment, and the results returned to the concerned party.

In summary, it is not possible to always process data inside the trust boundary, and keeping data safe outside the trusted boundary is not easily done. A smart plan combined with technology that is safeguarded by hardware can reduce the security vulnerabilities and process the application and data safely.

About Fortanix 

Fortanix's mission is to solve cloud security and privacy challenges. Fortanix allows customers to securely operate even the most sensitive applications without having to trust the cloud. Fortanix provides unique deterministic security by encrypting applications and data everywhere - at rest, in motion, and in use with its Runtime Encryption technology built upon Intel SGX. Fortanix secures F100 customers worldwide and powers IBM Data Shield and Equinix SmartKey HSM-as-a-service. Fortanix is a venture backed Gartner Cool Vendor headquartered in Mountain View, Calif. For more information, see

Fortanix Self-Defending Key Management Service (SDKMS) is the world's first cloud solution secured with Intel SGX. With SDKMS, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.

Published Tuesday, July 23, 2019 8:26 AM by David Marshall