Digital transformation is accelerating at a rapid pace. This brings increased efficiencies and profits, but also opens organizations up to new and dangerous online risk. It’s encouraging, though, that many businesses embracing the digital world have come a long way—from security ignorant to security conscious to security vigilant. As a result, we’ve witnessed the gradual but rapidly accelerated adoption of solutions that manage and protect machine identities such as TLS certificates.
To be successful, organizations must employ machine identity management solutions that operate at scale with automation and intelligence across various environments. One important challenge for many organizations to accomplish that goal has been to secure the private cryptographic keys that are used to prove the authenticity of the server identified by digital certificates. Often, these private keys are protected in a suboptimal manner that incurs either prohibitively expensive overhead or undesirably high risk.
For customers of Venafi and Intel, this is a challenge no more! Combined with the best machine identity management from Venafi, Intel® Software Guard Extensions (Intel® SGX) secures private keys with an enclave-based solution that significantly reduces hardware cost and overhead while dramatically improving security.
Understanding the risk
Machine identities can be compromised when they are vulnerable in two scenarios: at rest and in use.
A highly discouraged, yet popular practice, is to store private keys at rest on the file system and rely on OS-provided controls to secure them. This outdated defense has little to no power with today’s sophisticated attackers. Of course, these keys are technically protected through encryption and more stringent access controls offer even higher protection, but that’s still not quite enough in today’s digitally transformed world.
What about the lack of protection for sensitive data in use in memory?
Imagine a TLS certificate on a web app. Any time the application is up, and people can access it, the certificate exists both in-memory and at-rest on the file system somewhere. If the app were offline or down, it would only exist at-rest.
This is significant because there is great risk from memory targeting attacks such as memory-scraping. And that risk only worsens as businesses move workloads to third-party cloud infrastructures, introducing additional humans to the operational mix. The fact that these peripheral humans hold the least stake in securing an enterprise customer’s business interest highlights the need for the strictest protections against human error in the public cloud.
In-memory protection from Intel and Venafi
Intel® SGX provides CPU encryption for a portion of memory to fend off unauthorized access to protected data in use. The integration of the Venafi Trust Protection with Intel SGX protects the private keys—or machine identities—when they are loaded on to the RAM of a shared cloud instance or a remote machine that's under control by another entity. Coupled with a hardware security module (HSM), the joint solution delivers end-to-end protection of the private keys while they are generated, stored, transported, and in use—in memory—and even in an untrusted sharing cloud environment.
How? The Intel SGX enabled server is not much different from a regular server equipped with Intel CPU in all other aspects of the computing. While Intel SGX servers are designed for general computing purposes, with added security enclave capability and Venafi’s collaboration, Intel SGX helps to eliminate any exposure of the private key through the full lifecycle of a machine identity. All this with little to no management or additional operational overhead or cost.
The Venafi Trust Protection Platform supports Intel SGX security enclave functionality without any changes to deployment and configurations. The Intel SKC service and the Venafi platform run on independent servers and connect through standard authentication protocols.
Try this unique security solution today – for FREE
Want to try it out in your lab? Venafi customers and prospects who have an interest in testing the solution out are invited to participate in our Early Bird Access Program, which provides Intel SGX hardware and Venafi Adaptable Driver. Participation is on a first-come-first-serve basis. This is a great opportunity to experience this unique solution firsthand and provide both Intel and Venafi valuable feedback on future development. Learn more and apply to the Early Bird Access here.
Visit the Venafi Marketplace for information on the Venafi Adaptable Driver for Intel SGX.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.