AWS makes it easier to process data securely

  • November 3, 2020
  • Steve Rogerson

Amazon Web Services has announced the general availability of AWS Nitro Enclaves, an Amazon EC2 capability that makes it easier for users to process highly sensitive data securely.

Nitro Enclaves helps users reduce the attack surface for their applications by providing a trusted, highly isolated, and hardened environment for data processing. Each Enclave is a virtual machine created using the same Nitro hypervisor technology that provides CPU and memory isolation for EC2 instances, but with no persistent storage, no administrator or operator access, and no external networking.

This isolation means applications running in an Enclave remain inaccessible to other users and systems, even to users within the same organisation. The Enclave owner can start and stop an Enclave or assign resources to it, but even the owner cannot see what is being processed inside it.

AWS also announced the launch of AWS Certificate Manager (ACM) for Nitro Enclaves, an Enclave application that makes it easier for users to protect and manage SSL and TLS certificates for their web servers running on EC2.

Many users across all industries have asked for help to protect highly sensitive data such as personally identifiable information, financial data, healthcare records and intellectual property, including from internal users within their own accounts. These users can protect their data with access controls and by encrypting it at rest and in transit, but encryption does not protect data that must be unencrypted at the point of use; for example, a healthcare recommendations algorithm must have access to unencrypted patient data.

One method is to remove much of the functionality that an instance provides for general-purpose computing, for example networking, the ability to log into an instance, the capability to store and retrieve data and so on. But doing so renders the rest of the instance less useful.

To protect unencrypted data during processing, users often set up separate instance clusters for secure data, configured with limited connectivity, restricted user access and other strict isolation measures. However, the possibility of human error in the setup and administration of such complex custom systems can lead to availability issues or security oversights, and managing these extra instances is an operational burden, an organisational bottleneck and expensive.

With Nitro Enclaves, users simply select an instance type and decide how much CPU and memory they want to designate to the Enclave. Nitro Enclaves provides the flexibility to partition varying combinations of CPU cores and memory, enabling users to match resources to the size and performance demands of their workloads.

They can develop Enclave applications using the open source Nitro Enclaves SDK, a set of libraries. The SDK also integrates with the AWS Key Management Service (KMS), so users can generate data keys and decrypt them inside the Enclave.

With ACM for Nitro Enclaves, users can easily isolate SSL and TLS certificates within an Enclave, making them usable by web servers on the instance while protecting them from access by other users or applications in the user’s environment.

SSL and TLS certificates are used to secure network communications and establish the identity of web sites over the internet or resources on private networks. ACM for Nitro Enclaves ensures sensitive data associated with these certificates never leave the Enclave, while also managing the revocation and renewal of certificates to reduce the need for manual monitoring and web server reconfigurations when a certificate expires.

“Customers often tell us that powerful built-in protections like the locked-down security model of the Nitro System are among the primary reasons why they trust AWS with their workloads,” said David Brown, vice president at AWS. “Nitro Enclaves builds on those same security and isolation models that have separated AWS for so many customers, delivering a more efficient method for securely processing highly sensitive data. This means customers can build and innovate faster in a way that still meets the highest bar for security.”

Nitro Enclaves is available on most Intel and AMD-based Amazon EC2 instance types built on the AWS Nitro System; support for AWS Graviton2-based instances is coming in the first half of 2021.

Anjuna Security provides simple, secure, enterprise-ready application and data protection against malicious software, IT insiders and bad actors.

“Our customers come to Anjuna because they want a simple way to get their applications up and running in a secure, isolated compute environment,” said Ayal Yogev, CEO of Anjuna. “The nature of our business has given us insight into different approaches for achieving this type of isolation. Our hands-on work with Nitro Enclaves confirms that this is a powerful solution for enterprises looking to process sensitive data in a way that protects these data from insider threats. Nitro Enclaves is exactly the type of innovation that has security-minded organisations looking to the cloud, and that’s why Anjuna is supporting the service to help AWS customers quickly lift and shift applications to Enclaves without recoding or changing processes.”