AWS Nitro Enclaves: Create isolated environments to protect highly sensitive workloads
Amazon Web Services announced the general availability of AWS Nitro Enclaves, a new Amazon EC2 capability that makes it easier for customers to securely process highly sensitive data.
AWS Nitro Enclaves helps customers reduce the attack surface for their applications by providing a trusted, highly isolated, and hardened environment for data processing.
Each Enclave is a virtual machine created using the same Nitro Hypervisor technology that provides CPU and memory isolation for Amazon EC2 instances, but with no persistent storage, no administrator or operator access, and no external networking.
This isolation means that applications running in an Enclave remain inaccessible to other users and systems, even to users within the customer’s organization. With this isolation, the AWS Nitro Enclave owner can start and stop, or assign resources to an Enclave, but even the owner cannot see what is being processed inside of AWS Nitro Enclaves.
AWS also announced the launch of AWS Certificate Manager (ACM) for Nitro Enclaves, a new Enclave application that makes it easy for customers to protect and manage Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for their webservers running on Amazon EC2.
Many customers across all industries have asked for help to further protect their highly sensitive data like personally identifiable information, financial data, healthcare records, intellectual property, and more – including from internal users within their own accounts.
Today, customers can protect their data with access controls and by using encryption while it is at rest and in transit, but encryption does not protect data when it is unencrypted at the point of use (e.g. a healthcare recommendations algorithm must have access to unencrypted patient data).
One solution is to remove much of the functionality that an instance provides for general-purpose computing (e.g. networking, the ability to log into an instance, the capability to store and retrieve data, etc.), but doing so renders the rest of the instance less useful.
To protect unencrypted data during processing, customers often set up separate instance clusters for secure data configured with limited connectivity, restricted user access, and other strict isolations.
However, the possibility of human error in the setup and administration of such complex custom systems can lead to availability issues or security oversights, and managing these extra instances is an operational burden, an organizational bottleneck, and expensive.
With AWS Nitro Enclaves, customers simply select an instance type and decide how much CPU and memory they want to designate to the Enclave. AWS Nitro Enclaves provides the flexibility to partition varying combinations of CPU cores and memory, enabling customers to match resources to the size and performance demands of their workloads.
Customers can develop Enclave applications using the open source AWS Nitro Enclaves SDK set of libraries. The AWS Nitro Enclaves SDK also integrates with AWS Key Management Service (KMS), allowing customers to generate data keys and to decrypt them inside the Enclave.
With ACM for Nitro Enclaves, customers can easily isolate SSL/TLS certificates within an Enclave, making them usable by webservers on the instance while protecting them from access by other users or applications in the customer’s environment. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet or resources on private networks.
ACM for Nitro Enclaves ensures that sensitive data associated with these certificates never leaves the Enclave, while also managing the revocation and renewal of certificates to reduce the need for manual monitoring and webserver reconfigurations when a certificate expires.
“Customers often tell us that powerful built-in protections like the locked-down security model of the Nitro System are among the primary reasons why they trust AWS with their workloads,” said David Brown, Vice President, Amazon EC2, at AWS.
“Nitro Enclaves builds on those same security and isolation models that have separated AWS for so many customers, delivering a more efficient method for securely processing highly sensitive data. This means customers can build and innovate faster in a way that still meets the highest bar for security.”
AWS Nitro Enclaves is available on the majority of Intel and AMD-based Amazon EC2 instance types built on the AWS Nitro System (AWS Graviton2-based instance support is coming in the first half of 2021).
AWS Nitro Enclaves is available today in the US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), Asia Pacific (Hong Kong), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) regions, with more regions coming soon.
Anjuna provides simple, secure, enterprise-ready application and data protection against malicious software, IT insiders, and bad actors. “Our customers come to Anjuna because they want a simple way to get their applications up and running in a secure, isolated compute environment,” said Ayal Yogev, CEO and Co-Founder of Anjuna Security.
“The nature of our business has given us insight into different approaches for achieving this type of isolation. Our hands-on work with Nitro Enclaves confirms that this is a powerful solution for enterprises looking to process sensitive data in a way that protects this data from insider threats.
“Nitro Enclaves is exactly the type of innovation that has security-minded organizations looking to the cloud, and that’s why Anjuna is supporting the service to help AWS customers quickly ‘lift and shift’ applications to Enclaves – without recoding or changing processes.”
castLabs pioneers software and cloud services for digital video markets worldwide. “As a globally operating cloud service provider handling our clients’ most valuable data and encryption keys, we’re striving to achieve the highest levels of data security, isolation, and trust,” said Michael Stattmann, CEO and Founder, castLabs.
“Working with an advanced security technology usually increases overhead, but with Nitro Enclaves, achieving a confidential computing implementation is easy to develop and deploy, using much more familiar technologies.”
Evervault provides simple SDKs for developers to encrypt sensitive data as it enters their infrastructure, and to process that data without ever exposing it. “Our mission is to encrypt the internet,” said Shane Curran, CEO, Evervault. “Nitro Enclaves provides the perfect platform to make this happen, because it’s the best way to protect data in use.”