The cloud has become particularly popular, whether for using turnkey services, through SaaS (Software as a Service), or deploying your own applications and IT infrastructures, through PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).

However, deploying servers in the cloud does have consequences for the security of your information system and the confidentiality of the data it hosts. Even if you opt for data and network flow encryption, the cloud operator will still be able to access your information.

Intel TDX and AMD SEVns technologies.

When a company deploys a server in the cloud, it generally does so through a virtual machine. This approach not only enables operators to achieve significant economies of scale (by dividing each physical machine into several virtual machines), but also facilitates pay-as-you-go pricing for the resources used.

Both major processor vendors offer technologies for on-the-fly encryption of virtual machine memory: AMD’s Secure Encrypted Virtualization (AMD SEV) and Intel’s Trust Domain Extension (Intel TDX). Any virtual machine can be converted into a confidential virtual machine, in which memory is fully encrypted by the processor. All with an attestation mechanism to guarantee system integrity.

Thanks to confidential virtual machines, it’s possible to have the same security in the cloud as you would on private infrastructures. Google, Microsoft and Amazon now offer confidential VMs. To implement them, you’ll need a verifiability solution for your virtual machines and an encryption key management tool (KMS, for Key Management System). Both are available in the Cosmian vm and Cosmian kms packages respectively.

Going further: Intel SGX enclaves

Confidential virtual machines protect you from the hyperscaler, but not from system administrators who can connect to them. If you want to protect an application and its data, you’ll have to opt for another technology: enclaves. To date, only Intel offers support for enclaves, through Software Guard Extensions (Intel SGX).

Thanks to this technology, no-one, not even a system administrator, will be able to access the processing carried out by applications and their data. Enclaves are impenetrable black boxes that are finding a new lease of life with the emergence of artificial intelligence.

AI engines and models can be deployed on your customers’ servers, without them being able to steal your intellectual property.

Note, however, that enclaves can only run in a virtual machine. So you’ll need to opt for physical servers, or so-called “bare metal” cloud instances. Microsoft, OVH and Alibaba are just some of the players who can offer you Intel SGX-compatible servers. Although complex, the implementation of this technology within your applications will be facilitated by the use of a “Library OS”, such as that offered by Cosmian enclave.

Protect your data in the public cloud with Cosmian. Contact us for more information.