David Fairman, APAC CIO and CSO, Netskope, outlines why data in memory is increasingly becoming a target for attackers – and what can be done about it.
It’s no secret that Digital Transformation has led many companies to move sensitive information to the cloud. Organizations rely on Software-as-a-Service (SaaS) and solutions residing in public clouds to process almost every type of information.
Companies are also frequently transferring data outside their own organization in the process of collaborating with their partners for purposes of value creation. For example, understanding customer demographics and behavior patterns might require a business to share customer data with strategic partners. Consider a bank that partners with an airline to sell an airline-aligned credit card.
The bottom line is that, in many industry sectors, companies have found that moving crucial customer or financial data offsite – for one reason or another – is necessary to maintain a competitive edge.
However, transferring data across shared environments comes with an element of risk, as the organization can lose some control over how that data is managed and protected.
On the whole, cloud service providers and SaaS companies inherently offer capabilities to secure data when it is in storage and when it is in transit. They use solutions that encrypt all their data channels for network and Internet traffic. They also encrypt raw data, behind the scenes, when sitting in storage. This is generally a big uplift when compared to how data is secured when hosted internally.
Unfortunately, there is one more state that data exists in, and the security effectiveness around data in transit and data in storage has driven some attackers to pursue it as a relatively new attack vector: data in use.
Many applications decrypt data for processing and do not encrypt it again until after analytical functions, calculations or other activities are complete. And while the information is in the system’s memory, it is exposed to possible attack.
Over the past year or so, attackers have become increasingly capable of compromising applications, firmware or hardware in ways that give them access to data in use. The threat that data might be extracted during processing is growing so rapidly that companies need to start considering how their cloud providers and business partners plan to address the risk.
Privacy-enhancing technologies (PETs) are designed to protect data in use. Examples of these technologies include multiparty computation, zero-knowledge proofs and homomorphic encryption. Multiparty computation allows for parties to jointly compute a function over their inputs while keeping those inputs private.
Zero-knowledge proofs allow an entity to convince a third-party of an assertion without revealing any further information beyond the fact that the assertion is true. Homomorphic encryption enables a system to process and analyze data in a secure, encrypted format without needing to expose the raw data in memory. The trouble with these and other PET methods is that they can be susceptible to underlying firmware and hardware vulnerabilities.
This is where a subset of PET solutions called ‘confidential computing’ comes into its own. Confidential computing creates a secure enclave within the system memory underlying a public cloud platform.
This enclave is a container that has extremely tight controls around exactly which code can access the data within the container. The secure enclave embeds encryption and decryption keys, as well as access controls, within the system memory and it blocks access attempts by any code that is not specifically authorized to be there.
So, even if there is a vulnerability in an application, operating system, hardware or firmware, no malware will be able to access or manipulate data within memory unless it has explicit permission to do so. For all unauthorized code, the trusted execution environment denies access and prevents any requested actions from being performed.
Think about threat actors that exploit a vulnerability in an application which gives them kernel access to the underlying operating system. From there, they can perform screen scrapes, memory dumps and more, because the operating system is controlling how the data is processed in memory.
By contrast, a confidential computing approach essentially keeps data secure the whole time it is undergoing analysis or computation. The trusted execution environment serves as a gateway between any data that’s being used in memory and any code that requests to access that data, whether it’s an operating system or application. Even if attackers could execute a memory dump, the data that they would be able to access in memory would come out encrypted.
We’re regularly seeing more hardware and firmware vulnerabilities come to light. I believe that is in large part due to the industry getting better at dealing with software vulnerabilities. In many cases, however, hardware vulnerabilities are currently the soft underbelly of cloud technologies.
For that reason, I expect to see increasing numbers of adversaries trying to exploit the weaknesses of hardware and firmware to gain access to data in use.
As businesses become increasingly aware of this risk, I expect confidential computing to rapidly grow in popularity. Financial services will likely start rolling it out first, since heavy regulations usually mean financial institutions lead other industry sectors when it comes to any type of data security. I expect other industries will follow suit fairly quickly.
Healthcare and insurance organizations will probably be a close follower after the big banks, as will critical infrastructure organizations, such as defense firms and power companies, because they are often in the crosshairs of adversaries trying to steal or manipulate data.
While awareness of the issue is just now starting to emerge, confidential computing is a technology that every business should be aware of. In the near future, every organization that processes critical data in the cloud should be evaluating whether its cloud providers are using confidential computing to secure data in use.
Click below to share this article