If you were wondering why data breaches continue to rise despite a security market littered with vendors trying to solve that problem, the answer may lie with the infrastructure.
Ambuj Kumar, the CEO of Fortanix, a developer of key management that provides hardware security module-grade security with software-like flexibility, told EChannelNews that all the current defensive layers protect the infrastructure and do not do much for sensitive database apps.
Solutions such as firewalls, malware protection and sandboxing focus just on infrastructure. “The thought is if the infrastructure is secure then the data is secure too,” Kumar said.
The problem with that concept is most organizations are not on just one infrastructure. They have hybrid cloud, public cloud, private cloud and can be on AWS, Azure and IBM SoftLayer. According to Kumar, the fundamental problem with infrastructure is that it is too complex to be secure.
Fortanix's solution is secured with Intel SGX technology and has been built for modern cloud-scale applications. Intel SGX protects select code and data from disclosure or modification. It does so through the use of enclaves, which are protected areas of execution in memory. The company has already been named a Top 10 finalist for the RSA Innovation Sandbox Contest for its Runtime Encryption and self-defending key management service.
With runtime encryption, there can be a secure view of the app workflow without trusting the infrastructure. “If an attacker comes into the network or if you have a malicious attack with root password access you can still be secure,” he said.
Established in 2016, Fortanix partnered with Intel to bring SGX to the commercial enterprise security space. This means Fortanix customers do not have to trust the OS to keep apps protected.
For example, if a Linux kernel patch is not applied, you are still secure. A zero-day vulnerability in the kernel may give attackers access, but Fortanix does not need the OS to be secured or patched to supply full security.
“Customers are scared to put sensitive apps on the cloud. They want the economics of what the cloud offers but are worried that most of the sensitive apps will get exposed,” Kumar added.
Another alliance Fortanix has is with data centre provider Equinix. Equinix and Fortanix have a self-defending key management service that offers a hardware security module with Intel SGX.
“If you operate in AWS and you have a bunch of keys for encrypting databases or tokenizing data you need to maintain them on premise to find out how the apps are operating on the cloud and that can be a nightmare,” he said.
Equinix offers a solution called SmartKeys in an as-a-service model to all major cloud providers, and this enables customers to be one step away from a hardware security module delivered as a service.