Using Confidential Computing to Protect Function-as-a-Service Data

Vishal Gupta Fortanix
Published:Jul 10, 2020
Reading Time:4 Minutes

Organizations are embracing the power of Function-as-a-Service (FaaS). FaaS can be seen as a natural and beneficial outcome of years of data successfully migrating to, and operating in, public clouds.

AWS Lambda, Azure Functions and Google Cloud Functions are today’s market-leading platforms for enterprises looking to realize the power and benefits of FaaS.

FaaS is unlikely to replace all of an enterprise’s IT functions in public clouds, but using it for most stateless business operations can help organizations realize economies of scale and ROI from their public cloud deployments.

But with FaaS emerging on the scene, organizations may wonder how best to protect their cloud data and orchestrate security in public clouds.

Enterprise key management services powered by secure enclaves are an effective way not only to execute programs and business logic securely in a FaaS environment, but also to keep the entire execution protected, giving it the confidentiality guarantees of confidential computing.

Secure enclaves let enterprise key management services protect data not only at rest and in transit but also at runtime, and keep it protected even if the host around the enclave is compromised: the CPU encrypts enclave memory and blocks access to it from all software outside the enclave, including the host operating system, the hypervisor and the cloud operator’s own tooling. The processor and its attestation keys remain the root of trust, so this guards against a compromised host rather than a compromised CPU. This lets organizations enjoy the benefits of public clouds without making their security public.

Enterprise key management services should, as a rule, be highly scalable and have built-in high availability and disaster recovery support.

In addition, organizations looking to achieve the benefits of secure Function-as-a-Service should consider enterprise key management services that have the following features:

Secure Function-as-a-Service use cases

Enterprise Key Management (EKM) is an integral element of securing sensitive data. When built on confidential computing technology, EKM can help organizations decentralize their most sensitive business logic and execute it in a completely confidential manner, outside the trust boundary of the public cloud.

Popular use cases demonstrating how organizations are realizing these benefits today include:

Storing credit history in AWS

A large financial firm uploads its customers’ credit histories and private data into AWS S3 buckets, protected by client-side encryption with keys held by an enterprise key management service.

Using this approach, it can run confidential credit-forecasting logic on each customer’s historical trends, with the assurance that the data cannot be compromised at any stage: at rest, in transit or at runtime.

The steps below give an example of how confidential computing can help protect private financial data:

  1. The AWS Lambda function reads customers’ encrypted private information and credit records from AWS S3.
  2. The Lambda function passes that data, as JSON, to the enterprise key management service, where the confidential credit-forecasting logic runs inside a secure enclave.
  3. The enterprise key management service decrypts the S3 data with a key that never leaves the service, runs the business logic on it, and returns the encrypted result to the Lambda function as JSON.
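
The three steps above, as an added example in Go that is not from the original post or from any Fortanix product: a key service standing in for the enclave holds a key-encryption key (KEK) that never leaves it, the uploader protects each record with a one-time data key that the service wraps, and the Lambda only moves ciphertext in both directions. The record shape, the function names, the risk rule and the JSON layout are assumptions made for the example; attestation of the enclave before the Lambda trusts it is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// EncryptedBlob is all that S3 and the Lambda ever hold: the record's data key wrapped under the service's KEK, plus an AES-GCM nonce and ciphertext.
type EncryptedBlob struct {
	WrappedKey []byte // nonce || KEK-encrypted data key
	Nonce      []byte
	Ciphertext []byte
}

// CreditRecord is a hypothetical shape for the S3 data; the page gives no schema.
type CreditRecord struct {
	Customer        string
	MonthlyBalances []float64
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// gcm returns AES-256-GCM for a 32-byte key. Open fails closed on any change to nonce or ciphertext, which is what rejects a tampered record below.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // only ever called with 32-byte keys
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(key, pt []byte) (nonce, ct []byte) {
	nonce = randBytes(12) // fresh nonce per message
	return nonce, gcm(key).Seal(nil, nonce, pt, nil)
}

// KeyService stands in for the enclave-hosted key management service. The KEK is generated inside it and never returned to any caller.
type KeyService struct{ kek []byte }

func NewKeyService() *KeyService { return &KeyService{kek: randBytes(32)} }

// ClientEncrypt is the client-side encryption applied before upload to S3: a one-time data key encrypts the record and is itself wrapped under the KEK.
func (s *KeyService) ClientEncrypt(rec CreditRecord) EncryptedBlob {
	pt, _ := json.Marshal(rec)
	dek := randBytes(32) // discarded on return; only its wrapped form survives
	kn, kc := seal(s.kek, dek)
	n, c := seal(dek, pt)
	return EncryptedBlob{WrappedKey: append(kn, kc...), Nonce: n, Ciphertext: c}
}

// openBlob parses a blob, unwraps its data key with the KEK and authenticates the payload. Only code inside the enclave ever sees dek or pt.
func (s *KeyService) openBlob(blobJSON []byte) (b EncryptedBlob, dek, pt []byte, err error) {
	if err = json.Unmarshal(blobJSON, &b); err != nil || len(b.WrappedKey) < 12 {
		return b, nil, nil, fmt.Errorf("malformed blob")
	}
	if dek, err = gcm(s.kek).Open(nil, b.WrappedKey[:12], b.WrappedKey[12:], nil); err != nil {
		return b, nil, nil, fmt.Errorf("unwrap data key: %w", err)
	}
	if pt, err = gcm(dek).Open(nil, b.Nonce, b.Ciphertext, nil); err != nil {
		return b, nil, nil, fmt.Errorf("record rejected, tampered or wrong key: %w", err)
	}
	return b, dek, pt, nil
}

// RunForecast is the confidential business logic (an assumed rule): a balance that grew over the period means high risk.
func RunForecast(rec CreditRecord) string {
	n := len(rec.MonthlyBalances)
	if n >= 2 && rec.MonthlyBalances[n-1] > rec.MonthlyBalances[0] {
		return "high"
	}
	return "low"
}

// Process is the enclave entry point the Lambda calls with the blob as JSON (step 2). The forecast
// goes back re-encrypted under the record's own data key (step 3), so the Lambda relays a result it cannot read.
func (s *KeyService) Process(reqJSON []byte) ([]byte, error) {
	b, dek, pt, err := s.openBlob(reqJSON)
	if err != nil {
		return nil, err
	}
	var rec CreditRecord
	if err := json.Unmarshal(pt, &rec); err != nil {
		return nil, err
	}
	out, _ := json.Marshal(map[string]string{"customer": rec.Customer, "risk_tier": RunForecast(rec)})
	n, c := seal(dek, out)
	return json.Marshal(EncryptedBlob{WrappedKey: b.WrappedKey, Nonce: n, Ciphertext: c})
}

func main() { // stand-alone demo; the Lambda's only role is to relay req and resp
	svc := NewKeyService()
	req, _ := json.Marshal(svc.ClientEncrypt(CreditRecord{Customer: "c-1", MonthlyBalances: []float64{1000, 1500}}))
	resp, err := svc.Process(req)
	_, _, result, _ := svc.openBlob(resp) // what an authorised consumer, not the Lambda, gets back
	fmt.Println(string(result), err)      // {"customer":"c-1","risk_tier":"high"} <nil>
}
```

The property worth checking is the one the Lambda itself cannot: a flipped ciphertext byte, or a blob produced under a different service’s KEK, fails at the AES-GCM authentication step and no business logic ever runs on it. Who may later call the service to read a result is an access-control decision the service makes, not the caller.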

Storing health records in Google Cloud Platform

A global healthcare organization stores customers’ SSNs in BigQuery, encrypted by an enterprise key management service. Before approving a customer’s health record, its fraud detection application needs to compare that SSN against SSNs that may have been compromised recently.

The health organization must obtain the list of breached SSNs from a reputable third-party vendor. Without confidential computing, performing that comparison in the public cloud would be risky, since the SSNs would be in the clear wherever the comparison runs.

The steps below show how an enterprise key management service can help the health organization avoid this risk:

  1. The health record fraud detection application running in Google Cloud Platform reads the encrypted secret (the SSN, encrypted by the enterprise key management service) from BigQuery and sends it to the secure enclave.
  2. The enterprise key management service decrypts it with the right key, calls out to the third-party firm for the list of breached SSNs, runs the sensitive business logic and returns only a Boolean response.
  3. Based on the response, the health record fraud detection application takes further action.

Executing financial transactions across public clouds
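
The enclave-side comparison of step 2, as an added Go example that is not from the page or from Fortanix. It starts at the point where the enclave already holds the decrypted SSN, uses a constructed stand-in for the vendor’s list, and adds one thing the steps do not spell out: the list is kept only as HMAC-SHA256 digests under a key generated inside the enclave. The SSN space is under 10^9 values, so a plain SHA-256 of the list could be inverted by brute force if the digest store ever left the enclave; the keyed digest cannot. The type and function names and the sample list are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"strings"
)

// NormalizeSSN accepts "123-45-6789", "123 45 6789" or "123456789" and returns
// the nine digits, so formatting differences between the vendor's list and
// the stored value never cause a missed match. Errors never echo the input.
func NormalizeSSN(s string) (string, error) {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= '0' && r <= '9':
			b.WriteRune(r)
		case r == '-' || r == ' ':
		default:
			return "", errors.New("unexpected character in SSN")
		}
	}
	if b.Len() != 9 {
		return "", errors.New("SSN must have exactly nine digits")
	}
	return b.String(), nil
}

// BreachChecker runs inside the enclave. It keeps the vendor's breached SSNs
// only as HMAC-SHA256 digests under a key generated here and never exported:
// with fewer than 10^9 possible SSNs, unkeyed digests could be brute-forced
// back to SSNs by anyone who obtained the store; keyed ones cannot.
type BreachChecker struct {
	key      []byte
	breached map[[32]byte]struct{}
}

func NewBreachChecker() *BreachChecker {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return &BreachChecker{key: key, breached: map[[32]byte]struct{}{}}
}

func (c *BreachChecker) digest(ssn string) (d [32]byte) {
	mac := hmac.New(sha256.New, c.key)
	mac.Write([]byte(ssn))
	copy(d[:], mac.Sum(nil))
	return d
}

// Load ingests the third-party list fetched in step 2. Entries that are not
// valid SSNs are skipped and counted rather than aborting the whole load.
func (c *BreachChecker) Load(list []string) (loaded, skipped int) {
	for _, raw := range list {
		ssn, err := NormalizeSSN(raw)
		if err != nil {
			skipped++
			continue
		}
		c.breached[c.digest(ssn)] = struct{}{}
	}
	return len(c.breached), skipped
}

// Check is the sensitive business logic of step 2. Only the Boolean leaves
// the enclave; the SSN, the list and the key do not.
func (c *BreachChecker) Check(ssn string) (bool, error) {
	n, err := NormalizeSSN(ssn)
	if err != nil {
		return false, err
	}
	_, hit := c.breached[c.digest(n)]
	return hit, nil
}

// VendorList is a constructed stand-in for the third party's response; the
// values are not real SSNs.
var VendorList = []string{"123-45-6789", "987 65 4321", "555555555", "12-345"}

func main() {
	c := NewBreachChecker()
	loaded, skipped := c.Load(VendorList)
	hit, err := c.Check("123456789")
	fmt.Println(loaded, skipped, hit, err) // 3 1 true <nil>
}
```

Two details matter in practice: the error strings never include the value that failed validation, so an enclave log line cannot leak an SSN, and the caller gets a bare Boolean rather than, say, which list entry matched.
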

A Fortune 50 bank uses both AWS and Azure to serve customers, running workloads across many regions. Its applications deployed in AWS and Azure talk to each other over TLS.

However, for certain transactions the organization needs to transfer customers’ PINs from AWS to Azure. For security, the PIN not only needs to be encrypted with an AES key, but also tokenized before it is received by the customer-facing application hosted in Azure.

The steps below give an example of how confidential computing can help this bank in this secure transaction:

  1. The AWS application encrypts the PIN using the enterprise key management service’s application-level encryption.
  2. It then sends the encrypted PIN to the secure enclave, which first decrypts the PIN with the same key and then tokenizes it according to the predefined token policy.
  3. The enterprise key management service calls the Azure application and sends the tokenized PIN as a JSON response.
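
The tokenization of step 2 and the message of step 3, as an added Go example that is not from the page or from Fortanix; the token policy, the vault structure, the message fields and all names are assumptions. It assumes the PIN has already been decrypted inside the enclave and shows a format-preserving, single-use token drawn from an enclave-resident vault.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// TokenPolicy is a hypothetical token policy: the token keeps the PIN's length
// and digit-only format so downstream field validation still passes, is never
// equal to the PIN, and is unique within the vault.
type TokenPolicy struct{ MinLen, MaxLen int }

func (p TokenPolicy) validate(pin string) error {
	if len(pin) < p.MinLen || len(pin) > p.MaxLen {
		return errors.New("PIN length outside policy") // never echo the PIN
	}
	for _, r := range pin {
		if r < '0' || r > '9' {
			return errors.New("PIN must be digits only")
		}
	}
	return nil
}

// Vault is the enclave-resident token vault: the token -> PIN mapping exists
// only here. Azure receives tokens; only the enclave can reverse them.
type Vault struct {
	mu     sync.Mutex
	policy TokenPolicy
	toPIN  map[string]string
}

func NewVault(p TokenPolicy) *Vault { return &Vault{policy: p, toPIN: map[string]string{}} }

func randomDigits(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		v, err := rand.Int(rand.Reader, big.NewInt(10)) // unbiased, from crypto/rand
		if err != nil {
			return "", err
		}
		out[i] = '0' + byte(v.Int64())
	}
	return string(out), nil
}

// Tokenize draws a fresh random token on every call. Tokens are deliberately
// not deterministic: there are only 10,000 four-digit PINs, so a stable
// PIN -> token mapping would show anyone holding the tokens which customers
// share a PIN.
func (v *Vault) Tokenize(pin string) (string, error) {
	if err := v.policy.validate(pin); err != nil {
		return "", err
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for attempt := 0; attempt < 1000; attempt++ {
		t, err := randomDigits(len(pin))
		if err != nil {
			return "", err
		}
		if _, used := v.toPIN[t]; used || t == pin { // t == pin would send the PIN in the clear
			continue
		}
		v.toPIN[t] = pin
		return t, nil
	}
	return "", errors.New("token space exhausted for this length")
}

// Detokenize is single-use: the mapping is deleted once the authorised Azure
// application has redeemed it, so a token captured later is worthless.
func (v *Vault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pin, ok := v.toPIN[token]
	if !ok {
		return "", errors.New("unknown or already redeemed token")
	}
	delete(v.toPIN, token)
	return pin, nil
}

// Message is the JSON the enclave sends to the Azure application (step 3).
type Message struct {
	Customer string `json:"customer"`
	PINToken string `json:"pin_token"`
}

// TokenizeForAzure is the enclave-side handler for step 2. It assumes the PIN
// was already decrypted inside the enclave, as in the earlier flow.
func TokenizeForAzure(v *Vault, customer, pin string) ([]byte, error) {
	tok, err := v.Tokenize(pin)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Message{Customer: customer, PINToken: tok})
}

func main() {
	v := NewVault(TokenPolicy{MinLen: 4, MaxLen: 6})
	msg, err := TokenizeForAzure(v, "c-1", "1234")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(msg)) // {"customer":"c-1","pin_token":"<four random digits>"}
}
```

A length-preserving policy for a four-digit PIN leaves fewer than 10,000 possible tokens, which is why the vault makes every token single-use and reports exhaustion as an error instead of silently reusing one; a production policy would also expire unredeemed tokens or permit tokens longer than the PIN.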

Providing a trusted execution environment for functions is a valuable feature of enterprise key management services: it not only gives enterprises flexible key management and comprehensive data protection, but also a way to apply on-demand confidentiality to multi-cloud workloads, even for the most sensitive business logic.

With enterprise key management services, organizations can be assured that their data and applications are confidential in public clouds and will stay private even if the host infrastructure around the enclave is compromised.

on-prem as well as cloud, including production databases such as MongoDB, SQL and SAP HANA, Microsoft Azure, and Google Cloud (GCP). There was no centralized control and management of sensitive data. A Trusted Execution Environment helped execute some of these tasks in a confidential manner within secure enclaves:

  • Ability to tokenize various data types, including HR, payroll and claims data, to comply with requirements on SAP S/4HANA
  • Encryption key management and secure crypto operations
  • Ability to combine controls such as Transparent Data Encryption (TDE) with tokenization of certain fields
  • Additional capabilities such as Bring-Your-Own-Key (BYOK) for Azure and secrets management
