Civo, Intel stuff Kubernetes inside a secure enclave
All part of the cloud provider's Confidential Computing push
Cloud slinger Civo has hooked up with Intel to enable Kubernetes to operate in a secure enclave using Intel's Software Guard Extensions (SGX) and intends to make this available to its public cloud customers.
Civo today released an Alpha version of its Kubernetes system operating in a secure enclave, which will form part of its Confidential Computing service built on a hardware-based security solution intended to protect customer data while it is in use.
This was demonstrated at Civo Navigate, the company's first US tech conference in Tampa, Florida.
Civo, which focuses exclusively on services powered by Kubernetes (actually the lightweight K3S distribution), will make the service available on both its public cloud and edge computing options, with users also able to purchase entire racks of servers secured by Intel SGX and deploy them into their own environment.
SGX is Intel's technology for securing highly sensitive data and the code that processes it. The code is placed into an area of memory that is off limits to everything else, including the operating system or hypervisor, and sensitive data is only unencrypted for processing once inside the enclave.
The idea is that SGX can prevent attacks that target sensitive data while it is unencrypted in memory, rather than when it is securely encrypted on storage somewhere.
However, the technology has been plagued by a number of vulnerabilities since its introduction that might have been exploited to expose enclave data, prompting Intel to issue updates to mitigate them.
It appears that Civo intends to allow customers to run entire workloads with Kubernetes inside secure enclaves under its Confidential Computing service. The company told The Reg that SGX is only being used to secure customer application data as of today, but that the Kubernetes control plane is also now secured by an enclave.
Civo also confirmed to us it was looking to use independent attestation to continuously and automatically ensure that the K8s control plane is secure and has not been tampered with.
This platform was made possible by Intel's 4th Gen Xeon Scalable Processors because these feature increased SGX enclave capacity over previous generations, allowing for the creation of more enclaves and the ability to move more services into individual enclaves.
Once in the enclave, the Kubernetes API process was verified at startup and remained unmodified and validated during runtime. In addition to this, the data in the enclave was encrypted and unable to be accessed by anything else during tests, according to Civo.
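The attestation flow Civo describes, a control-plane process measured at startup and re-validated during runtime, boils down to a verifier that repeatedly demands a fresh report and checks it against a policy. The following is an added illustration written for this article, not code from Civo or Intel. It mimics the shape of an SGX attestation check with the standard library only: the measurement stands in for MRENCLAVE, the "platform key" and HMAC stand in for the asymmetric, Intel-rooted quote signature, and every function name and the sample API server bytes are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the bytes of a known-good kube-apiserver build.
KNOWN_GOOD_APISERVER = b"kube-apiserver build 1.2.3 (constructed sample bytes)"


def measure(code: bytes) -> str:
    """Stand-in for an enclave measurement (SGX's MRENCLAVE is a SHA-256 over the
    enclave's initial contents); here we simply hash the bytes we are given."""
    return hashlib.sha256(code).hexdigest()


def issue_report(platform_key: bytes, code: bytes, nonce: str, debug: bool = False) -> dict:
    """Stand-in for the attestation 'quote' a platform produces: the measurement,
    the verifier's nonce and the debug flag, authenticated with a key only the
    platform holds. Real SGX quotes are signed asymmetrically and chained to
    Intel; an HMAC is used here so the example runs offline (assumption)."""
    body = {"measurement": measure(code), "nonce": nonce, "debug": debug}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(platform_key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_report(report: dict, platform_key: bytes, allowed: set, expected_nonce: str):
    """Verifier policy: authentic report, fresh nonce (no replay), production
    enclave (debug off), and a measurement on the allow-list. Returns
    (accepted, reason) so callers can log why a node was rejected."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected_mac = hmac.new(platform_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report["mac"], expected_mac):
        return False, "report signature invalid"
    body = report["body"]
    if body["nonce"] != expected_nonce:
        return False, "stale or replayed report"
    if body["debug"]:
        return False, "debug enclave is not trusted"
    if body["measurement"] not in allowed:
        return False, "unknown measurement"
    return True, "ok"


def continuous_attestation(platform_key: bytes, allowed: set, observed_code_versions: list):
    """Runtime re-validation: each round the verifier picks a fresh nonce,
    requests a report for whatever code the platform is now running, and
    applies the policy. A modified control plane fails the round it appears."""
    results = []
    for code in observed_code_versions:
        nonce = secrets.token_hex(16)  # fresh per round, defeats replay of old reports
        report = issue_report(platform_key, code, nonce)
        results.append(verify_report(report, platform_key, allowed, nonce))
    return results


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    allow_list = {measure(KNOWN_GOOD_APISERVER)}
    rounds = [KNOWN_GOOD_APISERVER, KNOWN_GOOD_APISERVER, KNOWN_GOOD_APISERVER + b" tampered"]
    for i, (ok, why) in enumerate(continuous_attestation(key, allow_list, rounds), 1):
        print(f"round {i}: {'accepted' if ok else 'REJECTED'} ({why})")
```

The allow-list is the policy decision a platform operator actually owns: an attestation report proves what code the enclave was built from, but only the verifier's list of expected measurements turns that into "this is our control plane and nothing else". Rotating the nonce each round is what makes the check continuous rather than a one-off at startup.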
The company told us this Confidential Computing service taps into a growing need to make workloads running under Kubernetes more secure. Civo's own research handily found that 53 percent of companies are concerned about the security of Kubernetes.
"We're always looking to push the boundaries with concepts not available from other cloud providers, and an area we're seeing increased demand is for improved Kubernetes security," CEO Mark Boost said in a statement.
"We want our customers to have total confidence that only their authorized users, and no one else, will have full and unencrypted visibility of their data," he added.
The capability opens the door to a host of potential use cases across many industries, from fields like healthcare and finance that require controlled and privileged access to highly sensitive data, to supporting global firms and governments in protecting confidential or classified data, Boost claimed.
Paul O'Neill, Senior Director for Strategic Business Development in Intel's Confidential Computing group, said: "The Confidential Computing demonstration at Civo Navigate was an important showcase for users of what is possible with Confidential Computing, delivering ultra-high performance Kubernetes using Intel SGX to help ensure sensitive data and intellectual property is protected."
IDC Europe senior research director Andrew Buss told us that anything that can help improve the security and isolation of workloads is only to be applauded.
"The hyperscale cloud players have been offering Confidential Computing services over the past several years, mainly to large enterprise customers, so it's good to see this kind of thing being rolled out by smaller providers to everyone else," he said.
However, Buss added that to gain wider adoption, there needs to be better standardization.
"You have Intel's SGX and AMD's SEV, which differ in the way they operate, but the platform vendors need to come up with open APIs to access these before they will be accessible across all forms of digital enterprise," he said.
Civo said it is looking to move this so far unnamed service into public beta in the coming months, with a full launch expected later this year. ®