Using confidential computing to protect Function-as-a-Service data

Organizations are embracing the power of Function-as-a-Service (FaaS). FaaS can be viewed as a very positive and beneficial result coming from years of data successfully migrating and operating in public clouds. AWS Lambda, Azure Functions and Google Cloud are today’s market leading platforms for enterprises to realize the power and benefits of FaaS.

Function-as-a-Service

FaaS likely won’t replace all an enterprise’s IT functions in public clouds but leveraging FaaS for most of the stateless business operations can help organizations realize the economies of scale and ROI from their public cloud deployments. But with FaaS emerging on the scene, organizations may wonder how best to protect their cloud data and orchestrate security in public clouds.

Enterprise key management services powered by secure enclaves are an effective approach to not only securely executing programs and business logic in a FaaS environment, but also enabling the entire execution to be protected and achieve the secure attributes of confidential computing. Secure enclaves enable enterprise key management services to secure data not only during runtime, but also to protect it if the hardware is ever compromised. This enables organizations to leverage the benefits of public clouds, but not make their security in the cloud public.

Enterprise key management services as a rule should be highly scalable, have built-in high availability and disaster recovery support. In addition, organizations looking to achieve the benefits of secure Function-as-a-Service should consider enterprise key management services that have the following features:

  • Enterprise key management and secrets management
  • Application encryption, tokenization and data masking
  • Multi-tenancy
  • Hardware security module (HSM) functionality with cloud-like scalability
  • FIPS 140-2 Level 3 certification

Secure Function-as-a-Service use cases

Enterprise key management services are powerful technologies for confidential computing that can help organizations decentralize and execute their most sensitive business logic outside of public clouds in a completely confidential manner. Popular use cases demonstrating how organizations are realizing these benefits today include:

Storing credit history in AWS

A large financial firm uploads its customers’ credit history and private data into AWS S3 containers protected by client-side encryption using an enterprise key management service. Using this approach, it can run confidential credit forecasting logic based on historical trends for each customer. It is assured during this analysis that if something cannot be compromised, it’s the security of this data in any stage – at-rest, in-transit and during runtime. The steps below give an example of how confidential computing can help protect private financial data:

1. AWS lambda function reads customers’ encrypted private information and credit record data from AWS S3.
2. AWS lambda function passes that information in JSON to the enterprise key management service where confidential credit forecasting logic is written in a secure enclave.
3. The enterprise key management service decrypts the AWS S3 information using the key from the enterprise key management service, runs business logic on it, and passes the encrypted result back to the Lambda function in JSON format.

Storing health records in Google Cloud Platform

A global healthcare organization saves a customer’s SSN in BigQuery encrypted by an enterprise key management service. Before approving the customer’s health record, its fraud detection application needs to compare this SSN with SSNs that may have been compromised recently. The health organization must gather the list of breached SSNs from a reputable third-party vendor. However, without confidential computing, such a computation in the public cloud could be risky. The steps below show how an enterprise key management service can help the health organization avoid this risk:

1. The health record fraud detection application running in Google Cloud Platform reads an enterprise key management service encrypted secret from BigQuery and sends the encrypted secret to the secure enclave.
2. An enterprise key management service decrypts it with the right key, calls out to the third party firm for a list of all breached SSN numbers, runs sensitive business logic and returns the Boolean response.
3. Based on the response, the health record fraud detection application takes further action.

Executing financial transaction across public clouds

A Fortune 50 bank can use both AWS and Azure to serve customers by running workloads across many regions. Its applications deployed in AWS and Azure talk to each other over TLS. However, there are certain transactions where the organization needs to transfer customers’ PINs from AWS to Azure. For security, that PIN not only needs to be encrypted with the AES key, but it also needs to be tokenized before it is received by another customer facing application hosted in Azure. The steps below give an example of how confidential computing can help this bank in this secure transaction:

1. The AWS application encrypts the PIN by using an enterprise key management service application encryption.
2. Then it sends the encrypted PIN to the secure enclave where it first decrypts the PIN using the same key and then tokenizes the PIN using the predefined token policy.
3. The enterprise key management service calls the Azure application and sends the tokenized PIN as a JSON response.

Providing a trusted execution environment for functions is a valuable feature of enterprise key management services that not only offers enterprises flexible key management and comprehensive data protection offerings, but also give them a way to apply on-demand confidentiality into multi-cloud workloads for even the most sensitive business logic. With enterprise key management services, organizations can be assured that their data and applications are confidential in public clouds and will stay private even if the hardware is compromised.

Don't miss