Secure enclave protection for AI and ML

You can’t swing a virtual bat without hitting someone touting the value of artificial intelligence (AI) and machine learning (ML) technologies to transform big data and human expertise.

A new generation of businesses is promising to accelerate and automate decision making. Most countries, including the United States, view AI technology as critical to retaining or establishing global business leadership. The promise and value of AI and ML rank equal or higher to other intellectual property or corporate secrets within an organization.

Despite this tremendous value, AI/ML assets can’t be fully protected – especially while in use. This creates intellectual property risks that can give pause to both entrepreneurs and investors. The result is a growing sense of urgency to create better controls to protect the raw data, training algorithms, run-time inference engines and generated results – both from competitors and from malicious actors.

The good news is that recent hardware advances built into the latest advanced microprocessors and incorporated into high-end servers can be utilized to protect AI/ML assets, data and other sensitive applications – even during runtime. Harnessing secure enclaves to close the loop on AI/ML vulnerabilities resolves these security concerns and enables AI/ML to be deployed even more widely, effectively, and safely.

What is a secure enclave?

A secure enclave is a private region of memory whose contents are protected by hardware-grade encryption and hardware isolation techniques. Data in an enclave cannot be read or modified by any entity outside the enclave itself, even if the host is physically compromised. From a business perspective, enclaves enable owners to tightly control how, when, and where data (including software in use) is created, used, and retired.

Secure enclaves leverage new hardware-level security capabilities present in modern CPUs and cloud computing platforms from vendors such as Intel, AMD, AWS, Microsoft Azure, and others. Additional software builds on these raw features to create an enclave in which applications can operate unmodified, together with the enclaved storage and communications those applications usually require.

What do secure enclaves protect?

More things than you might think. AI and ML both leverage and create a number of data sets, each of which has different security requirements.

First is the raw data that ML algorithms consume in order to learn. This often includes such highly sensitive data as personal medical or financial records with immense potential for industry. Ideally, this kind of data would be leveraged without the potential of any kind of exposure. In today’s computing environment, that’s practically impossible, because using, moving, or storing data (even when encrypted) implicitly exposes it.

Secure enclaves eliminate this exposure while data is in use, as well as while it’s transported and stored. This makes it possible to use multiple data sets from multiple parties to train the AI engine with zero risk of exposure. Imagine the benefits this could bring to health care or insurance providers and even to government. It enables greater access to data for analysis while virtually guaranteeing data privacy. That means smarter AI.

Proprietary training engines used to process this raw data also need protection. In many cases, the mountain of data used to build experience can’t be moved; the learning engine has to be moved to the distant data mountain. Wherever that software is stored or used exposes it to theft, potentially indefinitely, when it runs on untrusted hardware.

But running and storing machine learning algorithms within the confines of a secure enclave assures that proprietary learning techniques are kept in the hands of their owners, even when those algorithms run in insecure environments. Simple policy and controls can dictate where, how, and when the software can be used down to specific, uniquely identified CPUs.

Similarly, the resulting proprietary inference/expert engine, which makes decisions based on new (often real-time) data, must also be protected. The expertise and experience infused into it are core to the value of the business that created it. Enclaves can play a key role not just in protecting against software exposure and theft, but in controlling licensing and distribution as well. The same policy controls can potentially limit operations, such as to specific CPUs, clouds, and time periods, which protects the seller’s investment.

Interestingly, these same enclave protections secure customer data as well, because they assure that data processed by an enclaved application isn’t accessible by anyone anywhere.

Finally, there are the conclusions that the software generates. Data generated within an enclave is secured and tightly controlled by default. Policy controls must explicitly be implemented to allow exposure, if exposure is ever required.
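The policy controls described above (binding use of the learning or inference software to specific measured code, to specific uniquely identified CPUs, and to a time window, and releasing nothing by default) can be illustrated with a simplified attestation-gated key-release check: the model decryption key is handed to an enclave only after its attestation report passes every policy test. This is an added example, not code from the article or from any enclave vendor; the report format, the HMAC that stands in for the hardware attestation signature, the `ReleasePolicy` fields, and all sample values are assumptions constructed for illustration.

```python
"""Simulated attestation-gated release of a model key (constructed illustration).

Assumptions, none of which come from the article:
- An enclave produces a report with its code measurement, a CPU identity,
  a caller-supplied nonce and an issue time.
- The report is authenticated with an HMAC under a key known to the
  verifier; this stands in for the hardware-signed quote a real platform
  (SGX, SEV-SNP, Nitro, ...) would produce.
- A ReleasePolicy lists the allowed measurements, licensed CPUs and the
  licensed time window. Anything not explicitly allowed is refused.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Placeholder for the hardware root of trust; a real verifier would hold
# the vendor's attestation certificate chain instead of a shared secret.
ATTESTATION_KEY = b"constructed-demo-attestation-root"


def sign_report(report: dict, key: bytes = ATTESTATION_KEY) -> bytes:
    """Canonicalise the report and compute its authentication tag."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def make_quote(measurement: str, cpu_id: str, nonce: str, issued_at: int,
               key: bytes = ATTESTATION_KEY) -> dict:
    """What the (simulated) enclave sends to the key-release service."""
    report = {"measurement": measurement, "cpu_id": cpu_id,
              "nonce": nonce, "issued_at": issued_at}
    return {"report": report, "signature": sign_report(report, key).hex()}


@dataclass
class ReleasePolicy:
    allowed_measurements: set   # hashes of the enclave builds we trust
    allowed_cpus: set           # CPUs the software is licensed to run on
    not_before: int             # licence window, as epoch seconds
    not_after: int
    max_quote_age: int = 300    # reject quotes older than this many seconds


def verify_quote(quote: dict, nonce: str, policy: ReleasePolicy, now: int,
                 key: bytes = ATTESTATION_KEY):
    """Return (ok, reason). Each check is one of the policy controls the
    article describes; the default outcome is refusal."""
    report = quote["report"]
    try:
        presented = bytes.fromhex(quote["signature"])
    except (ValueError, TypeError):
        return False, "bad attestation signature"
    # Integrity first: nothing in the report is trusted until the tag checks.
    if not hmac.compare_digest(sign_report(report, key), presented):
        return False, "bad attestation signature"
    # Freshness: the nonce ties this quote to our request, defeating replay.
    if not hmac.compare_digest(report["nonce"], nonce):
        return False, "nonce mismatch (replayed quote)"
    # Only the exact enclave code we audited may receive the key.
    if report["measurement"] not in policy.allowed_measurements:
        return False, "unexpected enclave measurement"
    # Licensing: restrict use to specific, uniquely identified CPUs.
    if report["cpu_id"] not in policy.allowed_cpus:
        return False, "cpu not licensed"
    # Licensing: restrict use to a time period.
    if not (policy.not_before <= now <= policy.not_after):
        return False, "outside licensed time window"
    if now - report["issued_at"] > policy.max_quote_age:
        return False, "stale quote"
    return True, "ok"


def release_model_key(quote: dict, nonce: str, policy: ReleasePolicy,
                      now: int, model_key: bytes):
    """Hand over the model key only when every policy check passes."""
    ok, reason = verify_quote(quote, nonce, policy, now)
    return (model_key if ok else None), reason


if __name__ == "__main__":
    policy = ReleasePolicy({"meas-a"}, {"cpu-1"}, 0, 2 ** 40)
    nonce = secrets.token_hex(16)          # fresh challenge per request
    now = int(time.time())
    good = make_quote("meas-a", "cpu-1", nonce, now)
    wrong_cpu = make_quote("meas-a", "cpu-9", nonce, now)
    for q in (good, wrong_cpu):
        key, why = release_model_key(q, nonce, policy, now, b"model-key")
        print("released" if key else "refused", "-", why)
```

The order of checks matters: the signature is verified before any field is read so that an attacker cannot steer the decision with a forged report, and the caller-chosen nonce is compared before the policy fields so that a genuine but old quote cannot be replayed from another session.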

Greater security means greater opportunity

Secure enclave protection doesn’t just obviate the data and IP risks associated with developing and protecting commercial AI/ML capabilities. It also creates opportunities to build new and more powerful capabilities from broader data sets. Secure enclaves offer a solid path for businesses to significantly reduce the risk associated with these potentially huge new opportunities.