Intel and Fortanix extended their security partnership at this year’s RSA Conference. The two companies take a hardware-plus-software approach with Fortanix’s cloud-delivered encryption and key management running on top of Intel’s processor-hardened enclaves. And in an interview with SDxCentral surrounded by literal noise from the more than 42,500 attendees, executives from both companies agreed that the vendor landscape is too noisy and needs to be fixed. Silicon-enabled security, they say, is one way to address this.
“RSA, and security in general, is very noisy,” said Ambuj Kumar, co-founder and CEO of cloud security startup Fortanix. “There are literally thousands and thousands of vendors and hundreds of companies getting funded every year. But security vendors have done a disservice to their customers by not clearly communicating what their ROI is or giving a list of threats they can actually protect you from. There’s a lot of snake oil business going on.”
He suggested vendors tell customers something like: here are the 300 security problems you should worry about; if you buy my product, you'll have only 275 left on your list.
“That level of clarity is missing and it creates a buyer fatigue,” Kumar added. “Security vendors need to talk about what are the things they mitigate and what are the things they don’t mitigate.”
At this point Intel’s Jim Gordon, general manager of security ecosystem strategy and development, chimed in. “I feel sorry for CISOs,” he said. “You read a press release for any of these companies and you’d think they’ve solved it all. They all read the same way. And it’s hard to tell trust from fiction. In any other industry there’s performance metrics that people agree on. But in security it’s much grayer.”
Companies spend more on security every year — Gartner expects the market for security products and services to hit $124 billion this year, an 8.7 percent increase from 2017. But at the same time breaches are getting bigger and more costly.
Gordon said that when he gives security talks he likes to show spending charts for other major challenges like improving fuel efficiency in cars. “You spend more, the problem gets smaller,” he said. “In case after case in macro-issues, that’s the case. Except one — this one here. You spend more and more [on security] and it keeps getting worse. It’s the biggest macro failure in investing ever. Sooner or later we’re going to have to find some breakthrough approaches that actually bend the curve and start bringing it down.”
And perhaps not surprisingly, Intel, he said, believes hardware-assisted security could be one of those things “because we operate below the bad guys.”
On top of that, Fortanix’s secure runtime encryption technology protects from various software-level attacks. “And it’s not magic because we are hardware assisted,” Kumar added.
Intel SGX Card
Here’s a closer look at what both companies announced at the RSA Conference and what the technology actually does.
Intel unveiled its SGX Card, which gives companies’ existing data center servers the security features offered by Intel Software Guard Extensions (SGX). Intel SGX isolates specific application code and data to run in private regions of memory – or enclaves – thus protecting select code and data from disclosure or modification.
While this technology will be available on future multi-socket Intel Xeon Scalable processors, there’s a need for it today. Enter the Intel SGX Card, which can extend application memory protections using Intel SGX in existing data center infrastructure.
“It allows companies with existing data center infrastructure that want to have the benefits of SGX but can’t refresh their infrastructure, it allows them to upgrade their existing infrastructure and security by adding this add-in card,” Gordon said. The card offers some additional benefits such as access to larger, non-enclave memory spaces, and some additional side-channel protections when compartmentalizing sensitive data to a separate processor and associated cache, according to the chipmaker. This is important because Intel has disclosed SGX vulnerabilities that could allow hackers to access data that is supposed to be protected in these secure enclaves.
When asked about these new side-channel protections, an Intel spokesperson jumped in and said that “there are mitigations in place,” and that they would be shared via email. In that email, the spokesperson wrote that “in 2019, we’ll continue to integrate hardware-based mitigations into hardware” and referred me to this page for more details.
Fortanix Runtime Encryption
Fortanix developed cloud-based security technology it calls Runtime Encryption that runs on top of Intel SGX hardware. It provides both key management and hardware security module (HSM) capabilities via software. It also ensures untrusted operating systems, root users, and cloud providers don’t have access to the encrypted data. Equinix, IBM Cloud, and Alibaba Cloud use Fortanix’s security software running on Intel SGX.
The startup launched in July 2017, and has been getting closer to Intel ever since.
In January, Fortanix closed a $23 million Series B led by Intel Capital. At the time, Kumar said the funding round strengthened Fortanix’s partnership and work with Intel.
At the RSA Conference, Fortanix launched its Enclave Development Platform (EDP), which is an open-source software development kit (SDK) based on the Rust programming language. It uses security properties native to Rust and allows developers to write Intel SGX applications — essentially a DevSecOps approach to writing code.
“If your goal is to create something more secure, you write it in Rust so it is secure from the inside, and then you run it in SGX so it is secure from the outside,” Kumar said.
The Fortanix EDP is also integrated with the Rust compiler, which allows developers to use new features including non-lexical lifetimes, futures and async/await syntax, and faster compile times. Old code will continue to work after the compiler is upgraded, and the open source licensing of the Fortanix EDP allows developers to build, sell, or distribute the applications they create.
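To make the “secure from the inside, secure from the outside” idea concrete, here is an added example in Rust; it is not Fortanix’s or Intel’s code and does not use the EDP crates. It models the trust boundary that Runtime Encryption and an SGX enclave draw: key material lives only inside the `enclave` module (in a real deployment, the part compiled for the EDP’s `x86_64-fortanix-unknown-sgx` target), while untrusted host code only ever holds opaque key handles and ciphertext. The module, type and function names are my own, the `seed` argument stands in for enclave-internal randomness, and the cipher is a placeholder keystream built from the standard library’s hasher so the file runs with no dependencies; a production enclave would use an AEAD such as AES-GCM from a vetted crate.

```rust
// Added example, not Intel's or Fortanix's code. `enclave` is the trusted
// compartment; `main` plays the untrusted host. Names are hypothetical.
pub mod enclave {
    use std::collections::hash_map::DefaultHasher;
    use std::collections::HashMap;
    use std::hash::Hasher;

    /// Raw key bytes. No `Clone`, `Copy` or derived `Debug`, so the compiler
    /// rejects code that duplicates or prints a key ("secure from the inside").
    pub struct KeyMaterial([u8; 32]);

    impl Drop for KeyMaterial {
        // Wipe the key on release; write_volatile stops the optimizer from
        // dropping the overwrite as a dead store.
        fn drop(&mut self) {
            for b in self.0.iter_mut() {
                unsafe { std::ptr::write_volatile(b, 0) };
            }
        }
    }

    impl std::fmt::Debug for KeyMaterial {
        fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
            f.write_str("KeyMaterial(<redacted>)")
        }
    }

    /// Opaque handle: the only key-related value that crosses the boundary.
    #[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
    pub struct KeyId(u64);

    pub struct KeyStore {
        keys: HashMap<KeyId, KeyMaterial>,
        next_id: u64,
        next_nonce: u64,
    }

    impl KeyStore {
        pub fn new() -> Self {
            KeyStore { keys: HashMap::new(), next_id: 1, next_nonce: 1 }
        }

        /// Install a key and hand back only its handle. `seed` stands in for
        /// randomness drawn inside the enclave in a real build.
        pub fn generate_key(&mut self, seed: [u8; 32]) -> KeyId {
            let id = KeyId(self.next_id);
            self.next_id += 1;
            self.keys.insert(id, KeyMaterial(seed));
            id
        }

        // Deliberately absent: any `export_key(&self, KeyId) -> [u8; 32]`.
        // The host may ask the enclave to *use* a key, never to *read* it.

        /// Ciphertext layout: 8-byte big-endian nonce || plaintext XOR keystream.
        pub fn encrypt(&mut self, id: KeyId, plaintext: &[u8]) -> Option<Vec<u8>> {
            let nonce = self.next_nonce;
            let key = self.keys.get(&id)?;
            let body = xor_keystream(key, nonce, plaintext);
            self.next_nonce += 1; // allowed here: the `key` borrow has ended (NLL)
            let mut out = nonce.to_be_bytes().to_vec();
            out.extend(body);
            Some(out)
        }

        pub fn decrypt(&self, id: KeyId, ciphertext: &[u8]) -> Option<Vec<u8>> {
            let key = self.keys.get(&id)?;
            if ciphertext.len() < 8 {
                return None;
            }
            let mut nonce_bytes = [0u8; 8];
            nonce_bytes.copy_from_slice(&ciphertext[..8]);
            let nonce = u64::from_be_bytes(nonce_bytes);
            Some(xor_keystream(key, nonce, &ciphertext[8..]))
        }
    }

    /// PLACEHOLDER keystream: std's SipHash over (key, nonce, block index),
    /// 8 bytes per block. Not a real cipher; it only keeps the example
    /// dependency-free. Swap in an AEAD for anything beyond illustration.
    fn xor_keystream(key: &KeyMaterial, nonce: u64, data: &[u8]) -> Vec<u8> {
        data.chunks(8)
            .enumerate()
            .flat_map(|(i, chunk)| {
                let mut h = DefaultHasher::new();
                h.write(&key.0);
                h.write_u64(nonce);
                h.write_u64(i as u64);
                let ks = h.finish().to_le_bytes();
                chunk.iter().zip(ks.iter()).map(|(d, k)| d ^ k).collect::<Vec<u8>>()
            })
            .collect()
    }
}

// Untrusted host side: it sees a KeyId and bytes, never the key itself.
fn main() {
    let mut store = enclave::KeyStore::new();
    let id = store.generate_key([7u8; 32]); // constructed seed for the demo
    let ct = store.encrypt(id, b"card=4111").expect("known key");
    let pt = store.decrypt(id, &ct).expect("known key");
    println!("handle {:?}, {} ct bytes, roundtrip ok: {}", id, ct.len(), pt == b"card=4111");
}
```

The Rust-side guarantees are compile-time: writing `let copy = key_material.clone()` or `println!("{:?}", key)` outside the module does not build, and `KeyId` is the only thing the host can name. The SGX side then protects the same bytes at runtime from a root user or hypervisor reading enclave memory.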