|Constellation - The First Confidential Kubernetes|
|Written by Nikos Vaggalis|
|Tuesday, 13 September 2022|
Edgeless Systems secures cloud workloads with Constellation, the first runtime-encrypted Kubernetes distribution, able to run on a multitude of cloud providers.
Edgeless Systems is a pioneer in the world of Confidential Computing. Last year, in "EdgelessDB - Taking Database Security To The Next Level", I covered its security-oriented database, which is 100% compatible with MySQL and enhanced with confidential computing capabilities based on Intel SGX enclaves. There was a lot of terminology to assimilate in that article, so as a refresher:
An enclave, in simple terms, is a hardware-isolated region of memory that provides runtime protection of the code and data it encloses: the CPU keeps the enclave's memory encrypted and refuses access from the operating system, the hypervisor and any other code running outside the enclave. EdgelessDB uses it to execute trusted code in untrusted environments such as cloud platforms, and there is already an integration of EdgelessDB on the Azure platform. An enclave is not a separate chip; it is created and managed through instruction-set extensions of modern CPUs, in this case Intel SGX.
Confidential computing takes this one step further. Encrypting data at rest and in transit has long been standard practice; confidential computing adds protection for data in use, so that all three states are covered, including preventing unauthorized access and tampering at runtime. It also offers verifiability through remote attestation: the hardware signs a measurement of the code loaded into the enclave, so the user can be certain of talking to the genuine back end rather than an impostor, and that the back end is running the code it is supposed to run.
EdgelessDB guarantees these properties even when the database administrator is malicious, when an attacker has compromised the operating system or the hypervisor, when a privileged attacker is able to read the database's memory, and when the database runs on an untrusted host, such as in the cloud. It does so by placing sensitive data (tables, indexes and other metadata) in enclaves protected by trusted hardware, in this case Intel SGX. The whole database runs inside an enclave, and the data stored in EdgelessDB never touches outside memory or disk in plain text.
Now it's time for Kubernetes to get the same upgrade. Constellation applies confidential computing to Kubernetes clusters, allowing them to become verifiably shielded from the underlying cloud infrastructure and encrypted end-to-end. Its ultimate goal is to turn the public cloud into the safest place for sensitive data, for anyone. And anyone is really meant, since Constellation is open source, thus free and available on GitHub.
As in the case of EdgelessDB, Kubernetes users can now secure all their data - at rest, in transit and in use - preventing any access from the underlying infrastructure. That means that not even privileged cloud admins, datacenter employees or APTs (advanced persistent threats) that have gained a foothold in the infrastructure can access data inside Constellation at any time. You can thus move your sensitive workloads to the cloud and, since Constellation is open source, you also get the option to lower your costs and offer better quality and security to your SaaS customers.
Another boon is that Constellation avoids vendor lock-in: for the time being it works on Microsoft Azure and Google Cloud Platform, but support for OpenStack and other CSPs such as AWS is planned for the near future.
Finally, Constellation integrates with Sigstore as its verification engine, so that infrastructure components can be signed and those signatures checked before the components are trusted, securing the supply chain. I've written extensively about Sigstore, most recently in Protect The Software Supply Chain With Gitsign.
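To make the verifiability property concrete, here is a small added example of the attestation check a client performs before releasing secrets to a node. It is illustrative code written for this article, not Constellation's or EdgelessDB's implementation: the component names, the measurement layout, the nonce and the "hardware key" are all constructed, and an HMAC stands in for the hardware-rooted signature that a real CPU or TPM would produce over the report.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the hardware attestation key. In reality this is a
# CPU/TPM key whose certificate chains to the silicon vendor; the verifier
# only ever checks signatures made with it, it never uses it to sign.
_HW_KEY = b"demo-hardware-attestation-key"

# Constructed list of components a known-good node loads, in boot order.
KNOWN_GOOD_COMPONENTS = [
    b"firmware v1.0",
    b"kernel 5.15 (constellation image)",
    b"bootstrapper v2.0",
]


def extend(current, component):
    """Measured-boot style extend: new = SHA256(old || SHA256(component)).
    The result depends on every component and on the order they were loaded."""
    return hashlib.sha256(current + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components):
    """Fold the component list into a single 32-byte measurement."""
    measurement = bytes(32)
    for component in components:
        measurement = extend(measurement, component)
    return measurement


def issue_attestation(components, nonce):
    """Platform side: measure what was actually loaded and authenticate the
    report. The HMAC stands in for the hardware signature."""
    report = {
        "measurement": measure_boot_chain(components).hex(),
        "nonce": nonce.hex(),
    }
    body = json.dumps(report, sort_keys=True).encode()
    return {"report": report, "mac": hmac.new(_HW_KEY, body, hashlib.sha256).hexdigest()}


def verify_attestation(doc, expected_measurement, nonce):
    """Verifier side. Order matters: authenticate the report before believing
    any field in it, then check freshness, then compare against policy."""
    body = json.dumps(doc["report"], sort_keys=True).encode()
    expected_mac = hmac.new(_HW_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, doc["mac"]):
        return False, "signature invalid: report was not produced by trusted hardware"
    if not hmac.compare_digest(doc["report"]["nonce"], nonce.hex()):
        return False, "nonce mismatch: stale or replayed report"
    if not hmac.compare_digest(doc["report"]["measurement"], expected_measurement.hex()):
        return False, "measurement mismatch: node is not running the expected code"
    return True, "ok: node attested, safe to release secrets"


def demo():
    """Run the verifier against a genuine node and four kinds of bad node."""
    expected = measure_boot_chain(KNOWN_GOOD_COMPONENTS)
    # Constructed fixed nonce so the demo is reproducible; use os.urandom(16) in practice.
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")

    genuine = issue_attestation(KNOWN_GOOD_COMPONENTS, nonce)

    # A hypervisor-level attacker swapped in a patched kernel; the hardware still measures honestly.
    tampered = issue_attestation(
        [b"firmware v1.0", b"kernel 5.15 (backdoored)", b"bootstrapper v2.0"], nonce)

    # Same components loaded in a different order: the extend chain catches it.
    reordered = issue_attestation(list(reversed(KNOWN_GOOD_COMPONENTS)), nonce)

    # An attacker fabricates a report claiming the good measurement but cannot sign it.
    forged = {"report": dict(genuine["report"]), "mac": "00" * 32}

    return {
        "genuine": verify_attestation(genuine, expected, nonce),
        "tampered": verify_attestation(tampered, expected, nonce),
        "reordered": verify_attestation(reordered, expected, nonce),
        "forged": verify_attestation(forged, expected, nonce),
        # Replay: a once-valid report presented against a fresh challenge.
        "replayed": verify_attestation(genuine, expected, bytes(16)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The point the example makes is that the trust decision rests on two things the infrastructure provider cannot forge: the hardware-held signing key, and a measurement of the loaded code that the verifier compares against its own expectation. A compromised hypervisor can change what runs, but it cannot make the hardware report the old measurement, and it cannot replay an old report against a fresh nonce.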
To sum up, Constellation and EdgelessDB lower the barrier to security, providing us all with a gateway to the world of confidential computing - the future of cloud and data center infrastructure.
|Last Updated ( Tuesday, 13 September 2022 )|