Every industry has its own vocabulary, and cybersecurity is no exception. We explore the meaning of Trusted Execution Environments (TEE), containers, Hardware Security Modules (HSM) and more.
Chief Information Security Officers (CISOs) are used to working with technology that never stands still. As new standards and technologies are developed, software developers release new features and security solutions evolve, the vocabulary around them evolves too.
In this article, we break down the definitions of 13 terms used in the digital data protection industry.
Virtual machine & hypervisors
A virtual machine (VM) is a software-emulated computer system with its own operating system, virtual CPUs, memory, network interfaces and storage, created on a physical hardware machine (the host).
A hypervisor is the software layer that shares and divides the host's physical resources (CPU, memory, storage, devices) into smaller sets of virtual resources used by the operating system inside each VM, and that enforces isolation between VMs. It is not necessarily an operating system of its own: a type 1 hypervisor runs directly on the hardware, a type 2 hypervisor runs as a program on top of a host operating system.
Containers
Containers are often described as lightweight virtual machines, but the comparison is loose. A container packages an application together with all the libraries and dependencies it needs into one runtime bundle, yet every container on a host shares that host's operating-system kernel. Isolation comes from kernel features (namespaces, cgroups and capability restrictions on Linux), not from a hypervisor, so the kernel is part of the attack surface shared by all containers on the node, and a kernel vulnerability reachable from one container threatens all of them.
Containers solve the problem of getting software to run reliably when it is moved from one computing environment to another: from a developer's laptop to a test environment, from a staging environment into production, or from a physical machine in a data center to a virtual machine in a private or public cloud.
Container runtime
A container runtime (also called a container engine) is the software that runs containers on an operating system: it accepts requests to create, start and stop containers and is responsible for running their processes.
The container runtime manages the individual containers running on every compute node in the cluster.
Docker was one of the first open source container runtimes and was for a long time the default in Kubernetes, which has since moved to runtimes that implement its Container Runtime Interface (CRI). Today runc, the reference implementation of the OCI runtime specification, is the most widely used low-level runtime: higher-level runtimes such as containerd and CRI-O call it to create each container, and it is also the runtime used with ARCA Trusted OS.
Kubernetes
Kubernetes is a container orchestration system that automatically deploys, scales and manages containerized applications. It runs heterogeneous, mutually isolated applications without needing to know their internal details.
Kubernetes also lets you run your applications on many compute nodes (e.g. a cluster of ARCA Trusted OS nodes) as if all those nodes were a single, enormous machine.
Kubernetes does not run containers directly; it wraps one or more containers into a higher-level unit called a pod. Containers in the same pod share one network namespace (a single IP address and a common localhost) and can share storage volumes, so they communicate as though they were on the same machine while keeping their own filesystems and process spaces. Because the pod is the unit of scheduling, it is also the unit at which to think about isolation: a compromised container can reach the other containers in its pod over localhost without any network policy in the way.
Data in use
In computing, data exists in three states: in transit, at rest and in use. In a world where we constantly store, consume and share sensitive data, protecting it in all three states is more critical than ever. Data is commonly encrypted at rest (in storage) and protected by TLS (formerly SSL) or a VPN in transit across a network, but not while in use: to be processed it has to sit in plaintext in memory and CPU registers, where the operating system, the hypervisor, privileged administrators and any malware running with sufficient privilege can read it. Protecting the third state, data in use, is the newest frontier.
There have been several high-profile memory-scraping attacks, such as the 2013 breach of Target, where point-of-sale malware read card data out of the memory of the payment application, as well as a range of CPU side-channel attacks. Other high-profile attacks involving malware injection, such as Triton and the attacks on the Ukrainian power grid, have highlighted how exposed running code and data are once an attacker has a foothold on the host, and therefore the need to protect the third state of data.
Hardware Security Module (HSM)
A Hardware Security Module (HSM) generates, stores and manages cryptographic keys and performs cryptographic operations (signing, encryption, key derivation) inside a hardened, tamper-resistant physical device, so that secret and private keys never leave the device in clear. HSMs protect transactions, identities and applications across a wide range of use cases. Many HSMs do not keep every application key in their limited internal storage; instead they wrap (encrypt) application keys under a master key that never leaves the device, so the wrapped keys can be stored outside the HSM and are only usable after being unwrapped inside it again.
Trusted Computing Base (TCB)
A Trusted Computing Base (TCB) is the set of all hardware, firmware and software components on which a system's security depends: a flaw in, or compromise of, any component inside the TCB can break the security guarantees, which is why a TCB should be kept as small as possible. In the confidential computing setting of ARCA Trusted OS, the TCB is what protects the VM from an attacker on the cloud service provider (CSP) side as well as from an attacker coming from the application level, both while the VM is running and while it is stopped.
If the ARCA Trusted OS VM boots successfully, the integrity of its TCB has been checked along the way: with secure boot, a modified kernel or system image would have been refused at boot rather than loaded.
Trusted Execution Environment (TEE)
A TEE works as a kind of invisibility cloak for code and data. It is not a separate chip but an isolated execution environment (an enclave or a confidential VM) carved out by the main processor: its memory is encrypted with keys held in hardware, the CPU enforces that software outside the TEE cannot read or modify its contents, and attestation lets a relying party verify which code is running inside the TEE before entrusting it with secrets.
Even while the application is running, the data and code loaded in the TEE stay encrypted in memory and are decrypted only inside the processor, so they are not readable by anything outside the TEE: the cloud provider, other virtual machines, a malicious system administrator, or the host operating system and hypervisor. The code inside the TEE still processes plaintext, however, so a bug in that code, or a side-channel leak, remains in scope: a TEE shrinks the TCB to the hardware plus what you load into it, it does not make the workload itself bug-free.
Key Management Service
A Key Management Service (KMS) creates, stores, rotates and manages the cryptographic keys used to encrypt or digitally sign your data.
It also centralises control over key usage (which application may use which key for which operation) across platforms and applications.
A hardware-based cryptographic engine is also very useful for compliance: when a certified solution encrypts sensitive data, you can be confident in your ability to comply with stringent data protection regulations, especially when you manage keys for many different applications and cover the entire data encryption lifecycle: at rest, in transit and in use.
In practice, ARCA Trusted OS features a cryptographic service with a certified backend, which can be either an HSM (Hardware Security Module) or a software implementation. For critical workloads, or applications that rely heavily on cryptographic primitives, an HSM is typically preferred.
In addition, ARCA provides a cryptographic API that can be integrated easily into your critical workloads and applications.
The cryptographic API covers encryption, signing and access control; it is designed to prevent eavesdropping on API calls and unauthorized access to cryptographic material, and it provides simplified access to an HSM.
Through the API you get access to all the cryptographic primitives the underlying cryptographic engine provides.
Containerized applications reach the cryptographic API over a KMS gRPC interface, for which client code can be generated in many programming languages.
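To make the HSM and KMS sections above concrete, here is an added example (written for this page, not ARCA's cryptographic API nor any vendor's code) of envelope encryption behind an HSM-style key boundary: master keys never leave the `Hsm` object, applications only ever hold wrapped data keys, and rotating a master key rewraps the small data key without touching the bulk ciphertext. The `Hsm` class, the handle names and the card record are constructed for the example; the authenticated cipher is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for the AES-GCM or AES key-wrap primitives a real HSM would use.

```python
"""Envelope encryption behind an HSM-style key boundary (illustrative, stdlib only)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; stand-in for AES-GCM. Output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time, and checked before any decryption
        raise ValueError("authentication failed: ciphertext or wrapped key was tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class Hsm:
    """Constructed model of the HSM boundary: master keys live only here and are never returned."""

    def __init__(self) -> None:
        self._master_keys: dict[str, bytes] = {}

    def create_master_key(self, handle: str) -> str:
        self._master_keys[handle] = os.urandom(32)
        return handle  # callers get an opaque handle, never the key bytes

    def destroy_master_key(self, handle: str) -> None:
        del self._master_keys[handle]

    def generate_data_key(self, handle: str) -> tuple[bytes, bytes]:
        """Fresh data encryption key (DEK), returned in clear and wrapped under the master key."""
        dek = os.urandom(32)
        return dek, aead_encrypt(self._master_keys[handle], dek)

    def unwrap_data_key(self, handle: str, wrapped_dek: bytes) -> bytes:
        return aead_decrypt(self._master_keys[handle], wrapped_dek)

    def rewrap_data_key(self, old_handle: str, new_handle: str, wrapped_dek: bytes) -> bytes:
        """Master-key rotation: the DEK is unwrapped and rewrapped inside the HSM, never exposed."""
        dek = aead_decrypt(self._master_keys[old_handle], wrapped_dek)
        return aead_encrypt(self._master_keys[new_handle], dek)


def encrypt_record(hsm: Hsm, handle: str, plaintext: bytes) -> dict[str, bytes]:
    """Application side: one DEK per record, stored next to the data in wrapped form only."""
    dek, wrapped_dek = hsm.generate_data_key(handle)
    return {"wrapped_dek": wrapped_dek, "ciphertext": aead_encrypt(dek, plaintext)}


def decrypt_record(hsm: Hsm, handle: str, record: dict[str, bytes]) -> bytes:
    dek = hsm.unwrap_data_key(handle, record["wrapped_dek"])
    return aead_decrypt(dek, record["ciphertext"])


def rotate_record(hsm: Hsm, old_handle: str, new_handle: str, record: dict[str, bytes]) -> dict[str, bytes]:
    """Rotation touches only the wrapped DEK; the bulk ciphertext is left as it is."""
    return {"wrapped_dek": hsm.rewrap_data_key(old_handle, new_handle, record["wrapped_dek"]),
            "ciphertext": record["ciphertext"]}


def demo() -> dict[str, bool]:
    secret = b"card=4111111111111111 exp=12/26"  # constructed sample record
    hsm = Hsm()
    hsm.create_master_key("cmk-2023")
    record = encrypt_record(hsm, "cmk-2023", secret)
    results = {"roundtrip": decrypt_record(hsm, "cmk-2023", record) == secret}
    # Flip one bit of the stored blob: the tag check must reject it before any plaintext is produced.
    tampered = dict(record, ciphertext=record["ciphertext"][:-1] + bytes([record["ciphertext"][-1] ^ 1]))
    try:
        decrypt_record(hsm, "cmk-2023", tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    hsm.create_master_key("cmk-2024")
    rotated = rotate_record(hsm, "cmk-2023", "cmk-2024", record)
    hsm.destroy_master_key("cmk-2023")
    results["rotated_ciphertext_unchanged"] = rotated["ciphertext"] == record["ciphertext"]
    results["decrypts_after_rotation"] = decrypt_record(hsm, "cmk-2024", rotated) == secret
    return results
```

The point to take from the structure rather than the toy cipher: everything a database or application stores is either ciphertext or a wrapped key, and the only code path that sees the master key is inside the HSM boundary, so a dump of the application's storage is useless without a call into the HSM, which is exactly where access control and audit logging belong.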
Hardening
Hardening is the process of securing a system, in particular by reducing its attack surface, which grows with the number of functions the system performs: every unused service, package or privilege is a potential vulnerability. Protection is applied in layers: the physical level, the host level, the operating system level, the application level, the user level and all the sublevels in between. Each level requires its own security methods.
ARCA is a hardened OS featuring full-disk encryption, read-only system images and secure boot: only kernels and system images signed by a trusted key can boot on the ARCA operating system.
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a secure cryptoprocessor chip designed to anchor platform security in cryptographic keys that are generated and kept inside the chip. It also records measurements of the system state: hashes of the firmware, bootloader, kernel and other components are extended into its Platform Configuration Registers (PCRs) as they load, and the TPM releases secrets that were sealed to a given state only while the current PCR values match it.
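The measurement and sealing behaviour described above, and the earlier claim that a successful boot says something about the TCB, are easiest to see in code. The following is an added example written for this page, not TPM firmware and not ARCA code: the `Tpm` class, the boot chains and the disk key are constructed stand-ins, while the PCR extend rule and the "unseal only if the PCR matches" policy are the ones a real TPM 2.0 applies.

```python
"""Measured boot with TPM-style PCR extend and PCR-sealed secrets (illustrative model)."""
import hashlib
import hmac
from typing import Optional

PCR_SIZE = 32  # one SHA-256 PCR


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR_new = SHA-256(PCR_old || SHA-256(component)).

    One-way and order-dependent: the only way to reproduce a PCR value is to measure exactly
    the same components in exactly the same order. A PCR is never written, only extended, so a
    later stage cannot erase what an earlier stage recorded.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def expected_pcr(chain: list[bytes]) -> bytes:
    """The 'golden' value a verifier expects for a known-good boot chain."""
    pcr = bytes(PCR_SIZE)  # PCRs are all zeros after a platform reset
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr


class Tpm:
    """Constructed model: one PCR plus objects sealed to a required PCR value."""

    def __init__(self) -> None:
        self.pcr = bytes(PCR_SIZE)
        self._sealed: dict[str, tuple[bytes, bytes]] = {}

    def reset(self) -> None:
        self.pcr = bytes(PCR_SIZE)

    def extend(self, component: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, component)

    def seal(self, name: str, secret: bytes, policy_pcr: bytes) -> None:
        """Keep the secret together with the PCR value that must be present at unseal time."""
        self._sealed[name] = (policy_pcr, secret)

    def unseal(self, name: str) -> bytes:
        policy_pcr, secret = self._sealed[name]
        if not hmac.compare_digest(policy_pcr, self.pcr):
            raise PermissionError("PCR policy mismatch: platform is not in the sealed state")
        return secret


def boot(tpm: Tpm, chain: list[bytes]) -> None:
    """Each boot stage measures the next one into the TPM before handing over control."""
    tpm.reset()
    for component in chain:
        tpm.extend(component)


# Constructed boot chains; in reality each entry is the bytes of the firmware, bootloader,
# kernel or system image (or the hash the previous stage computed over it).
TRUSTED_CHAIN = [b"firmware 1.4", b"bootloader 2.06", b"kernel 6.1.0 signed", b"system-image ro 2023.09"]
TAMPERED_CHAIN = [b"firmware 1.4", b"bootloader 2.06", b"kernel 6.1.0 backdoored", b"system-image ro 2023.09"]
REORDERED_CHAIN = [b"firmware 1.4", b"kernel 6.1.0 signed", b"bootloader 2.06", b"system-image ro 2023.09"]

DISK_KEY = b"\x11" * 32  # constructed: a full-disk-encryption key to be released only after a trusted boot


def provision(tpm: Tpm) -> None:
    """Done once on a known-good system: seal the disk key to the golden PCR value."""
    tpm.seal("disk-key", DISK_KEY, expected_pcr(TRUSTED_CHAIN))


def try_unseal_after_boot(tpm: Tpm, chain: list[bytes]) -> Optional[bytes]:
    """Boot the given chain and ask the TPM for the disk key; None means the TPM refused."""
    boot(tpm, chain)
    try:
        return tpm.unseal("disk-key")
    except PermissionError:
        return None


def attacker_can_repair_pcr(tpm: Tpm) -> bool:
    """After a tampered boot, try to extend the PCR back to the golden value (this cannot work)."""
    boot(tpm, TAMPERED_CHAIN)
    for attempt in (b"kernel 6.1.0 signed", b"", bytes(PCR_SIZE), expected_pcr(TRUSTED_CHAIN)):
        tpm.extend(attempt)
        if tpm.pcr == expected_pcr(TRUSTED_CHAIN):
            return True
    return False


def demo() -> dict[str, bool]:
    tpm = Tpm()
    provision(tpm)
    return {
        "trusted_boot_releases_key": try_unseal_after_boot(tpm, TRUSTED_CHAIN) == DISK_KEY,
        "tampered_kernel_refused": try_unseal_after_boot(tpm, TAMPERED_CHAIN) is None,
        "reordered_chain_refused": try_unseal_after_boot(tpm, REORDERED_CHAIN) is None,
        "pcr_cannot_be_repaired": not attacker_can_repair_pcr(tpm),
    }
```

Two things the model makes visible. Secure boot and measured boot are complementary: secure boot refuses to load a component whose signature does not verify, measured boot records whatever did load so that the TPM (locally, through sealing) or a remote verifier (through attestation of the PCR values) can decide whether to trust the platform. And the PCR value itself is public; the protection comes from it being unforgeable, which is why a real deployment seals to several PCRs (firmware, bootloader, kernel command line, system image) rather than one, and why a change to any of them means re-provisioning.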
Unified Extensible Firmware Interface (UEFI)
The Unified Extensible Firmware Interface (UEFI) is a publicly available specification that defines the software interface between an operating system and the platform firmware involved in the startup process. UEFI replaces the legacy BIOS; its Secure Boot feature is what lets the firmware verify the signature of each boot component before executing it.
Confidential computing
Today, much information sits in the cloud. Encryption is key to protecting that data, but until recently it only covered data in transit (en route from one device or environment to another) and data at rest (in storage). While data was in use, being processed, it could not be encrypted, or the application would not have been able to work with it.
Confidential computing protects data even while it is in use. Rather than encrypting the data at the application level, it sequesters the data and the code processing it in a TEE that only the authorized application can enter: the TEE's memory is encrypted by the hardware, so not even an administrator with full access to the server running the TEE can read the data.