Posted by Vishal Gupta on July 10th, 2020
Organizations are embracing the power of Function-as-a-Service (FaaS). FaaS can be viewed as a natural next step after years of enterprise data successfully migrating to, and operating in, public clouds. AWS Lambda, Azure Functions and Google Cloud Functions are today's market-leading platforms for enterprises to realize the power and benefits of FaaS.
FaaS likely won't replace all of an enterprise's IT functions in public clouds, but moving most stateless business operations to FaaS can help organizations realize economies of scale and ROI from their public cloud deployments. With FaaS emerging on the scene, however, organizations may wonder how best to protect their cloud data and orchestrate security in public clouds.
Enterprise key management services powered by secure enclaves are an effective approach not only to securely executing programs and business logic in a FaaS environment, but also to protecting the entire execution, giving it the confidentiality guarantees of confidential computing. Secure enclaves let an enterprise key management service protect data not only at rest and in transit, but also during runtime, while it is in use: the enclave's memory is encrypted and isolated by the CPU, so the data stays protected even if the host operating system, hypervisor or cloud operator is compromised. The enclave does not protect against a compromise of the CPU itself, which is why the attestation that identifies an enclave must chain back to the hardware vendor. This lets organizations leverage the benefits of public clouds without making their security in the cloud public.
As a rule, enterprise key management services should be highly scalable and have built-in high availability and disaster recovery support. In addition, organizations looking to achieve the benefits of secure Function-as-a-Service should consider enterprise key management services that have the following features:
Enterprise key management services are powerful technologies for confidential computing that can help organizations decentralize their most sensitive business logic and execute it inside secure enclaves, outside the cloud provider's trust boundary, in a completely confidential manner. Popular use cases demonstrating how organizations are realizing these benefits today include:
A large financial firm uploads its customers' credit history and private data into AWS S3 buckets, protected by client-side encryption using an enterprise key management service. With this approach it can run confidential credit forecasting logic based on historical trends for each customer, and the data remains protected at every stage of the analysis: at rest, in transit and during runtime, since it is decrypted only inside the enclave. The steps below give an example of how confidential computing can help protect private financial data:
A global healthcare organization stores customers' SSNs in BigQuery, encrypted by an enterprise key management service. Before approving a customer's health record, its fraud detection application needs to compare the customer's SSN with SSNs that may have been compromised recently, so the organization must obtain the list of breached SSNs from a reputable third-party vendor. Without confidential computing, such a comparison in the public cloud would expose both the customer's SSN and the vendor's list in plaintext to the cloud environment. The steps below show how an enterprise key management service can help the health organization avoid this risk:
A Fortune 50 bank uses both AWS and Azure to serve customers, running workloads across many regions. Its applications deployed in AWS and Azure talk to each other over TLS. However, in certain transactions the bank needs to transfer customers' PINs from AWS to Azure. For security, the PIN not only needs to be encrypted with an AES key, but also needs to be tokenized before it is received by the customer-facing application hosted in Azure, so that the receiving application never handles the raw PIN. The steps below give an example of how confidential computing can help this bank with this secure transaction:
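The mechanism all three use cases rely on is the same: the key management service releases a data key only to an enclave whose attested measurement matches a release policy, so plaintext exists only inside the enclave and only the computed result leaves it. The following is an added example of that pattern, not code from the original post or from any vendor's product. It simulates the healthcare SSN check: the KMS, the enclave, the "hardware" attestation key and the measurement function are stand-ins (real systems use the CPU's attestation, e.g. SGX MRENCLAVE and a vendor-certified signing key), the data is constructed, and the cipher is an HMAC-SHA256 counter-mode stream with an HMAC tag so the example runs on the standard library alone; use a real AEAD such as AES-GCM in practice. The same gate applies to the financial-forecasting and PIN-transfer cases, with different functions behind it.

```python
# Added example (not the post's own code): attestation-gated key release.
# KMS, enclave, attestation key and measurement are simulations with
# illustrative names; the cipher is a stdlib stand-in for AES-GCM.
import hashlib
import hmac
import secrets


def derive_subkeys(dek: bytes):
    """Split one data-encryption key into independent encryption and MAC keys."""
    return (hmac.new(dek, b"enc", "sha256").digest(),
            hmac.new(dek, b"mac", "sha256").digest())


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for AES-CTR)."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Use a real AEAD in production."""
    enc_key, mac_key = derive_subkeys(dek)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def decrypt(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything tampered."""
    enc_key, mac_key = derive_subkeys(dek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def measure(fn) -> bytes:
    """Stand-in for an enclave measurement (SGX MRENCLAVE): hash of the code that will run."""
    code = fn.__code__
    return hashlib.sha256(code.co_code + repr(code.co_consts).encode()).digest()


# Hypothetical attestation key; in reality a per-CPU key certified by the hardware vendor.
HARDWARE_ATTESTATION_KEY = secrets.token_bytes(32)


class KeyManagementService:
    """Holds keys; releases each only to enclaves whose measurement is on that key's policy."""
    def __init__(self):
        self._keys, self._policy = {}, {}

    def create_key(self, key_id: str, allowed_measurements) -> bytes:
        self._keys[key_id] = secrets.token_bytes(32)
        self._policy[key_id] = set(allowed_measurements)
        return self._keys[key_id]  # data owner uses it for client-side encryption before upload

    def release_key(self, key_id: str, report: dict) -> bytes:
        expected = hmac.new(HARDWARE_ATTESTATION_KEY, report["measurement"], "sha256").digest()
        if not hmac.compare_digest(expected, report["report_mac"]):
            raise PermissionError("attestation report not signed by trusted hardware")
        if report["measurement"] not in self._policy[key_id]:
            raise PermissionError(f"enclave not authorised for key {key_id}")
        return self._keys[key_id]


class Enclave:
    """Runs exactly one function; its attestation report commits to that function's measurement."""
    def __init__(self, fn):
        self.fn, self.measurement = fn, measure(fn)

    def attest(self) -> dict:
        mac = hmac.new(HARDWARE_ATTESTATION_KEY, self.measurement, "sha256").digest()
        return {"measurement": self.measurement, "report_mac": mac}

    def run(self, kms, key_ids, *args):
        # Keys exist in plaintext only inside the enclave, and only after attestation succeeds.
        keys = {kid: kms.release_key(kid, self.attest()) for kid in key_ids}
        return self.fn(keys, *args)


def breached_ssn_check(keys, encrypted_record: bytes, encrypted_breach_list: bytes) -> bool:
    """Confidential function: both inputs are decrypted only here; only a boolean leaves."""
    ssn = decrypt(keys["customer-records"], encrypted_record)
    breached = decrypt(keys["vendor-breach-list"], encrypted_breach_list).split(b"\n")
    return ssn in breached


def leaky_ssn_check(keys, encrypted_record: bytes, encrypted_breach_list: bytes) -> bytes:
    """A modified function that would return the raw SSN: different measurement, so no key release."""
    return decrypt(keys["customer-records"], encrypted_record)


def demo():
    kms = KeyManagementService()
    enclave = Enclave(breached_ssn_check)
    # Policy: only the audited breach-check function may receive these keys.
    record_key = kms.create_key("customer-records", [enclave.measurement])
    list_key = kms.create_key("vendor-breach-list", [enclave.measurement])
    # Constructed sample data: one customer record and the vendor's breach list.
    encrypted_record = encrypt(record_key, b"123-45-6789")
    encrypted_list = encrypt(list_key, b"987-65-4321\n123-45-6789\n555-55-5555")
    hit = enclave.run(kms, ["customer-records", "vendor-breach-list"], encrypted_record, encrypted_list)
    try:
        Enclave(leaky_ssn_check).run(kms, ["customer-records"], encrypted_record, encrypted_list)
        leak_blocked = False
    except PermissionError:
        leak_blocked = True
    return hit, leak_blocked
```

Running `demo()` returns `(True, True)`: the audited function learns that the SSN is on the breach list, while the modified function that would return the raw SSN has a different measurement and is refused the key. Two points carry over to real deployments: the release policy must name the measurement of the exact code you audited, and the attestation verification (here a shared HMAC key) must in practice verify a signature chain rooted at the CPU vendor, since a forged report is equivalent to a stolen key.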
Providing a trusted execution environment for functions is a valuable feature of enterprise key management services: it not only offers enterprises flexible key management and comprehensive data protection, but also gives them a way to apply on-demand confidentiality to multi-cloud workloads, even for the most sensitive business logic. With enterprise key management services, organizations can be assured that their data and applications stay confidential in public clouds, even if the host infrastructure beneath them is compromised.