THALES BLOG

Sensitive data in the cloud: How can companies leverage the benefits without risking security?

September 3, 2024

Thales | Cloud Protection & Licensing Solutions

Contributors:
Michael Hutchinson - Principal Engineer, Innovation and Strategy, Thales
Moritz Eckert - Chief Architect, Edgeless Systems

In an era of increasingly sophisticated data breaches and cyber threats, companies are rightfully concerned about moving sensitive data to the cloud. The benefits of cloud infrastructure, such as scalability, cost-efficiency, and accessibility, are clear. But how can organizations enjoy these advantages without compromising on security? The answer lies in adopting Edgeless Systems' confidential-computing software Constellation, with added data protection from Thales' CipherTrust Data Security Platform (CDSP).

What is confidential computing?

Confidential computing is a breakthrough technology that addresses one of the most pressing concerns in cloud security: protecting data while it is being processed. Traditional encryption methods secure data at rest and in transit, but data must be decrypted for processing, which exposes it to potential threats. Confidential computing solves this by processing data inside a Trusted Execution Environment (TEE), so that it remains protected at all times. Unlike other privacy-enhancing technologies, confidential computing has a negligible impact on performance, making it suitable for enterprise applications. Additionally, confidential computing features are already available in standard server CPUs from various chipset manufacturers.

Constellation, the first always-encrypted Kubernetes

One of the leading solutions in this space is Constellation by Edgeless Systems, an open-source, CNCF-certified Kubernetes distribution that protects an entire cluster from the underlying cloud infrastructure. Constellation leverages Confidential VMs (CVMs) to encrypt data in use, providing unparalleled levels of security. It goes beyond protecting single services with a CVM, as cloud service providers (CSPs) offer, and instead takes a holistic approach that includes confidential networking with attested TLS (aTLS), transparently encrypted persistent storage, and whole-cluster attestation. For more technical details, please refer to the Constellation documentation.
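To make the attestation step concrete, here is an added example of the relying-party side of remote attestation as used by attested TLS: a verifier holds a policy of expected measurements, receives a signed report from a Confidential VM, and accepts the peer only if the signature, freshness nonce and claims all check out. This is not Constellation's code; the claim names, the policy fields and the HMAC-based "vendor signature" are constructed stand-ins (a real report is signed by a CPU-held key that chains to the hardware vendor's certificate root).

```python
"""Relying-party side of remote attestation (constructed example).

A verifier holds a policy of expected measurements, receives a signed
attestation report from a Confidential VM, and only trusts the workload
(e.g. completes an attested-TLS handshake) when the report checks out.
The vendor signature is modelled with HMAC-SHA256 as a stand-in.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# Constructed stand-in for the vendor's report-signing key (not a real key).
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


@dataclass(frozen=True)
class Policy:
    """What the verifier is willing to accept (field names are assumptions)."""
    launch_measurement: str  # hex digest of the expected node image
    min_tcb_version: int     # reject firmware/microcode older than this
    debug_allowed: bool = False


def _canonical(claims: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_report(claims: dict, key: bytes = VENDOR_SIGNING_KEY) -> dict:
    """Simulate the CVM producing a signed report over its claims."""
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_report(report: dict, policy: Policy, nonce: bytes,
                  key: bytes = VENDOR_SIGNING_KEY) -> tuple[bool, str]:
    """Return (accepted, reason). Order matters: authenticate the report
    first, then check freshness, then compare the claims against policy."""
    claims = report.get("claims", {})
    expected_sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report.get("sig", "")):
        return False, "signature invalid"
    # The nonce binds this report to the current handshake, so a report
    # captured from an earlier, genuine session cannot be replayed.
    if claims.get("nonce") != nonce.hex():
        return False, "nonce mismatch"
    if claims.get("launch_measurement") != policy.launch_measurement:
        return False, "launch measurement not in policy"
    if claims.get("tcb_version", 0) < policy.min_tcb_version:
        return False, "TCB version below minimum"
    if claims.get("debug", False) and not policy.debug_allowed:
        return False, "debug mode enabled"
    return True, "ok"


# Constructed sample data: the expected image digest and the verifier policy.
EXPECTED_IMAGE = hashlib.sha256(b"constructed-node-image-v1").hexdigest()
POLICY = Policy(launch_measurement=EXPECTED_IMAGE, min_tcb_version=7)


def run_checks(nonce: bytes | None = None) -> dict:
    """Exercise the verifier with one genuine report and three bad ones."""
    nonce = nonce or os.urandom(32)
    good = {"launch_measurement": EXPECTED_IMAGE, "tcb_version": 8,
            "debug": False, "nonce": nonce.hex()}
    results = {"genuine": verify_report(issue_report(good), POLICY, nonce)}

    # Claims modified after signing: the signature no longer matches.
    tampered = issue_report(good)
    tampered["claims"] = dict(good, tcb_version=99)
    results["tampered"] = verify_report(tampered, POLICY, nonce)

    # Correctly signed, but for an image the policy does not list.
    other = dict(good, launch_measurement=hashlib.sha256(b"unknown-image").hexdigest())
    results["wrong_image"] = verify_report(issue_report(other), POLICY, nonce)

    # A genuine report from an earlier handshake, presented against a fresh nonce.
    results["replayed"] = verify_report(issue_report(good), POLICY, os.urandom(32))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_checks().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The check order is deliberate: nothing in the claims is trusted until the signature is verified, and the nonce check is what makes whole-cluster attestation robust against replay of an old but genuine report.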

Secure Data Protection with CipherTrust

Poor data protection practices can result in vulnerabilities and data breaches. Therefore, it's crucial to have a strong and efficient system in place. Integrating a third-party key management system (KMS) with a Kubernetes environment adds an extra layer of defense: data security stays under the customer's control because the encryption keys are kept outside the public cloud environment where the data is hosted and processed.

Thales' CipherTrust Data Security Platform (CDSP) delivers enterprise-ready security across multiple cloud environments, allowing organizations to centrally manage their own Data Protection and encryption keys.

By integrating CDSP with Constellation, companies can improve their overall data security by applying key management best practices such as key rotation (periodically changing encryption keys to minimize risk) and key deprecation (properly retiring old or unused keys to prevent potential misuse). The integration supports day-2 operations, the ongoing management and optimization tasks required after the initial deployment of a system or product. These include monitoring, updating, and maintaining the key management system to ensure continuous security and compliance with evolving standards and regulations.
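The following added example shows what key rotation and key deprecation mean in practice for envelope encryption: a key ring holds versioned key-encryption keys (KEKs), only the active version may wrap data-encryption keys (DEKs), older versions stay decrypt-only so existing data remains readable until it is re-wrapped, and a deprecated version can do neither. This is not CDSP's or Constellation's code; the `KeyRing` class, its state names and the wrap primitive (an HMAC-SHA256 keystream with a MAC, used as a standard-library stand-in for the AES-GCM a real KMS would use) are all constructed for illustration.

```python
"""Key rotation and deprecation for envelope encryption (constructed example).

KeyRing holds versioned KEKs. The active version wraps DEKs, decrypt-only
versions may still unwrap, and deprecated versions are refused entirely.
wrap_with/unwrap_with are a stdlib stand-in for AES-GCM key wrapping.
"""
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(kek: bytes) -> tuple[bytes, bytes]:
    # Separate keys for confidentiality and integrity, derived from the KEK.
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_with(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc, mac = _subkeys(kek)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(dek, _keystream(enc, nonce, len(dek))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_with(kek: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrapped key failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def tamper_detected(kek: bytes, blob: bytes) -> bool:
    """True if flipping one ciphertext bit is caught by the MAC."""
    damaged = bytearray(blob)
    damaged[NONCE_LEN] ^= 0x01
    try:
        unwrap_with(kek, bytes(damaged))
    except ValueError:
        return True
    return False


class KeyRing:
    """Versioned KEKs with states: active -> decrypt-only -> deprecated."""

    def __init__(self) -> None:
        self._keys: dict[int, bytes] = {}
        self._state: dict[int, str] = {}
        self.active: int | None = None

    def rotate(self) -> int:
        """Create a new version and make it the only one allowed to wrap."""
        new = (self.active or 0) + 1
        self._keys[new] = os.urandom(32)
        self._state[new] = "active"
        if self.active is not None:
            self._state[self.active] = "decrypt-only"
        self.active = new
        return new

    def deprecate(self, version: int) -> None:
        """Retire a version; the active key can never be retired directly."""
        if version == self.active:
            raise ValueError("rotate before deprecating the active version")
        self._state[version] = "deprecated"

    def wrap(self, dek: bytes) -> tuple[int, bytes]:
        assert self.active is not None, "call rotate() once before wrapping"
        return self.active, wrap_with(self._keys[self.active], dek)

    def unwrap(self, version: int, blob: bytes) -> bytes:
        if self._state.get(version) not in ("active", "decrypt-only"):
            raise PermissionError(f"KEK v{version} is {self._state.get(version, 'unknown')}")
        return unwrap_with(self._keys[version], blob)

    def rewrap(self, version: int, blob: bytes) -> tuple[int, bytes]:
        """Move a wrapped DEK to the active version (a day-2 rotation task)."""
        return self.wrap(self.unwrap(version, blob))


def lifecycle_demo() -> dict:
    ring = KeyRing()
    v1 = ring.rotate()
    dek = os.urandom(32)
    ver, blob = ring.wrap(dek)                  # wrapped under v1
    v2 = ring.rotate()                          # v1 becomes decrypt-only
    readable = ring.unwrap(ver, blob) == dek    # old data still readable
    new_ver, new_blob = ring.rewrap(ver, blob)  # now under v2
    ring.deprecate(v1)                          # v1 refused from here on
    try:
        ring.unwrap(ver, blob)
        old_after_deprecate = "allowed"
    except PermissionError:
        old_after_deprecate = "denied"
    return {"first": v1, "second": v2, "readable_after_rotate": readable,
            "rewrapped_under": new_ver,
            "rewrapped_ok": ring.unwrap(new_ver, new_blob) == dek,
            "old_after_deprecate": old_after_deprecate}


if __name__ == "__main__":
    print(lifecycle_demo())
```

The sequence in `lifecycle_demo` is the safe order for day-2 key operations: rotate first, re-wrap everything that still depends on the old version, and only then deprecate it, so that no stored DEK is ever left wrapped under a key that can no longer unwrap it.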

Achieving an all-around secure cloud posture

By working with Edgeless Systems and using CipherTrust, customers can ensure that their data is protected from all other parties, including at runtime and even in the cloud, by leveraging confidential computing technology through Constellation and keeping their keys secure with CipherTrust. This enables customers to fully embrace the benefits of the cloud with confidence that their data is secure.