Juan F. Conde
Wonkish: Trusted Execution Environments.
Updated: Sep 2, 2022
Expanding pressures to secure your most sensitive data while enabling it for legitimate use require investing in a new set of technologies that protect your data within Trusted Execution Environments (TEEs).
TEEs are physically isolated in a secure area, which guarantees that the processing and data loaded into them will be protected.
How can the use of a TEE assist you in securing your most sensitive data?
Utilize the TEE for your distributed security kernel architecture and perform your sensitive cryptographic operations within that environment. The security kernel should be small and simple so as to promote ease of review for accuracy and to present a minimal attack surface.
Operations such as encryption, digital signatures, and hashing involve secrets. Protecting those secrets is critical to preserving the fidelity of these cryptographic operations, and TEEs can help by providing features such as extra isolation from the host environment.
However, protecting the execution of the cryptographic algorithms alone is not enough. Applications that need to leverage the secured algorithms must be able to do so with assurance that the algorithms are what they purport to be, have not been tampered with, and are not vulnerable to eavesdropping. The fundamental property that provides this assurance is TEE Remote Attestation.
Attestation is a two-part process: certification of an image built by a secure, continuous-integration-driven process, and runtime verification once the image has been deployed into an environment.
The glue that binds these two operations together is a “measurement” that can be obtained and correlated reliably between the image that was produced and the service that is actually running the image. Such a measurement is cryptographically tied to the image and can be computed within the TEE deterministically both at build-time and run-time.
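As an added illustration (not code from this article or from Manetu), the Python sketch below walks through the two parts of attestation described above: build-time certification of a measurement and run-time verification of a report that carries it. The function names, the SHA-384 digest, the verifier nonce, and the HMAC key standing in for a hardware-rooted signing key are assumptions made to keep the example self-contained.

```python
import hashlib, hmac, json, secrets

# Assumption: stand-in for the hardware-rooted attestation key. Real TEEs sign reports
# with an asymmetric key chained to the CPU vendor; HMAC keeps this sketch stdlib-only.
HW_KEY = secrets.token_bytes(32)

def measure(image: bytes) -> str:
    """Deterministic measurement: the same bytes give the same digest at build and run time."""
    return hashlib.sha384(image).hexdigest()

def certify(image: bytes, certified: set) -> str:
    """Part 1 (build time): the CI pipeline records the measurement of the image it built."""
    m = measure(image)
    certified.add(m)
    return m

def tee_report(loaded_image: bytes, nonce: str) -> dict:
    """Simulates the TEE: measure what was actually loaded and bind it to the verifier's nonce."""
    body = {"measurement": measure(loaded_image), "nonce": nonce}
    mac = hmac.new(HW_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256)
    return {"body": body, "mac": mac.hexdigest()}

def verify(report: dict, nonce: str, certified: set) -> str:
    """Part 2 (run time): the relying party checks the report before trusting the service."""
    body = report["body"]
    expected = hmac.new(HW_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), report["mac"]):
        return "bad-signature"          # report was not produced by the trusted hardware key
    if not hmac.compare_digest(body["nonce"], nonce):
        return "stale-nonce"            # replay of a report issued for an earlier challenge
    if body["measurement"] not in certified:
        return "unknown-measurement"    # running image differs from every certified build
    return "ok"

if __name__ == "__main__":
    certified = set()
    image = b"constructed sample: security-kernel v1"   # constructed sample input
    certify(image, certified)
    nonce = secrets.token_hex(16)
    print(verify(tee_report(image, nonce), nonce, certified))                # certified image
    print(verify(tee_report(image + b" patched", nonce), nonce, certified))  # modified image
```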
To learn more about TEEs & how Manetu can help, request a demo.