# Secure Enclaves: The Powerful Way to Make Data Secure by Default

[Download PDF](https://cdn.prod.website-files.com/63f08d2744acc65d1d4d6d85/6405c9d5d2eb32d4786d1891_case-study-what-is-a-secure-enclave.pdf)

## Executive Summary

A major threat to enterprise IT already exists inside your organization: insiders. Most enterprises already take steps to protect systems from end users, but credentialed insiders with unfettered access are more dangerous, and the category is not limited to employees. Third parties, including employees at cloud providers, are often to blame for insider breaches. Nation-states and other bad actors can also present stolen or forged credentials that make them look like insiders.

Current methods and technologies to prevent IT insider threats have had severe limitations. Now there’s a new approach being implemented by nearly every major hardware and cloud vendor. Secure enclaves provide a comprehensive, more secure solution that protects data, applications, and storage from insiders and third parties—on premises, and in both private and public clouds.

## What is a Secure Enclave?

A secure enclave provides CPU hardware-level isolation and memory encryption on a server: application code and data run in a region of memory that privileged software (the operating system, the hypervisor) and the people who administer it cannot read or modify, and that region is encrypted with a key held by the CPU rather than by software. With additional software, secure enclaves enable the encryption of both storage and network data for simple full stack security. Hardware support for secure enclaves is built into current server CPUs from Intel and AMD (Intel SGX and TDX on Xeon, AMD SEV on EPYC); it is not present on every consumer part, so confirm the feature on the specific CPU model before planning a deployment.

## Insiders: The Threat No One Wants to Talk About

Until now, most cybersecurity efforts have focused on controlling network access by outsiders or end users. The greatest harm, however, is likely to come from insiders—system administrators, network architects, system analysts, developers, and site reliability engineers—who often have authorized access to data, networks, and applications. They may misuse or abuse their access to steal or damage sensitive data. Breaches may also occur unintentionally due to lax security protocols. It’s estimated that [43% of all breaches are committed by insiders](https://www.infosecurity-magazine.com/news/insider-threats-reponsible-for-43/)—both accidental and intentional.

An infamous example of an intentional insider breach is the case of Edward Snowden, a Booz Allen contractor working with the NSA. In 2013, Snowden took about 1.7 million intelligence files in what is considered one of the biggest thefts of US secrets in history. As a system administrator and architect, Snowden had broad administrative access to NSA systems, and he was also [able to access files from other sites, including those of other countries](https://www.bloomberg.com/news/articles/2014-01-09/pentagon-finds-snowden-took-1-7-million-files-rogers-says).

The move to cloud-based computing compels enterprises to address the risk of insider threats even with third-party access. The costs of these threats are enormous, resulting in financial losses, regulatory penalties, and reputational damage, exemplified by breaches at companies like Target and Marriott.

## Current Efforts Don’t Work

Until now, cybersecurity solutions have focused on **detecting** hacking and incursions. Detection technologies continue to improve, but detection by its nature happens after the intrusion. Breaches may not be revealed until months or years later, by which time the damage has very likely already been done.

What's needed is an approach that prioritizes prevention over detection, thereby ensuring that security mechanisms are in place before threats can manifest.

## Recent Options Aren’t Enterprise-Ready

New security options have become available, but they are often point solutions that lack comprehensive protection. These solutions may protect data at rest (on disk) or in transit (on the network), but they do not adequately address data in use: the plaintext that an application holds in memory while it processes it, which any administrator of the host can read.

## Prevention Not Detection

In today’s environment, enterprises can never be sure that all threats have been detected and handled in a timely manner. The focus should be on keeping resources and networks secure rather than merely chasing past malicious acts. Protecting memory and networks is crucial in addition to traditional data-at-rest methods, so that the resulting security covers operations running in both private and public clouds.

## Secure Enclaves Deliver High-Level Hardware Security

Secure enclaves, also known as Trusted Execution Environments (TEEs), are critical for protecting data in use. They keep sensitive information isolated in memory that the host operating system, the hypervisor and the administrators of either cannot read or alter, so a system administrator can still operate the machine without gaining access to the application's plaintext. The isolation boundary is the enclave itself: a flaw in the code running inside the enclave is not covered by the hardware, so the enclave's own code should be kept small and reviewed. By moving that protection into the hardware, secure enclaves can reduce the complexity of the security stack and lead to cost savings across operations.
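The isolation described above and in "What is a Secure Enclave?" only keeps a secret away from the host's administrators if the secret is never given to the host in the first place. The pattern used in practice is attestation-gated key release: the CPU measures the code loaded into the enclave and signs a report with a key the OS cannot read, and a key broker outside the host's control releases the secret only to a report it can verify. The following is an added example that simulates that exchange; it is not code from the original page or from Anjuna, and it uses constructed keys and standard-library primitives rather than any real SGX, SEV or TDX API. The names `measure`, `hw_attest`, `KeyBroker` and `enclave_request_key` are assumptions made for the illustration.

```python
"""Attestation-gated key release, simulated with stdlib primitives.

Constructed example: HMAC stands in for the CPU's attestation key (real
hardware uses an asymmetric key and a vendor certificate chain), and the
secret is returned in the clear, whereas a real broker would wrap it to an
enclave-held key carried in report_data so the relaying host cannot read it.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

# Constructed stand-in for the key fused into the CPU. The host OS can ask the
# hardware to sign reports with it but can never read it or sign on its own.
HW_ATTESTATION_KEY = secrets.token_bytes(32)


def _canon(body: dict) -> bytes:
    """Canonical encoding of a report body so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True).encode()


def measure(enclave_code: bytes) -> str:
    """Measurement of the code loaded into the enclave (the role MRENCLAVE
    plays on SGX, or the launch digest on SEV-SNP)."""
    return hashlib.sha256(enclave_code).hexdigest()


def hw_attest(enclave_code: bytes, report_data: bytes) -> dict:
    """Simulated CPU instruction: emit a report over the enclave's measurement
    and enclave-chosen report_data, authenticated with the hardware key."""
    body = {"measurement": measure(enclave_code), "report_data": report_data.hex()}
    mac = hmac.new(HW_ATTESTATION_KEY, _canon(body), "sha256").hexdigest()
    return {"body": body, "mac": mac}


class KeyBroker:
    """Relying party holding the application secret outside the host. It
    releases the secret only to a fresh, hardware-signed report whose
    measurement is on its allow-list."""

    def __init__(self, hw_key: bytes, allowed: Set[str], secret: bytes):
        self._hw_key = hw_key
        self._allowed = allowed
        self._secret = secret
        self._nonces: Set[bytes] = set()  # outstanding challenges, used once

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    def release_key(self, report: dict, nonce: bytes) -> Optional[bytes]:
        body = report["body"]
        expected = hmac.new(self._hw_key, _canon(body), "sha256").hexdigest()
        if not hmac.compare_digest(expected, report["mac"]):
            return None  # forged or tampered report: not signed by the hardware
        if body["measurement"] not in self._allowed:
            return None  # unknown or modified enclave code (e.g. a backdoor)
        if nonce not in self._nonces or body["report_data"] != hashlib.sha256(nonce).hexdigest():
            return None  # stale or replayed report: not bound to a live challenge
        self._nonces.discard(nonce)
        return self._secret


def enclave_request_key(enclave_code: bytes, broker: KeyBroker) -> Optional[bytes]:
    """The enclave's side of the exchange. The host relays the messages but
    cannot change the measurement the hardware computed or sign the report."""
    nonce = broker.issue_nonce()
    report = hw_attest(enclave_code, hashlib.sha256(nonce).digest())
    return broker.release_key(report, nonce)


def demo() -> Dict[str, bool]:
    """Run the four cases an insider on the host could attempt."""
    good_code = b"def process(records): return encrypt(records)"  # constructed
    backdoored = good_code + b"\nsend_to_admin(records)"          # constructed tampering
    secret = b"app-data-encryption-key"
    broker = KeyBroker(HW_ATTESTATION_KEY, {measure(good_code)}, secret)
    results = {}
    # 1. Genuine enclave: measurement on the allow-list, fresh signed report.
    results["genuine"] = enclave_request_key(good_code, broker) == secret
    # 2. Admin loads modified code: the hardware measures it, the broker refuses.
    results["backdoored"] = enclave_request_key(backdoored, broker) is None
    # 3. Admin hand-crafts a report claiming the good measurement without the key.
    nonce = broker.issue_nonce()
    forged = {"body": {"measurement": measure(good_code),
                       "report_data": hashlib.sha256(nonce).hexdigest()},
              "mac": "00" * 32}
    results["forged"] = broker.release_key(forged, nonce) is None
    # 4. Admin captures a genuine report and presents it a second time.
    nonce = broker.issue_nonce()
    report = hw_attest(good_code, hashlib.sha256(nonce).digest())
    first = broker.release_key(report, nonce)
    results["replay"] = first == secret and broker.release_key(report, nonce) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the four cases in `demo()` is that the hardware isolation alone is not what stops the insider; it is the combination of a measurement the host cannot alter, a signature the host cannot produce, and a broker policy that refuses any report which is unsigned, unknown or stale.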

## A New Level of Enterprise Security

Secure enclaves provide a higher level of security for operations by ensuring IT insiders are blocked from reading or tampering with application data while still able to perform their jobs seamlessly. They also limit the impact of zero-day exploits against the host: data inside an enclave stays segregated even when the surrounding operating system or hypervisor has been compromised by a third party. The protection does not extend to vulnerabilities in the enclave's own code, which remain the application owner's responsibility.

## Secure Enclaves Prevent Critical Threats

CISOs now face a range of incidents, and secure enclaves address the class that depends on reading or tampering with a running application's memory: theft of keys or customer data by a privileged insider, memory scraping by a compromised host, and exposure of plaintext to the cloud provider's own staff and software.

## Obstacles to Adoption

Despite their advantages, secure enclaves have historically been complex and costly to implement. However, new solutions are emerging to streamline this integration, making secure enclaves more accessible without requiring extensive rewrites of existing applications.

## Next Steps: Prepare Now

Organizations are advised to prepare for the adoption of secure enclaves, addressing how they protect sensitive applications in public cloud environments and evaluating their cloud provider's security measures. Questions regarding third-party exposures and application modifications for secure enclave compatibility should lead the discussion on adopting these technologies.

## About Anjuna

Anjuna Security specializes in making the public cloud secure for businesses, leveraging advanced hardware-based secure computing technologies to establish a strong perimeter against insider threats.
