Skip to content

AWS releases Nitro Enclaves, making it easier to process highly sensitive data

According to Amazon, Nitro Enclaves will help customers reduce attack surfaces for their applications by providing a highly isolated and hardened environment for data processing.


Image: krblokhin, Getty Images

Must-read cloud

This week, Amazon announced AWS Nitro Enclaves, a new feature of EC2 that will allow customers to securely process highly sensitive data and protect it when it must be unencrypted at the point of use by providing an isolated environment for data processing. In a statement, Amazon Web Services said it was making AWS Nitro Enclaves generally available as a new capability of EC2 that consists of virtual machines with no persistent storage, no administrator or operator access, and no external networking.

SEE: Cloud data storage policy (TechRepublic Premium)

“Each Enclave is a virtual machine created using the same Nitro Hypervisor technology that provides CPU and memory isolation for Amazon EC2 instances, but with no persistent storage, no administrator or operator access, and no external networking. This isolation means that applications running in an Enclave remain inaccessible to other users and systems, even to users within the customer’s organization,” the company statement said.

“With this isolation, the AWS Nitro Enclave owner can start and stop, or assign resources to an Enclave, but even the owner cannot see what is being processed inside of AWS Nitro Enclaves. AWS also announced the launch of AWS Certificate Manager for Nitro Enclaves, a new Enclave application that makes it easy for customers to protect and manage Secure Sockets Layer/Transport Layer Security certificates for their web servers running on Amazon EC2.”

SEE: Top cloud providers in 2020: AWS, Microsoft Azure, and Google Cloud, hybrid, SaaS players (TechRepublic)

The company noted in a press release that many of its customers in dozens of industries have pushed for ways to keep sensitive data better protected, particularly those working with personally identifiable information, financial data, healthcare records, and intellectual property.

With AWS Nitro Enclaves, customers are able to keep their data safe using access controls and encryption while it is in transit or at rest. 

“Customers often tell us that powerful built-in protections like the locked-down security model of the Nitro System are among the primary reasons why they trust AWS with their workloads,” said David Brown, vice president of Amazon EC2 at AWS. “Nitro Enclaves builds on those same security and isolation models that have separated AWS for so many customers, delivering a more efficient method for securely processing highly sensitive data. This means customers can build and innovate faster in a way that still meets the highest bar for security.”

Customers can protect their data with access controls and by using encryption while it is at rest and in transit, but it becomes much more difficult to keep safe when it is being used. 

The best example of this is in healthcare, where certain digital recommendation algorithms and systems in hospitals need to access unencrypted patient data in order to work. Encryptions would not work in instances like this.

“To protect unencrypted data during processing, customers often set up separate instance clusters for secure data configured with limited connectivity, restricted user access, and other strict isolations. However, the possibility of human error in the setup and administration of such complex custom systems can lead to availability issues or security oversights, and managing these extra instances is an operational burden, an organizational bottleneck, and expensive,” the company statement said. 

SEE: TechRepublic Premium editorial calendar: IT policies, checklists, toolkits, and research for download (TechRepublic Premium)

“With AWS Nitro Enclaves, customers simply select an instance type and decide how much CPU and memory they want to designate to the Enclave. AWS Nitro Enclaves provides the flexibility to partition varying combinations of CPU cores and memory, enabling customers to match resources to the size and performance demands of their workloads.” 

Enclave applications can be developed using the open source AWS Nitro Enclaves SDK set of libraries, and it also can integrate with AWS Key Management Service. This lets customers generate data keys and decrypt them inside the Enclave, according to the statement, which adds that customers can isolate SSL/TLS certificates within an Enclave.

This will make them usable by web servers while also protecting them from access by other users or applications in the customer’s environment, the company explained. 

Jeff Barr, chief evangelist for AWS, wrote in a blog post that customers can start to create and use enclaves today on Intel and AMD-based processors in the US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), Asia Pacific (Hong Kong), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (São Paulo) regions today at no extra charge, with more regions and support for Graviton-based processors coming soon. 

He added that customers will pay the usual rates for the EC2 instance, and for any calls to KMS.

Shane Curran, CEO of encryption startup Evervault, said, “Our mission is to encrypt the internet. Nitro Enclaves provides the perfect platform to make this happen, because it’s the best way to protect data in use.”

CastLabs CEO Michael Stattmann added that his globally operating cloud service provider handles the most valuable data and encryption keys and said the company is always trying to achieve the highest levels of data security, isolation, and trust. 

“Working with an advanced security technology usually increases overhead, but with Nitro Enclaves, achieving a confidential computing implementation is easy to develop and deploy, using much more familiar technologies.”

Also see