How will Intel’s “Ice Lake” redefine the scope of data security?
On 6 April 2021, the data security world took a giant leap forward with the launch by Intel® of its 3rd Generation Intel® Xeon® Scalable Processors — code-named Ice Lake — for use in the next generation of server platforms. As expected, the new processors can handle a range of workloads across networks, cloud, and edge. It offers flexible architecture for a wide-range of applications and built-in hardware acceleration that delivers improved capabilities when executing more complex and diversified workloads.
Of more direct interest, however, Ice Lake is a processor built for security today and for the new demands of confidential computing. So, what are the principal benefits of the new processor technology? To summarize:
Start with Scalable Performance
Security workloads demand high performance. As a foundation, 3rd Gen. Intel Xeon Scalable Processors utilize 10nm process technology which can deliver up to 40 cores per processor. This new platform technology yields a 2.65 times performance improvement over previous Intel® Xeon® processors. With Ice Lake, enterprises can run more VMs and applications with a reduced infrastructure footprint and expanded application resource capacity. Ice Lake increases per-server performance by at least 40% to 60%, depending upon the processor SKU, and storage density is increased by six times over predecessor hardware.
Accelerate Data Security
Some of the new security capabilities delivered by the new processor family are the availability of confidential computing across the range with Intel® Software Guard Extensions (Intel® SGX). The ability to deploy confidential computing using any of the new Ice Lake processors is complemented by additional features including Intel® Total Memory Encryption (Intel® TME), Intel® Platform Resilience (Intel® PFR), and integrated cryptographic accelerators.
But, perhaps, the most concrete difference between Ice Lake and previous platforms is the amount of protected memory now available to Intel SGX applications. Whereas previous Intel Xeon processors have been limited to a maximum of 256MB of Enclave Page Cache (EPC) memory, the new 3rd Gen. Intel Xeon Scalable Processors can support from 8GB to 1TB of isolated EPC, dependent upon the relevant product SKU. Ice Lake allows allocation of protected memory for Intel SGX applications that is orders of magnitude greater than developers have previously been able to deploy. Not only does Ice Lake provide significant performance benefits to application developers, it is also the first version of Intel’s high-end datacenter CPU lineup to support Intel® SGX across all SKUs — making confidential computing a ubiquitous feature of the platform.
How does this help data security?
The launch of 3rd Gen. Intel® Xeon® Scalable Processors is a game-changer for data security as Intel now offers the capability to secure your data and applications without compromising on performance. Expansion of the available EPC memory region also provides the ability to secure very large datasets and application workloads using Intel® SGX within a single enclave. Encapsulation of entire workloads using Intel® SGX, without loss of performance, offers developers scope to deploy new products and services using confidential computing that have been impractical until now.
Confidential Computing with Intel® SGX
Within an application pipeline, data exists in one of three states: data that is stored “at rest”, data that is traversing across the network “in transit”, and data that is being processed by the CPU “in use”. Even if you encrypt data at rest and in transit across the network, the data becomes vulnerable to unauthorized access and tampering when it is decrypted at runtime. Protecting data in use is, therefore, critical to the provision of complete end-to-end data security. Confidential computing protects data and applications by running them in secure enclaves that isolate the data and code to prevent unauthorized access, even when the compute infrastructure is compromised. Intel® SGX technology represents the leading implementation of Confidential Computing and offers the optimal Trusted Computing Base (TCB) for users by limiting the trusted system components to the enclave memory and the deployed application. Intel® SGX allows organizations to isolate their software and data from the underlying infrastructure by means of hardware-based encryption that is linked to the identity of the CPU. Organizations can now run sensitive applications and data with confidence on untrusted infrastructure, including public clouds and enabled on-premises hardware. This gives organizations greater control over the security and privacy of applications and data inside and outside of their established security perimeter.
Scale up your Confidential Computing with Ice Lake
Earlier versions of Intel processors like Coffee Lake and Cascade Lake were confined to a single socket, low core number processors, with limited amounts of RAM and a ceiling of 256MB for allocated EPC memory. These resource constraints have limited the practical implementation of various workloads where support for Intel® SGX has been offered. With improved performance and larger enclave sizes, the new Ice Lake platform opens new avenues for secure data processing that can meet a broader spectrum of Confidential Computing use cases that involve protecting data in use at a massive scale.
Intel® SGX with Coffee Lake/Cascade Lake Intel® SGX with Ice Lake
Single socket processors
Small enclaves, limited to 256MB EPC
Large enclaves with up to 1TB EPC
Suitable only for smaller applications
Scalable for larger in-memory datasets
Not compatible for datacenter-grade servers
Supports datacenter servers
3rd Gen. Intel® Xeon® Scalable Processors with Intel® SGX technology will enable organizations to securely process more data at an unparalleled speed without worrying about the risk posed by potential attacks on data in use. It has now become easier for organizations to use Confidential Computing technology to protect large volumes of data in memory and to use it for privacy-preserving analytics that can help prevent fraud in financial services, detect diseases and develop new cures in the healthcare industry, and secure intellectual property across a wide range of sensitive industrial use cases. Fortanix Confidential Computing Manager™, leveraging the power of the new Ice Lake platform, supports the rapid, scalable, implementation of the following potential application use cases:
Organizations that have embarked on the journey towards public cloud migration and that require applications to process sensitive data, including those operating in regulated industries, can now look to confidential computing to reduce the risk of a data breach and to secure their critical workloads and encoded intellectual property.
Originally published at https://fortanix.com.