Skip to main content
banner image
venafi logo

Anjuna Delivers a New Way to Manage Machine Identities in Secure Enclaves

Anjuna Delivers a New Way to Manage Machine Identities in Secure Enclaves

secure-enclaves-in-machine-identity-management
November 19, 2020 | Bridget Hildebrand

Surprisingly, one of the major threats to the security of enterprise IT and cloud computing is insiders. From employees to bad actors with administrative credentials, insiders are dangerous because of the broad systems access they require to do their jobs. Insiders have the ability to misuse or abuse their authorized access to data, networks, and applications to steal or damage data, algorithms, and other sensitive information.

Enterprises everywhere are looking to solve this problem. Secure enclaves establish a more secure, comprehensive approach to protecting data, applications, and storage from insiders and third parties wherever they’re executed and stored—on-premises, and in both private and public clouds.

A secure enclave provides CPU hardware-level isolation and memory encryption on every server, by isolating application code and data from anyone with privileges and encrypting its memory. With additional software, secure enclaves extend that protection to both storage and network data for simple full-stack security. Secure enclave hardware support is built into all new CPUs from Intel and AMD and is available on AWS, Microsoft Azure. and other cloud services.

This leaves organizations with a fundamental challenge. How to make data available where appropriate, but ensure it is unavailable to insiders?

Solving one security challenge creates another. How do you effectively manage the machine identities—digital certificates and cryptographic keys—needed for encryption? Anjuna Security, secure enclaves experts, have joined the Machine Identity Management Development Fund to ensure machine identities are fully protected in the process. In this continuing interview series with developers, I have the pleasure of speaking with Ayal Yogev, CEO at Anjuna.


Bridget: Please start by telling me about Anjuna Security.

Ayal: My cofounder Yan Michaelevsky and I started Anjuna because we saw a big problem in the military and commercial world. Yan and I served together in the Israeli military and saw situations where data in insecure locations needed to be protected. Later, I saw a similar issue when I ran product development for OpenDNS (acquired by Cisco), where there were vulnerabilities in the ways keys were protected. This issue was already being addressed in academia. Yan worked on related cryptographic issues while getting his Ph.D. at Stanford with Dan Boneh, a leading academic cryptology researcher.

Anjuna Enterprise Enclaves software provides simple, secure enterprise-class application and data protection, virtually invulnerable to malicious software, IT insiders, and bad actors. This enables IT to safely run workloads within the isolated and encrypted confines of a secure enclave anywhere, and “as is” without recoding or modifying the application’s host, VM or container.

Enclaves probably deserve an explanation.  Put simply, they are a private region of a host’s memory whose contents are protected—unable to be either read or saved by any process outside the enclave itself. Enclaves ensure that any data or applications running within its perimeter are encrypted and unaddressable, even when the host is compromised physically or by malicious software. Enclaves are enabled by secure proprietary instruction sets built into leading CPUs and clouds. Anjuna makes it simple to deploy applications into the secure confines of a secure enclave and extend protection to storage and network communication.


Bridget: How are secure enclaves changing the machine identity challenge for InfoSec and DevOps teams?

Ayal: When security teams need to protect machine identities in cloud and DevOps pipelines, they often consider hardware security modules (HSMs). However, HSMs were developed for fixed data center architectures. Unfortunately, new cloud-based HSM services continue to have these limitations and only move the point of inflexibility to the cloud.

Anjuna solves this problem for DevOps, cloud, and security teams by leveraging local processor security features, including a root of trust, to secure the software and networks that distribute certificates.

By securing the individual application in a trusted execution environment, security architects can rethink and re-architect how they deploy sensitive applications such as secrets and key management. You no longer need to worry about burdensome host access controls, and you can also reduce inflexible security zones. Data and applications are secured by default and inaccessible to anyone or any process.

Without any code or DevOps process changes, Anjuna enables existing applications to enjoy runtime security that avoids the possibility of compromising data in use, at rest, and in motion. Using trusted execution environments supported by Intel® SGX, AMD SEV,  AWS Nitro, and other solutions, Anjuna assures the workload integrity through remote attestation, so that your sensitive application runs only in the designated target environment.


Bridget: How can Venafi customers take advantage of this approach?

Ayal: With sponsorship from the Machine Identity Management Development Fund, we are enabling Venafi customers to protect machine identities without the limitations of traditional HSMs. We have created the configuration, documentation, and required scripts for Venafi Platform agentless provisioning TLS machine identities for Apache and NGINX. We are also delivering the configuration, documentation, and required code for operating Venafi VCert with Anjuna. These will be published to the Anjuna-security GitHub under the Apache 2 license and will be simple to deploy.

 

The Anjuna Enterprise Enclave integration is targeted for availability in Q4 2020. You can learn more from the Venafi Marketplace. And stay tuned for future interviews with Machine Identity Management Development Fund recipients.

 

This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.

 

Related posts

 

Learn more about machine identity management.

Like this blog? We think you will love this.
opencredo-venafi-vault-wizard
Featured Blog

OpenCredo Venafi-Vault Wizard: Bringing InfoSec and Developers One Step Closer

Increasing visibility without slowing down developers

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Bridget Hildebrand
Bridget Hildebrand

Bridget is Sr. Manager, Ecosystem Marketing at Venafi. She has over 20 years of experience managing technology partnerships and global channel programs for a broad range of technology organizations.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more