Google Cloud Platform
Introducing Asylo: an open-source framework for confidential computing
Protecting data is the number one consideration when running workloads in the cloud. While cloud infrastructures offer numerous security controls, some enterprises want additional verifiable isolation for their most sensitive workloads—capabilities which have become known as confidential computing. Today we’re excited to announce Asylo (Greek for “safe place”), a new open-source framework that makes it easier to protect the confidentiality and integrity of applications and data in a confidential computing environment.
Asylo is an open-source framework and SDK for developing applications that run in trusted execution environments (TEEs). TEEs help defend against attacks targeting underlying layers of the stack, including the operating system, hypervisor, drivers, and firmware, by providing specialized execution environments known as “enclaves”. TEEs can also help mitigate the risk of being compromised by a malicious insider or an unauthorized third-party. Asylo includes features and services for encrypting sensitive communications and verifying the integrity of code running in enclaves, which help protect data and applications.
Previously, developing and running applications in a TEE required specialized knowledge and tools. In addition, implementations have been tied to specific hardware environments. Asylo makes TEEs much more broadly accessible to the developer community, across a range of hardware—both on-premises and in the cloud.
With the Asylo toolset, Gemalto sees accelerated use of secure enclaves for high security assurance applications in cloud and container environments. Asylo makes it easy to attach container-based applications to securely isolate computations. Combining this with Gemalto’s SafeNet Data Protection On Demand paves the way to build trust across various industry applications, including; 5G, Virtual Network Functions (VNFs), Blockchain, payments, voting systems, secure analytics and others that require secure application secrets. Using Asylo, we envision our customers gaining deployment flexibility across multiple cloud environments and the assurance of meeting strict regulatory requirements for data protection and encryption key ownership.
The Asylo framework allows developers to easily build applications and make them portable, so they can be deployed on a variety of software and hardware backends. With Asylo, we supply a Docker image via Google Container Registry that includes all the dependencies you need to run your container anywhere. This flexibility allows you to take advantage of various hardware architectures with TEE support without modifying your source code.
Asylo offers unique benefits over alternative approaches to confidential computing:
- Ease of use. With Asylo, it’s easy to create apps that take advantage of the security properties of TEEs. You won’t need to learn a completely new programming model, or rewrite your app.
- Portability and deployment flexibility. Asylo applications do not need to be aware of the intricacies of specific TEE implementations; you can port your apps across different enclave backends with no code changes. Your apps can run on your laptop, a workstation under your desk, a virtual machine in an on-premises server, or an instance in the cloud. We are exploring future backends based on AMD Secure Encryption Virtualization (SEV) technology, Intel® Software Guard Extensions (Intel® SGX), and other industry-leading hardware technologies that could support the same rebuild-and-run portability.
- Open source. As an open-source framework, everyone can take advantage of confidential computing technology. Keep on the lookout for Asylo’s rapidly-evolving capabilities!
The Asylo roadmapWith Asylo, we can create the next generation of confidential computing applications together with the community. In version 0.2, Asylo offers an SDK and tools to help you develop portable enclave applications. Coming soon, Asylo will also allow you to run your existing applications in an enclave—just copy your app into the Asylo container, specify the backend, rebuild, and run!
We look forward to seeing how you use, build on, and extend Asylo. Your input and contributions will be critical to the success of the project and ensure Asylo grows to support your needs.