Executive Summary
The document presents an in-depth technical analysis of the auditability and explainability of the OBLV deployment system, a solution that supports secure computing with enhanced data security and privacy in organisations
At its core, OBLV utilises confidential computing, also referred to as secure enclaves, for the deployment of applications (containers and pods), ensuring that sensitive data processing occurs in secure and isolated environments. This approach significantly mitigates risks associated with data breaches and unauthorised access. OBLV’s explainable architecture is grounded in a thorough attestation process, which certifies the integrity and authenticity of secure enclaves. The explainability is achieved via manifests, which provide detailed blueprints of internal configurations and operational parameters of each enclave. These manifests cover aspects such internal structure, data flow, logging, authentication protocols, health checks, telemetry, outbound traffic control, and service communication permissions. This level of detail not only enhances the security of the system but also simplifies compliance.
The trust model within OBLV is established on cryptographic attestation and incorporates a certificate chain that traces back to the AWS Root Certificate Authority. Manifests and the trust model coupled with the core building blocks of the OBLV deployment system such as the secure proxy and key management service integrations offer auditability both in real time and via secure logs.
This comprehensive approach to auditability and explainability positions OBLV as a highly secure, reliable, and transparent solution for data processing in risk-conscious environments.
An Overview of OBLV Deployment
OBLV supports users in deploying containers and pods within isolated and verified enclave environments. The system is developed with inherent compliance and risk mitigation, providing a reliable solution for enhancing data processing security.
Key Features of OBLV
Isolated Enclave Environments: OBLV leverages enclave technology to create secure environments for data processing, segregating sensitive operations from other system areas to mitigate risks of data breaches.
Container and Pod Deployment: It enables the deployment of containers and pods into secure enclaves, combining the scalability of containerised applications with a secure operational environment.Rigorous Attestation Process: Each enclave undergoes a detailed attestation to verify its integrity and authenticity, ensuring that operations within are as intended and secure.Non-Persistent Environments: Enclaves in OBLV are non-persistent, eliminating data traces after termination, which is essential for secure handling of sensitive information.Defense-in-Depth via Proxy Attestation: The system provides multiple layers of security verification, including the use of a secure proxy and custom key management service (KMS) rules, before sensitive data is sent to the enclave.
OBLV provides a practical solution that meets the demands of data security and regulatory adherence for those in compliance and risk management. Its capability to transparently isolate and validate data processing environments and clear attestation process with straightforward audit trails, align with high security and compliance regulations. OBLV is a suitable tool for organisations aiming to enhance their data security in a regulated environment.
Explainable Architecture
OBLV introduces an explainable architecture for enclave-based computing, overcoming the limitations of traditional virtual machine image trust. Vanilla confidential computing relies on minimal hash-based verification, which can obscure the detailed architectural view of the system, making it challenging to confirm its operational integrity.
OBLV addresses this by implementing a detailed framework using secondary manifests. These JSON documents provide an in-depth blueprint of each enclave’s internal configuration and operational parameters. This transparency provides a clear, interpretable representation of the system's structure and functioning. Such detail is essential for enhancing transparency, security, and compliance, enabling developers and security professionals to fully understand and verify the system’s operations.
Components of the Secondary Manifests
Internal Structure and Data Flow: The manifests detail the arrangement and interactions of services within each enclave, outlining how data moves and is processed. This ensures intentional, secure data handling that adheres to established policies.
Logging and Authentication Protocols: These documents specify the logging processes and authentication protocols within the enclave. They describe how access is secured and maintained, preserving data integrity and confidentiality.Health Checks and Telemetry: The manifests outline the health checks and telemetry configurations, providing assurance over the level of detail which the enclave makes visible to their administrator.Outbound Traffic and Whitelisting: Control of outbound traffic is a critical security aspect. The manifests details whitelisted Fully Qualified Domain Names (FQDNs) and specify the conditions under which redirects or other routing mechanisms are allowed, ensuring secure external communications.Service Communication and Permissions: The manifests define the communication channels and permissions for services within the enclave, delineating who can communicate with whom and under what conditions. This ensures a controlled environment where each service operates within its authorised scope.
OBLV's explainable architecture, anchored in these comprehensive secondary manifests, significantly enhances the system's security and compliance capabilities. It provides a transparent and detailed view of the enclave's configuration and management, strengthening trust in the system’s security and simplifying compliance with regulatory standards.
Trust Model
OBLV’s trust model is pivotal for the system's security and reliability. It is built on a series of layered attestations, each playing a role in establishing and maintaining a secure and transparent operational environment.
Levels of Attestation in OBLV's Trust Model:
Level | Level of Attestation | Details |
|---|---|---|
Level 6 | Image-Specific Configurations | This level scrutinises the specific configurations of each image, including settings and operational parameters, ensuring alignment with security and operational policies. Deviations, if any, are identified during the attestation process. |
Level 5 | Image-Specific Digest & Signatures | Each image undergoes verification through its unique digest and signature, ensuring data integrity and confirming the image's authenticity. |
Level 4 | Secondary Manifest | The secondary manifest acts as a detailed record of the image's anticipated state, including dependencies and network configurations, for comparison against the actual state. |
Level 3 | Image PCRs | Platform Configuration Registers (PCRs) store measurements of the enclave image and its components to detect any deviations from the official image. |
Level 2 | Certificate Chain | An attestation document signed by a certificate within the AWS Nitro Card establishes a link between the physical infrastructure of the enclave and the official AWS Root Certificate Authority. |
Level 1 | AWS Root Certificate Authority | The foundational level is where the AWS Root CA provides the root of trust for the entire system. |
Attestation and Verification Process
The attestation process in OBLV deployments verifies the integrity and authenticity of the enclave environments. This process includes:
Ensuring Code Integrity: Attestation confirms that the code within the enclaves is unaltered and functioning as intended.
Measuring Against Baselines: The state of each enclave is measured and compared against known, trusted baselines to ensure its authenticity.
Role of Certificate Chain and AWS Root CA
The certificate chain is a vital part of the trust model, tracing back to the AWS Root CA. This chain ensures that each component within the system is authenticated and validated against stringent AWS security standards.
Secondary Manifests and Image Signatures
Secondary manifests and image signatures provide detailed insights into the configurations and state of each enclave, adding another layer of security and integrity.
Incorporating Trust in Operations
This trust model is deeply embedded in every operational aspect of OBLV deployments. From deployment to ongoing management, each step adheres to security, authenticity, and integrity principles, instilling confidence in users about the secure and compliant handling of their data.
Auditing Enclave Environments
The OBLV deployment system supports comprehensive auditing capabilities. Its transparent and intuitive manifests and robust trust model enable real-time auditability for key acquisition and data transmission, as well as retrospective analysis through secure audit logs.
Proxy-Based Auditing
The client proxy in OBLV deployments, available as both a CLI and an SDK, facilitates pre-emptive auditing and securing communications with enclaves. It validates enclave configurations before transmitting sensitive data.
Attestation for Pre-Transmission Validation
Client proxy functions include:
The document presents an in-depth technical analysis of the auditibility and explainability of OBLV deployment system, a solution that supports secure computing with enhanced data security and privacy in organisations
At its core, OBLV utilises confidential computing (also referred to as secure enclaves) for the deployment of applications i.e. containers and pods, ensuring that sensitive data processing occurs in secure and isolated environments. This approach significantly mitigates risks associated with data breaches and unauthorised access. OBLV’s explainable architecture is grounded in a thorough attestation process, which certifies the integrity and authenticity of secure enclaves. The explainability is achieved via manifests, which provide detailed blueprints of internal configurations and operational parameters of each enclave. These manifests cover aspects such internal structure, data flow, logging, authentication protocols, health checks, telemetry, outbound traffic control, and service communication permissions. This level of detail not only enhances the security of the system but also simplifies compliance.
The trust model within OBLV is established on cryptographic attestation and incorporates a certificate chain that traces back to the AWS Root Certificate Authority. Manifests and the trust model coupled with the core building blocks of OBLV Deployment system such as secure proxy and key management service integrations offer auditability both in real time and via secure logs.
This comprehensive approach to auditability and explainability positions OBLV as a highly secure, reliable, and transparent solution for data processing in risk-conscious environments.
Verifying Enclave Configurations: Before data transmission, the proxy assesses the enclave's configurations against predefined standards, ensuring compliance with the user’s security requirements.
Authenticating the Base Image: It attests to the authenticity of the enclave's base image, confirming it runs the approved version of OBLV Deploy EIF, establishing the enclave's integrity.
TLS Integration with Attestation
To enhance data transmission security, OBLV employs TLS with attestation:
Secure Communication: The proxy establishes end-to-end TLS encryption for data interaction with the enclave, safeguarding data during transit.
Attestation-Enhanced TLS: This setup uses enclave attestation and traditional certificate authorities, ensuring that only the verified enclave hosted by the intended domain accesses the data.Linking Identity and Configuration: This method combines the enclave's configuration, verified through attestation, with its identity established by the TLS certificate, ensuring data is accessed only by the intended, verified environment.
Log-Based Auditing
OBLV logs extensive system details for enhanced security and operational transparency. This includes:
Manifests Logging: Real-time logging of manifests provides an audit trail for configuration changes, aiding in compliance and analysis.
Metadata Logging: Detailed records of inbound and outbound communications can be configured to be logged based on the users’ requirements, offering insights into system performance and potential security threats.
Key Management Service (KMS) Controls
OBLV integrates with AWS KMS for additional security and validation. It does this by creating a ****digests of the secondary manifest and integrating these into the attestation document. This digest is representative of the specific enclave configuration. This integration enhances the granularity of security checks in key access, while the creation of the secondary manifest digest can be done on-the-fly those managing the KMS.
AWS KMS first confirms the OBLV base image's authenticity, then checks additional PCRs, including the secondary manifest’s digest, to ensure the requesting enclave's configuration aligns with authorised access parameters.
Reproducible Builds
Reproducible builds are a key aspect of OBLV's trust model, allowing for an exact recreation of enclave environments from specified manifests. This aids in maintaining consistency, transparency, and understanding of any changes during the enclave's lifecycle.
Glossary
AWS KMS (Key Management Service) | A service provided by AWS that allows users to create and manage cryptographic keys and control their use across AWS services and in applications. |
|---|---|
AWS Nitro Card | Hardware component used in AWS Nitro Enclaves for enhanced security. It contributes to the attestation and integrity verification processes. |
AWS Nitro Enclaves | An AWS feature that allows customers to create isolated compute environments to process highly confidential data. |
AWS Root Certificate Authority (CA) | The root certificate authority of AWS’s certificate chain, used for establishing trust in AWS services. |
Attestation | The process of verifying the integrity and authenticity of a system or component, typically by comparing its current state with a known, trusted baseline. |
CLI (Command Line Interface) | A text-based interface used to interact with software and operating systems by typing commands into a console or terminal. |
Container | A lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries, and settings. |
Enclave | In the context of secure computing, an enclave refers to an isolated and secure environment within a hardware system where sensitive data can be processed. |
Image Digest | A cryptographic hash value that uniquely represents a container image, used to verify its integrity. |
JSON | JavaScript Object Notation, a widely used format for configuration and data files. |
Manifest | A file containing metadata about other files, packages, or container images, typically used in software deployments to define what should be included. |
PCR (Platform Configuration Register) | A secure storage area in a computing system that stores measurements (hashes) that reflect the system's state, used for attestation purposes. |
Pod | The smallest deployable unit in Kubernetes, representing a single instance of a running process in a cluster. |
Reproducible Builds | A software development process that ensures that a given source code will consistently generate an identical binary in successive build processes. |
SDK (Software Development Kit) | A collection of software tools and libraries that developers use to create applications for specific platforms. |
Secondary Manifest | A specific document used in OBLV to uniquely specify an enclave’s configuration. Its digest is used as a custom PCR within the attestation document for enhanced security verification. |
TLS (Transport Layer Security) | A protocol that ensures privacy and data integrity between two communicating applications. |