Our latest white paper, written in collaboration with Cambridge-based Trustonic, a leading provider of hardware-enabled security for smart devices, makes the argument that it is time for Trusted Execution Environments (TEEs) to be deployed in the cloud.
Trusted Execution Environments are isolated environments on a device where security-critical functions and services can be executed in a protected manner. They are already well established in the mobile sector of the industry, where, for example, more than 500m devices currently integrate with the Trustonic Security Platform.
Typically services such as device key management, operator lock and content protection often run under the protection of a TEE, which runs alongside a device’s own OS and uses both hardware and software to protect data. The applications running inside the TEE have access to the full power of a device’s main processor and memory, but hardware isolation protects them from any apps running in the main OS — an important factor since phones are no longer closed ecosystems.
TEEs are powerful solutions to current security issues in the smart devices marketplace and are being developed by some of the most recognised names in the industry — Trustonic itself was founded by ARM, G&D and Gemalto — and this paper argues that, with adaptation, they could also be invaluable in securing data in the cloud.
With more and more broadcast industry functions migrating into the cloud, operators can now launch complete pay-TV services from it— data security is becoming ever more important. The problem is that the current Hardware Security Modules used for protecting end customer or service provider data in the cloud are not only expensive, but they lack flexibility and not well aligned with the changes in service demand.
Providing a TEE as an end-customer security solution within the cloud can be both a cost efficient and a flexible addition to existing hardware trust roots that are available in cloud settings.
The problem is that cloud computing environments are significantly different from a front end device in terms of both hardware and software architecture. To use a TEE in this new environment will require work, but our feeling is that the advantages are great enough that any effort will be rewarding.
This paper identifies the requirements for re-deploying the TEE in cloud settings. It presents our ongoing innovative research on implementing “Rack” TEEs using the ARM TrustZone® -enabled processing environments as our basic hardware building block. It contends that dcTEEs (datacenter TEEs) can be used to bridge the security gap that currently exists in cloud platforms, whilst also fitting into the established business models of cloud pay-as-you go operation moving forward.
The growth of the cloud and the transition of data and code from being hosted on dedicated servers owned by service providers, to being held on a shared resource operated by cloud providers mirrors the journey made by mobile devices in 21st century. Here, the mobile phone went from being primarily an embedded device functioning under perimeter security to a general computing device running downloadable apps. The increase in vulnerability that resulted made Trusted Execution Environments both desirable and necessary and we believe the same technology is now a requirement to ensure secure operation of cloud services in the future.
Download the complete white paper below