If your data is encrypted both when it’s stored in databases and when it travels from place to place, you might think you've got all your bases covered. But that still leaves one big blind spot in your data center security strategy: to use the data, you have to decrypt it, which creates a window for attackers to grab it right out of memory.
Multiple ways to address this have emerged, but only one has proven practical enough to gain traction among data center operators. Similar to the way smartphones store your most sensitive personal data, the approach is to never expose selected sensitive application data to the host operating system in unencrypted form at all.
One recent example was an attack that took advantage of the Heartbleed vulnerability. "They were able to grab from memory things that were stored there," Neil Weitzel, director of security research at Cygilant, said.
There are various work-arounds. Some companies replace key data with tokens so they can work with sensitive information without exposing it. Others use a form of encryption that allows computation directly on encrypted data, known as homomorphic encryption.
But both tokenization and homomorphic encryption have significant limitations, and neither has seen widespread data center security adoption outside some specific use cases. Plus, any software-based solution of this kind affects performance.
"In the case of homomorphic systems these penalties are currently very high," said Chris Camejo, director of product management for threat intelligence at NTT Security.
Enter hardware-based security enclaves.
If you have a late-model smartphone, you've already seen an example of this approach. Dedicated secure hardware in your iPhone or Android phone, a secure element or a secure enclave coprocessor, stores your biometric templates and payment credentials so that they are never exposed to the rest of the operating system.
The data center security equivalent is Intel's Software Guard Extensions (SGX), a set of CPU instructions first shipped in its Skylake processors in 2015. SGX lets an application set aside a protected region of its own address space, an enclave, whose contents are encrypted in memory by the CPU and cannot be read by the operating system, the hypervisor or other processes.
Even if a hacker is able to get into the local operating system, they won't be able to read or tamper with what the applications do inside the enclave. The protection covers only the code and data placed inside the enclave; the rest of the application runs as before.
This fall, security vendor Fortanix released a product that takes advantage of the new hardware to protect encryption keys and data while applications are actively using them.
The secure enclave is not available to other applications or the operating system itself, said Ambuj Kumar, co-founder and CEO at Fortanix.
"If you find a zero-day bug in the operating system, the enclave is secure," he said. "If you have a malicious insider with access to the system, the enclave is secure. If you have a physical attack which is able to decrypt all the memory, the enclave is embedded inside the CPU, so it remains secure."
Kumar argued that runtime encryption would have protected Equifax, for example, had the credit bureau been running its applications inside secure enclaves.
"I can find a vulnerability in Apache Struts and use that to escalate permissions, and now I have control over your entire system and over all the applications running on your systems," he said. "But when I try to use that, that's where runtime encryption will prevent that attack."
Equifax attributed the breach, in which hackers gained access to personal information of 145.5 million people held by the credit bureau, to an unpatched instance of Apache Struts, an open source web application framework.
The Fortanix Runtime Encryption platform allows existing applications to take advantage of the new hardware-based security.
"The application thinks it is operating on decrypted data," Kumar said. "The data always becomes magically available when the program needs it. No application management required to load or unload the data."
Intel's SGX extensions have been on the market since 2016, available for companies’ on-premises data centers and as infrastructure underneath cloud services.
Microsoft Azure, for example, supports the SGX enclave technology in its new Azure confidential computing offering, which became available to early-access customers this September.
Equinix and IBM are also working on supporting secure enclaves.
But runtime encryption isn't a silver bullet for data center security, Kumar warned.
For example, if the application itself is compromised -- whether through a vulnerability or through stolen credentials -- the hackers can use the application's own access to reach the data. The enclave shields the data from everything outside it, not from the code it serves.
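To make that boundary concrete, here is an added example written for this article; it is not Fortanix's code and does not use Intel's SGX SDK. A forked process stands in for the enclave: it generates a key after the fork and exposes only mac() and verify() over a pipe, so the key never exists in the application's memory, yet an attacker who runs code as the application can still ask it to MAC any message. The JSON message format, the operation names and the key-holder layout are assumptions made for this example, and plain process isolation gives none of the protection against a compromised OS or against reading RAM that a hardware enclave provides.

```python
"""Toy model of the runtime-encryption trust boundary: a forked process
holds the key and answers mac()/verify() requests; the application side
never receives the key. Process isolation stands in for a hardware enclave
here (assumption for illustration, not SGX)."""
import hashlib
import hmac
import json
import os
import secrets
import struct


def _send(fd, payload):
    """Length-prefixed write; loops because os.write may write partially."""
    data = struct.pack(">I", len(payload)) + payload
    while data:
        n = os.write(fd, data)
        data = data[n:]


def _read_exact(fd, n):
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            raise EOFError("peer closed the pipe")
        buf += chunk
    return buf


def _recv(fd):
    (length,) = struct.unpack(">I", _read_exact(fd, 4))
    return _read_exact(fd, length)


def _enclave_main(req_r, resp_w):
    """Runs inside the key-holding process. The key is created here, after
    the fork, so it never exists in the application's address space."""
    key = secrets.token_bytes(32)
    while True:
        try:
            req = json.loads(_recv(req_r))
        except EOFError:
            return  # application closed its end; shut down
        op = req.get("op")
        if op == "mac":
            tag = hmac.new(key, bytes.fromhex(req["data"]), hashlib.sha256).digest()
            resp = {"tag": tag.hex()}
        elif op == "verify":
            expected = hmac.new(key, bytes.fromhex(req["data"]), hashlib.sha256).digest()
            resp = {"ok": hmac.compare_digest(expected, bytes.fromhex(req["tag"]))}
        else:
            # Deliberately no key-export operation: this interface is the
            # whole security boundary, so it offers only what the app needs.
            resp = {"error": "unsupported operation"}
        _send(resp_w, json.dumps(resp).encode())


class EnclaveProxy:
    """Untrusted-side handle: looks like a local object, but every call is a
    request to the key holder (the 'data becomes available when the program
    needs it' experience, without the app ever holding the secret)."""

    def __init__(self):
        req_r, req_w = os.pipe()
        resp_r, resp_w = os.pipe()
        pid = os.fork()
        if pid == 0:  # child becomes the key holder
            os.close(req_w)
            os.close(resp_r)
            try:
                _enclave_main(req_r, resp_w)
            finally:
                os._exit(0)
        os.close(req_r)
        os.close(resp_w)
        self._pid, self._req_w, self._resp_r = pid, req_w, resp_r

    def _call(self, **req):
        _send(self._req_w, json.dumps(req).encode())
        return json.loads(_recv(self._resp_r))

    def mac(self, data):
        return bytes.fromhex(self._call(op="mac", data=data.hex())["tag"])

    def verify(self, data, tag):
        return bool(self._call(op="verify", data=data.hex(), tag=tag.hex())["ok"])

    def export_key(self):
        """What a compromised app would try first; the interface has no such op."""
        return self._call(op="export_key").get("error")

    def close(self):
        os.close(self._req_w)
        os.close(self._resp_r)
        os.waitpid(self._pid, 0)


def demo():
    """Exercise both sides of the boundary and return the observations."""
    enclave = EnclaveProxy()
    try:
        token = b"user=alice;role=reader"  # constructed sample token
        tag = enclave.mac(token)
        forged = b"user=mallory;role=admin"
        return {
            "legit_verifies": enclave.verify(token, tag),
            "tampered_fails": enclave.verify(b"user=alice;role=admin", tag),
            "key_export": enclave.export_key(),
            # The limit Kumar warns about: code running *as the application*
            # can still have any message MACed, since the enclave cannot tell
            # the app from an intruder who has taken the app over.
            "attacker_can_still_use_key": enclave.verify(forged, enclave.mac(forged)),
        }
    finally:
        enclave.close()


if __name__ == "__main__":
    print(demo())
```

Run it on a POSIX system; the printed dictionary shows the key never leaves the holder (export is refused) while the application side, and therefore anyone controlling it, keeps full use of the key through the interface. That is the practical reason enclaves narrow the exposure of data in use without removing the need to secure the application itself.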
Runtime encryption is critical for protecting data in public and multi-tenant infrastructure, such as cloud platforms, said Patrick Gilmore, CTO at the data center operator Markley Group. But it also has a place in on-premises facilities.
"Not all threats are external," he said.