Source: Introducing Asylo: an open-source framework for confidential computing from Google Cloud Platform
By Nelly Porter, Senior Product Manager, Google Cloud; Jason Garms, Engineering Director, Google Cloud Security; Sergey Simakov, Technical Program Manager, Google Cloud Security
Protecting data is the number one consideration when running workloads in the cloud. While cloud infrastructures offer numerous security controls, some enterprises want additional verifiable isolation for their most sensitive workloads—capabilities which have become known as confidential computing. Today we’re excited to announce Asylo (Greek for “safe place”), a new open-source framework that makes it easier to protect the confidentiality and integrity of applications and data in a confidential computing environment.
Asylo is an open-source framework and SDK for developing applications that run in trusted execution environments (TEEs). TEEs help defend against attacks targeting underlying layers of the stack, including the operating system, hypervisor, drivers, and firmware, by providing specialized execution environments known as “enclaves”. TEEs can also help mitigate the risk of being compromised by a malicious insider or an unauthorized third-party. Asylo includes features and services for encrypting sensitive communications and verifying the integrity of code running in enclaves, which help protect data and applications.
Previously, developing and running applications in a TEE required specialized knowledge and tools. In addition, implementations have been tied to specific hardware environments. Asylo makes TEEs much more broadly accessible to the developer community, across a range of hardware—both on-premises and in the cloud.
“With the Asylo toolset, Gemalto sees accelerated use of secure enclaves for high security assurance applications in cloud and container environments. Asylo makes it easy to attach container-based applications to securely isolate computations. Combining this with Gemalto’s SafeNet Data Protection On Demand paves the way to build trust across various industry applications, including: 5G, Virtual Network Functions (VNFs), Blockchain, payments, voting systems, secure analytics and others that require secure application secrets. Using Asylo, we envision our customers gaining deployment flexibility across multiple cloud environments and the assurance of meeting strict regulatory requirements for data protection and encryption key ownership.”
— Todd Moore, Senior Vice President of Data Protection at Gemalto
The Asylo framework allows developers to easily build applications and make them portable, so they can be deployed on a variety of software and hardware backends. With Asylo, we supply a Docker image via Google Container Registry that includes all the dependencies you need to run your container anywhere. This flexibility allows you to take advantage of various hardware architectures with TEE support without modifying your source code.
Asylo offers unique benefits over alternative approaches to confidential computing:
With Asylo, we can create the next generation of confidential computing applications together with the community. In version 0.2, Asylo offers an SDK and tools to help you develop portable enclave applications. Coming soon, Asylo will also allow you to run your existing applications in an enclave—just copy your app into the Asylo container, specify the backend, rebuild, and run!
We look forward to seeing how you use, build on, and extend Asylo. Your input and contributions will be critical to the success of the project and ensure Asylo grows to support your needs.
It’s easy to get started with Asylo—simply download the Asylo sources and pre-built container image from Google Container Registry. Be sure to check out the samples in the container, expand on them, or use them as a guide when building your own Asylo apps from scratch.