# IBM Cloud Data Shield

*Enable runtime memory encryption for Kubernetes containers, without modifying applications*

Links: [[IBM]], [[Confidential Computing]], [[SGX]]

- Is [[SGX]] based
- "automatically converts code to be compatible with SGX"
- [Docs](https://cloud.ibm.com/docs/data-shield)
  - Getting started
  - Configuring the Enclave Manager
  - Deploying apps with the Enclave Manager
  - Deploying apps with the API
- [Sample apps](https://github.com/ibm-cloud-security/data-shield-reference-apps)

## [IBM Cloud Data Shield](https://www.ibm.com/cloud/data-shield) (Main page)

IBM Cloud Data Shield enables users to run containerized applications in a secure enclave on an IBM Cloud Kubernetes Service host, providing data-in-use protection. IBM Cloud Data Shield supports user-level code to allocate private regions of memory, called enclaves, that are protected from processes running at higher privilege levels.

### Benefits

**Facilitates a cloud model**
IBM Cloud Data Shield helps organizations with sensitive data deploy and benefit from cloud computing.

**Secures containerized apps**
IBM Cloud Data Shield can run containerized apps in secure enclaves on IBM Cloud Kubernetes Service.

**Increases visibility**
IBM Cloud Data Shield offers better visibility into node security attributes.

**Supports DevOps**
IBM Cloud Data Shield easily integrates with DevOps pipelines.

**Delivers scalability and high availability**
IBM Cloud Data Shield uses IBM Cloud Kubernetes Service to bring scalability and high availability to SGX workloads.

### Blog posts (from 2018) about related products

- [Intel SGX bare metal servers on IBM Cloud](https://www.ibm.com/cloud/blog/data-use-protection-ibm-cloud-using-intel-sgx): Learn about data-in-use protection on IBM Cloud by way of Intel SGX.
- [Intel SGX in IBM Cloud Kubernetes](https://www.ibm.com/cloud/blog/data-in-use-protection-on-ibm-cloud-kubernetes-service-using-intel-sg): Learn about IBM SGX bare metal worker nodes for IBM Cloud Kubernetes Service.

## [Case study for IBM Cloud Data Shield](https://www.ibm.com/cloud/smartpapers/confidential-computing-for-total-privacy-assurance/#data-shield-case-study)

The tech startup had a breakthrough idea for bringing affordable electricity to remote parts of Africa. Blockchain technologies, built on confidential computing, were key to that vision, providing robust data security in the cloud.

The team found a solution in IBM Cloud. Unlike many cloud architectures, IBM Cloud bare metal servers can use an Intel technology called Intel Software Guard Extensions (SGX). SGX enables confidential computing by creating an encrypted “enclave” within the server’s memory that allows applications to process data without other users of the system being able to read it.

But building applications that can take advantage of SGX is complex and time-consuming. To get the platform to market quickly, Irene Energy’s developers needed to find a shortcut.

IBM Cloud Data Shield helped with the complexity of building SGX-enabled apps. [IBM Cloud Data Shield](https://www.ibm.com/cloud/data-shield) enabled Irene Energy to containerize its applications and run them on SGX-enabled bare metal worker nodes within [IBM Cloud Kubernetes Service](https://www.ibm.com/cloud/kubernetes-service).

==Instead of requiring Irene Energy to design its applications specifically for SGX, IBM Cloud Data Shield automatically converts the code to be compatible with the SGX features. It also provides a catalog of preoptimized components that are designed for developers to easily plug into their applications.== For example, Irene Energy was able to integrate its application with an NGINX web server and a MariaDB database from the catalog within just a few hours.

[**Read the full case study**](https://www.ibm.com/case-studies/irene-energy-hybrid-cloud-blockchain/) (6 minute read)