Leveraging Intel® SGX towards Data Loss Prevention
Data Loss Prevention (DLP) software has a lot to gain from creatively and innovatively leveraging hardware technologies. Intel® SGX is one such technology in Intel's hardware-enabled security product line.
What is Intel® SGX?
Intel® SGX provides a hardware-assisted trusted execution environment, an enclave, within which selected code and data can run securely. It offers the smallest possible attack surface: the trust boundary is the CPU itself.
Widely Covered Use Case:
There has been much talk about leveraging Intel® SGX for secure remote computation, wherein a remote entity, possibly in the cloud, establishes a trusted computing environment, in this case an SGX enclave. It then establishes an identity for that trusted environment. Once that identity is attested, the remote entity becomes eligible to receive secrets from their owner. The provisioned secret can then be processed securely in the remote environment, but only within the trusted enclave.
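The exchange described above (challenge, enclave report, verification, and only then secret provisioning) as an added example that is not part of the original post and uses no SGX hardware or SDK. It simulates the flow in plain Python: the measurement is a hash over a constructed enclave image, and the report tag is an HMAC under a constructed platform key, an assumption standing in for the processor-rooted attestation keys and quoting enclave that real SGX uses.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the attestation key held by the platform (assumption:
# real SGX uses processor-rooted keys and a quoting enclave; a shared HMAC key is
# used here only so the exchange runs offline without any SGX hardware or SDK).
PLATFORM_KEY = secrets.token_bytes(32)

# Constructed enclave images: the build the owner expects, and a tampered copy.
EXPECTED_ENCLAVE = b"enclave-v1: process card data inside enclave"
TAMPERED_ENCLAVE = b"enclave-v1: process card data inside enclave; plus extra code"


def measure(enclave_image: bytes) -> bytes:
    """MRENCLAVE-like measurement: a hash over the code loaded into the enclave."""
    return hashlib.sha256(enclave_image).digest()


def enclave_report(enclave_image: bytes, nonce: bytes) -> dict:
    """Remote (enclave) side: bind the measurement to the verifier's fresh nonce.

    Only the platform key can produce the tag, so a verifier that trusts the
    platform learns which code is running and that the report is fresh rather
    than replayed from an earlier session.
    """
    mr = measure(enclave_image)
    tag = hmac.new(PLATFORM_KEY, mr + nonce, hashlib.sha256).digest()
    return {"mrenclave": mr, "nonce": nonce, "tag": tag}


def verify_report(report: dict, nonce: bytes, expected_mr: bytes) -> bool:
    """Owner (verifier) side: accept only a fresh report for the expected build."""
    if report["nonce"] != nonce:
        return False  # stale or replayed report
    if report["mrenclave"] != expected_mr:
        return False  # different code than the owner agreed to trust
    expected_tag = hmac.new(PLATFORM_KEY, report["mrenclave"] + nonce,
                            hashlib.sha256).digest()
    return hmac.compare_digest(expected_tag, report["tag"])


def provision_secret(enclave_image: bytes, secret: bytes) -> Optional[bytes]:
    """Full exchange: challenge, report, verify, then release the secret or refuse."""
    nonce = secrets.token_bytes(16)                 # owner's challenge
    report = enclave_report(enclave_image, nonce)   # enclave answers
    if not verify_report(report, nonce, measure(EXPECTED_ENCLAVE)):
        return None                                 # identity not attested: no secret
    return secret                                   # in practice sent over a channel bound to the report


if __name__ == "__main__":
    print("expected build receives secret:",
          provision_secret(EXPECTED_ENCLAVE, b"card-key") is not None)
    print("tampered build receives secret:",
          provision_secret(TAMPERED_ENCLAVE, b"card-key") is not None)
```

The point the simulation makes is that the owner never releases the secret on the strength of a claimed identity alone: the measurement must match the build the owner decided to trust, and the nonce must match the current challenge, so a report captured earlier cannot be replayed to obtain the secret a second time.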
Intel® SGX for Data Loss Prevention:
Because cloud services are now so prevalent, the secure remote computation use case has received most of the attention, and Intel® itself may well have designed several aspects of SGX with that use case in mind. This single focus, however, overlooks a wealth of creative ways in which the SGX CPU feature-set extensions themselves could be leveraged, DLP software being one such area.
Its core feature is the ability to earmark selected code and data for execution in a hardened environment where access-control checks enforced at the hardware level prevent those earmarked resources from being accessed by any other layer of software, however privileged it may be. That makes it a perfect fit for DLP software.
Watch out for further discussion, proof of concept and more to demonstrate successful use of Intel® SGX towards DLP.
PCI-DSS woefully inadequate when it comes to in-memory payment card data requirement!
What is common between how Target, Home Depot, Neiman Marcus, Michael's, TJ Maxx, Albertsons, SuperValu, Heartland Payment Systems and Viator got hacked? That is, other than the huge financial loss they all incurred? One thing: they all lost their payment card data by way of a memory-scraping attack, irrespective of how the attacker might have initially gained access to their IT infrastructure.
Memory-scraping attacks have been quite prevalent in the past several years, especially in the payment industry. PCI-DSS sets the standard for how payment card data must be handled. While it is rather specific in several different aspects and enforces specific requirements for how payment card data must be stored on disk and handled while in transit, its requirements for handling the same data while in memory are at best vague and woefully inadequate. Proactively enforcing a specific set of requirements for in-memory payment card data as well would perhaps help prevent payment card related memory-scraping attacks in the future. With that in mind, we submitted an RFE to PCI-DSS requesting that they enforce specific requirements for how in-memory payment card data is handled.
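As an added example (not part of the original post and not the RFE's content), the following Python shows one concrete in-memory handling practice a requirement could ask for, together with the DLP-style check that verifies it: card numbers are kept only in a wipeable buffer, replaced by a salted token as soon as they have been used, and a Luhn-based scan of the buffer confirms that no plaintext PAN remains. The record contents and salt are constructed sample data; the PAN is the public Visa test number, not a real card.

```python
import hashlib
import re

# Runs of 13 to 19 digits not embedded in a longer digit string; the Luhn check
# below discards most non-card numbers (timestamps, order ids) that match by length.
_DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(snapshot) -> list:
    """DLP-style scan of a memory buffer for plaintext card numbers."""
    return [m.group().decode() for m in _DIGIT_RUN.finditer(snapshot)
            if luhn_valid(m.group().decode())]


def tokenize_in_place(record: bytearray, start: int, end: int, salt: bytes) -> str:
    """Replace the PAN at record[start:end] with a salted token, wiping the plaintext.

    A memoryview is used so the digest is computed over the record's own bytes
    and no immutable copy (which could never be zeroed) is created.
    """
    view = memoryview(record)[start:end]
    h = hashlib.sha256(salt)
    h.update(view)
    view[:] = bytes(end - start)             # zero the plaintext where it lived
    return h.hexdigest()


def tokenize_all(record: bytearray, salt: bytes) -> list:
    """Find every PAN in the buffer and tokenize it in place; return the tokens."""
    spans = [(m.start(), m.end()) for m in _DIGIT_RUN.finditer(record)
             if luhn_valid(m.group().decode())]   # collect first, then mutate
    return [tokenize_in_place(record, s, e, salt) for s, e in spans]


def build_record() -> bytearray:
    # Constructed sample of what an application buffer might hold (the 4111...
    # value is the public Visa test PAN; the trailing number is a timestamp that
    # has PAN length but fails the Luhn check).
    return bytearray(b"card=4111111111111111;amount=100;ts=1700000000000")


if __name__ == "__main__":
    rec = build_record()
    print("before:", find_pans(rec))          # ['4111111111111111']
    tokens = tokenize_all(rec, b"example-salt")
    print("tokens:", tokens)
    print("after: ", find_pans(rec))          # []
```

Two design choices carry the point. The PAN lives in a `bytearray` rather than a `bytes` object because a `bytes` value cannot be overwritten, so its plaintext lingers in the heap until the allocator happens to reuse it; and the same scan a DLP tool would run is used as the post-condition, so a test can assert that the buffer holds no card number once the transaction step is done. A real requirement would also bound how long the plaintext may exist and forbid copies into logs or swap, which this snippet does not attempt to cover.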
For access to the RFE we submitted, please email info_at_kryptoguard_dot_com.
Founder of KryptoGuard™ technology initiative, product and services.