Cohesity adds confidential computing to FortKnox

Cohesity is partnering with Intel to bring confidential computing technology to its FortKnox vault service -- a welcome, if limited, security addition, according to experts.

Cohesity's FortKnox, the backup vendor's SaaS vault, now offers new encryption features thanks to a partnership with Intel.

Confidential computing lets FortKnox keep customer data encrypted while it is in memory within the Cohesity Cloud Platform, further securing the data used for restoration. The capability uses Intel's Software Guard Extensions (SGX), the chipmaker's confidential computing technology. With SGX, data is decrypted only inside a hardware-enforced trusted execution environment (TEE) on the processor, so neither the plaintext nor the cryptographic keys are visible to other parts of the stack, such as the host operating system or hypervisor, which reduces the possible attack surface, according to Intel.

Cohesity's cloud platform handles the confidential computing process to eliminate effects on performance, and the feature comes at no extra charge for FortKnox customers. FortKnox, which uses AWS and Microsoft Azure for storage, is priced according to the amount of data under management and cloud storage consumed.

Cohesity's confidential computing feature is unique among backup vendors, according to analysts. Most confidential computing deployments focus on protecting data while it is actively in use in memory, said Christophe Bertrand, an analyst at TechTarget's Enterprise Strategy Group.

"It's a good example of what can be done if you combine technologies at every level of an architecture here," Bertrand said. "It confirms the fact [that a vendor] can't do it alone. They need an ecosystem of partners."

Encryption on a chip

Confidential computing is useful for backup technology as it enables customers to further guarantee the data is free of corruption or infection vectors, said Raj Das, vice president of platform product management at Cohesity.

Customers who have to use data stored in FortKnox are likely recovering from a ransomware attack, he said, so customers want to ensure the data they are recovering is free of infection.

"FortKnox is your last known good state to recover from in the case of ransomware," Das said. "When you want to recover, you want to make sure that copy is good."

The capability should also improve protection against exfiltration, as the data remains encrypted while it is processed, even from privileged users such as cloud administrators, according to Das. Cohesity customers can also use the Intel Trust Authority service to further verify that the protection is in place. The service performs remote attestation: it verifies the hardware-signed report an Intel TEE produces for the code running inside it, confirming that the report came from genuine Intel hardware and that the measured code is the expected program.
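As an added illustration, not code from Cohesity, Intel or the article, here is the attestation check described above reduced to its essentials: a Go model in which the "hardware" signs a report containing a measurement of the enclave code and a verifier-chosen nonce, and a verifier checks the signature against a pinned hardware key, the nonce, the debug flag and an allowlist of approved measurements. The Report layout, the direct hand-over of the hardware public key and the sample build strings are assumptions made for the example; real SGX quotes carry many more fields and the signing key's certificate chains back to Intel rather than being fetched from the hardware object.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a simplified attestation report body: the fields the TEE hardware
// signs. Illustrative model only, not Intel's quote format.
type Report struct {
	Measurement [32]byte // hash of the enclave code (stands in for MRENCLAVE)
	Nonce       [32]byte // verifier-chosen challenge bound into the report
	Debug       bool     // true if the enclave was launched debuggable
}

// serialize returns the bytes that are hashed and signed.
func (r Report) serialize() []byte {
	out := make([]byte, 0, 65)
	out = append(out, r.Measurement[:]...)
	out = append(out, r.Nonce[:]...)
	if r.Debug {
		return append(out, 1)
	}
	return append(out, 0)
}

// Quote is what the enclave hands to a remote verifier.
type Quote struct {
	Report Report
	Sig    []byte // ASN.1 DER ECDSA signature over SHA-256(Report.serialize())
}

// Hardware models the CPU's attestation key. On real silicon the key is
// provisioned to the processor and its certificate chains to the vendor.
type Hardware struct{ key *ecdsa.PrivateKey }

func NewHardware() (*Hardware, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Hardware{key: k}, nil
}

// PublicKey is the root of trust the verifier pins (assumption: handed over
// directly here; a real verifier validates a vendor certificate chain).
func (h *Hardware) PublicKey() *ecdsa.PublicKey { return &h.key.PublicKey }

// Attest measures the enclave code and signs the report with the hardware key.
func (h *Hardware) Attest(code []byte, nonce [32]byte, debug bool) (Quote, error) {
	r := Report{Measurement: sha256.Sum256(code), Nonce: nonce, Debug: debug}
	digest := sha256.Sum256(r.serialize())
	sig, err := ecdsa.SignASN1(rand.Reader, h.key, digest[:])
	if err != nil {
		return Quote{}, err
	}
	return Quote{Report: r, Sig: sig}, nil
}

// Verifier plays the role of the attestation service / relying party.
type Verifier struct {
	trustedKey *ecdsa.PublicKey
	allowed    map[[32]byte]bool // measurements of code builds we accept
}

func NewVerifier(pub *ecdsa.PublicKey, goodBuilds ...[]byte) *Verifier {
	v := &Verifier{trustedKey: pub, allowed: map[[32]byte]bool{}}
	for _, b := range goodBuilds {
		v.allowed[sha256.Sum256(b)] = true
	}
	return v
}

// Verify checks, in order: the signature verifies under the pinned hardware
// key, the quote answers our nonce (not a replay), the enclave is not
// debuggable, and the measured code is one we have approved.
func (v *Verifier) Verify(q Quote, nonce [32]byte) error {
	digest := sha256.Sum256(q.Report.serialize())
	if !ecdsa.VerifyASN1(v.trustedKey, digest[:], q.Sig) {
		return errors.New("signature does not verify under the trusted hardware key")
	}
	if q.Report.Nonce != nonce {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if q.Report.Debug {
		return errors.New("enclave launched in debug mode")
	}
	if !v.allowed[q.Report.Measurement] {
		return errors.New("measurement not in allowlist")
	}
	return nil
}

func main() {
	hw, err := NewHardware()
	if err != nil {
		panic(err)
	}
	good := []byte("enclave build v1.2 (constructed sample)") // constructed sample
	v := NewVerifier(hw.PublicKey(), good)
	var nonce [32]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	q, _ := hw.Attest(good, nonce, false)
	fmt.Println("approved build:", v.Verify(q, nonce))
	q2, _ := hw.Attest([]byte("tampered build"), nonce, false)
	fmt.Println("unknown build:", v.Verify(q2, nonce))
}
```

The order of the checks matters: the signature is verified before any field of the report is trusted, the nonce defeats replay of an old but genuine quote, and the allowlist is what ties "genuine hardware" to "the program we expect", which is the part an attestation service such as Intel Trust Authority lets a relying party delegate.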

The vendor is looking to expand this confidential computing technology and partnership with Intel in the future, Das said, through private cloud and on-premises offerings.

Soon to be standard

Confidential computing in backup services could be seen as a step too far for some enterprise IT organizations, according to Todd Thiemann, an analyst at Enterprise Strategy Group.

Offering the capability to customers as part of the FortKnox suite is valuable, he said, but he doesn't anticipate customers going out of their way to create or demand similar features within backup software.

Plus, confidential computing can create incompatibilities between systems. CPU hardware from Intel, AMD and Arm each uses its own form of encryption technology, which could make encrypted data from an Intel-based system unusable by an AMD-based system, Thiemann said. A performance lag is also possible if the implementation runs directly within a customer's environment.

"I don't anticipate it being so widespread unless there's a threat that gives everybody pause," Thiemann said. "If you're super paranoid about security, you may want to do this."

Some incompatibilities can be eliminated through software abstraction from third-party vendors such as Fortanix or Anjuna, he added.

Data pilferers aren't likely to go after data in use by the computer's memory or CPUs, said Marc Staimer, founder and president of Dragon Slayer Consulting. The difficulty in the hack isn't worth it compared with gaining access to an application itself and its associated data stores through phishing or ransomware, he added.

"It's possible but highly unlikely someone is going to steal the data from the computer memory," Staimer said. "It's much easier if you're stealing from the application."

Cohesity's offering provides added protection, Staimer said, but Intel-powered encryption capabilities will likely become a hardware standard in the near future.

"This gives [Cohesity] the cachet they're good with cyber resilience," he said. "[But confidential computing] is going to become a feature within CPUs."

Tim McCarthy is a news writer for TechTarget Editorial covering cloud and data storage.