Secure Enclaves: What They Are and What to Look for in a Solution
Cyber threats are ubiquitous these days, and companies are scrambling to find better ways to protect themselves. But in the world of cybersecurity, not all data is equal, which begs the question: What data should I protect?
For instance, it’s one thing to protect routine customer orders, but credit card numbers deserve extra protection. Likewise, access to sensitive financial information related to mergers, acquisitions, or IPOs needs to be limited to a small group of people. The problem is that it’s impractical to give every piece of information the level of protection necessary to support a small subset of sensitive data.
Enter secure enclaves - a new approach businesses are taking to identify, isolate and protect highly-sensitive information.
What is a Secure Enclave?
Modern computing devices often have a special hardware chip dedicated to storing critically important information like encryption keys and hashes. In PCs, this is a Trusted Platform Module (TPM), while in mobile devices like Androids and iPhones, it’s called a Secure Enclave. These devices wrap an extra layer of protection around critical information within a secure system.
This concept extends to other scenarios. For example, a bank building or jewelry store is secure, but the safe or vault inside is highly secure. A secure enclave is an ultra-secure space within a larger secured system. Secure enclaves are being extended to data storage in organizations to identify highly sensitive information and protect it in a dedicated, purpose-built secure repository.
In a previous blog, we explored the concept of classifying data into sensitivity levels to protect it. Level 0 is public information, level 1 is routine company information, and level 2 is sensitive company information that may be restricted to a department. Level 3 is highly sensitive information that could jeopardize the health of the entire company if leaked. Level 3 information is often restricted to executives or only critical employees and is highly regulated. An example is Controlled Unclassified Information (CUI): government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. The leakage of this type of data would have a direct impact on national security.
In the context of an investment firm, the exposure of level 3 information on pending deals, mergers and acquisitions, or IPO information could destroy an organization financially. For most businesses, the exposure of employee personal information, such as human resources files and PII, can harm those individuals.
In all cases, the risk of harm has led authorities to create regulations and standards to protect the information. For example, credit cards are protected by PCI-DSS, personal health information is protected by HIPAA, while FINRA and SOC 2 protect financial information. CMMC contract requirements protect CUI/FCI associated with DoD projects.
Why a Secure Enclave?
There is a reason a bank vault is made of metal, but the entire bank is not. It’s prohibitively expensive to secure everything when only a small amount of material needs extra protection. In the same way, having a secure enclave within your data environment is a sensible way to protect the information that really needs it without spending large sums of money to protect every piece of data.
Reducing the scope of a highly secure data repository can also simplify compliance by narrowing the implementation of access and sharing controls on a smaller system rather than the entire enterprise. Regular users who don’t need access to sensitive data don’t need to be encumbered by additional security restrictions, policies, technology, and training. And administration, reporting, and monitoring become easier and more focused on a smaller attack surface.
What To Look For in a Solution?
A secure enclave doesn’t have to be limited to simple file storage. By including appropriate capabilities inside the secure environment, it can also serve as a capable workspace for employees who need to work with highly sensitive information. Here’s a rundown of what you need to look for:
A Trusted Workspace For Users To Collaborate
To work with sensitive information, your users need to collaborate within the space. They will need flexible document search and access across a range of devices. They will also need document version control for co-edits, comments, and annotations.
Native integrations with applications users are already familiar with, like Google Workspace and Microsoft 365, will reduce the learning curve. Users will also need to share sensitive data under carefully controlled situations, so features like preview-only, expiring links, watermarking, file-level passwords, and recipient revocation are required to support the sharing use case.
Look for solutions that provide:
- Flexible document search to find the “needle in a haystack” document quickly
- Access across a wide range of devices to be able to work from home or the office
- Document version control for co-edits, comments, and annotations so that users can revert back to previous versions if mistakes are made
Advanced Security & Access Controls
Secure enclaves require advanced security controls that protect the data and control access. Critical components include data protection features like encryption (at-rest and in-flight) and auditable activity logs, along with role-based access controls (RBAC) with tools to manage groups and users. Advanced analytics are required to detect and prevent unauthorized access and anomalous insider behaviors.
In addition to monitoring and managing user behavior, tools that find sensitive data and automate lifecycle policies, including retention, archival, and deletion (RAD) are very important to support a legally defensible retention policy.
Look for solutions that provide:
- File encryption, access control, and auditable activity logs to control and understand who accesses the system and how
- Centralized policy controls for restricting permissions to users and groups to enable control over who can see sensitive documents and what they can do with those documents
- Analytics to detect and prevent unauthorized access and anomalous insider behavior to limit and provide early detection of insider threats
- Preview-only, file-level passwords, expiring links, watermarking, encrypted file delivery, and recipient revocation allow users to customize access to particular business needs.
Sensitive File Lifecycle Management
Even with controls in place to govern sensitive information, old, forgotten files still present a liability, both in space consumed and in the risk of compromise. Therefore, you’ll need a process to automatically delete or archive old files while maintaining a retention policy to preserve files that still need to be accessed. Just as important, you’ll need to be able to automate policies for archival, retention, and deletion to limit any administrative burden.
Look for solutions that provide:
- Archiving of obsolete and sealed documents to reduce storage costs and protect you from exposure of those documents if hacked
- Automated document retention and deletion based on the contents of each document and not solely on location or metadata.
- Audit trail and e-discovery policies for critical documents to support discovery for legal matters
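As an added illustration (not Egnyte's code), the sketch below shows what content-based retention, archival, and deletion can look like when tied to the level 0 to 3 scheme described earlier: two files in the same folder and of the same age get different outcomes because of what they contain. The retention periods, the keyword markers, the mapping of card numbers to level 3, and the `legal_hold` parameter are all assumptions made for the example.

```python
import re
from datetime import date

# Assumed policy, not from the article: level -> (archive_after_days, delete_after_days)
POLICY = {0: (365, 730), 1: (365, 1095), 2: (180, 1825), 3: (90, 2555)}

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")           # candidate card numbers
CUI_RE = re.compile(r"^\s*(?:CUI|CONTROLLED)\b", re.M)   # CUI banner at start of a line
DEPT_RE = re.compile(r"\b(?:confidential|internal only)\b", re.I)  # assumed level 2 markers
PUBLIC_RE = re.compile(r"\bapproved for public release\b", re.I)   # assumed level 0 marker

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> int:
    """Return a sensitivity level (0-3) from document content alone."""
    if CUI_RE.search(text):
        return 3
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(text)):
        return 3                             # assumption: card data is treated as level 3
    if DEPT_RE.search(text):
        return 2
    return 0 if PUBLIC_RE.search(text) else 1

def lifecycle_action(text: str, last_modified: date, today: date,
                     legal_hold: bool = False) -> str:
    """Decide retain / archive / delete from content-derived level and file age."""
    if legal_hold:                           # hypothetical flag: a hold blocks any change
        return "retain"
    archive_after, delete_after = POLICY[classify(text)]
    age = (today - last_modified).days
    if age >= delete_after:
        return "delete"
    return "archive" if age >= archive_after else "retain"

# Constructed samples: same folder, same age, different content.
SAMPLES = {
    "orders/a.txt": "Order 1000234 shipped. Card on file: 4111 1111 1111 1111",
    "orders/b.txt": "Order 1000235 shipped. Tracking 4111111111111112",
}

if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(path, classify(body),
              lifecycle_action(body, date(2020, 6, 1), date(2024, 1, 1)))
```

The Luhn check is what keeps the tracking number in the second sample from being treated as card data; a pattern match alone would flag both files.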
Flexible Deployment
A system that can be configured and deployed easily, with the ability to scale as large as possible in the future without disruption, is very important. This would include intuitive, automatic migration tools, and the ability to purchase only the storage and seats you need for your business.
Look for solutions that provide:
- Options to purchase only the seats you need, for the people that need them
- Deployment in a private cloud or on-premises solutions
- Fast upload and bulk upload of information so that migration is simple and large projects can be managed easily and quickly
- A technically-isolated environment embedded within a wider ecosystem
Egnyte’s Secure Enclaves
Egnyte takes a multi-cloud approach to secure enclaves by supporting data stored in the most common storage repositories such as Google, SharePoint, OneDrive, Box, or Dropbox. Egnyte can scan those sources and discover critically sensitive information where it resides. Once located, the system can monitor the sensitive data where it lives, or migrate it to a more secure environment if needed.
Egnyte’s secure enclave solutions provide:
- Secure and controlled environments for sensitive data sharing and management
- Inherited security controls from a pre-built reference architecture
- Isolated environments that limit compliance scope
If you are an existing Egnyte customer, you can get additional information about secure enclaves for storing data associated with U.S. federal government projects and CMMC solutions for Department of Defense projects. Egnyte continues to innovate in this space, and you’ll hear announcements about more secure enclave solutions in the coming future.