
Alibaba Cloud ApsaraDB Confidential Database Empowered By Intel® TDX


Authored by: Yunge Zhu (Intel, Xeon Customer Solution Engineer), Edmund Song (Intel, Principal Engineer), Zhe Fu (Alibaba Cloud, Research Scientist).

Introduction

Data security and privacy protection have become global concerns, especially in the era of cloud computing and big data. As public attention to data security and privacy grows, more countries are strengthening their data protection regulations, such as the European Union's General Data Protection Regulation (GDPR) and China's Personal Information Protection Law (PIPL). Consequently, businesses must be more careful and compliant when processing and storing user data. Against this background, confidential database technology has emerged. Confidential databases address data security end-to-end across application scenarios and have seen rapid development and industry recognition. Alibaba Cloud ApsaraDB Confidential Database, combined with Intel® Trust Domain Extensions (Intel® TDX) and Alibaba Cloud's security defenses, can effectively defend against security threats from both outside and inside the cloud platform, helping protect user data from leakage.

Confidential Computing on Intel® Xeon® Scalable Processors

Reliable Security Engines for Hardware-Based TEE

To help protect data in use and enable confidential computing, Intel has developed two hardware-based security engines: Intel® Software Guard Extensions (Intel® SGX), an application-level isolation technology, and Intel® TDX, a virtual-machine-level isolation technology. Intel® TDX can also be extended to heterogeneous Trusted Execution Environment (TEE) usage for a more comprehensive confidential computing solution. With these two built-in technologies, 5th Gen Intel® Xeon® Scalable processors provide holistic confidential computing capabilities, making it possible for CSPs to offer IaaS, PaaS and SaaS applications in a hardware-based TEE; with Intel® TDX in particular, the protected unit is the whole virtual machine, so existing applications need no modification.

 


Figure 1. Confidential Computing on Intel® Xeon® Scalable Platform

ApsaraDB Confidential Database Enabled with Intel® TDX

Alibaba Cloud ApsaraDB adopts confidential database technology to protect sensitive user data while still transparently supporting all queries, transactions, and other operations. Traditional databases, by contrast, protect each stage of data handling with a separate measure: TLS (Transport Layer Security) for data in transit, TDE (Transparent Data Encryption) for data at rest, and RLS (Row Level Security) for access control. None of these protects data while it is being processed.

  • Confidential Database (Hardware Enhanced Edition): Building on the Confidential Database (Basic Edition), this edition uses TEE technologies such as Intel® SGX and Intel® TDX so that all services of the confidential database run inside a trusted execution environment, isolated from security threats outside the database instance. The trust boundary is limited to the database system components and the underlying guest operating system.


Figure 2. Security Levels of ApsaraDB Cloud Database

Confidential databases (Level 3 and Level 4 in Figure 2) use confidential computing: data is encrypted on the client (user) side and exists only as ciphertext on the untrusted server, yet the database still supports all transactions, queries, analyses, and other operations. This prevents administrators (such as DBAs) and other unauthorized personnel from accessing plaintext, so the data is usable but not visible within the database.

For Level 3 security, Alibaba Cloud has officially released the ApsaraDB Confidential Database Basic Edition of PolarDB MySQL and RDS MySQL. To offer users a stronger option (Level 4), Alibaba Cloud worked with Intel to build the ApsaraDB Confidential Database Hardware Enhanced Edition with Intel® TDX on top of the aforementioned Basic Edition.

ApsaraDB Confidential Database Benefits with Intel® TDX

  • Confidential Computing Isolation: Intel® TDX introduces a new type of virtual guest, the trust domain (TD), built on Intel® Virtual Machine Extensions (Intel® VMX) and Intel® Multi-Key Total Memory Encryption (Intel® MK-TME). A TD is isolated from other TDs, from ordinary VM instances, and from the underlying system software, including the hypervisor. This isolation is enforced by the TDX Module, which runs in a new, more privileged CPU mode, Secure Arbitration Mode (SEAM).
  • Memory Encryption with Outstanding Performance: Intel® TDX encrypts a TD's memory with the memory encryption engine built into the processor's integrated memory controller (IMC), so data is protected while in use without the extra overhead that traditional confidential databases incur for protecting it. By running the database engine inside an Intel® TDX-based TEE, sensitive user data stays protected while the cloud database processes it, while offering outstanding performance compared to traditional data protection methods.
  • Easy-to-Use for Hyperscale Deployment: Lift-and-shift deployment simplifies migrating complex database systems to confidential computing. Intel® TDX also provides the cloud operation capabilities that hyperscale deployments need, such as live migration and TCB upgrades without service interruption. Together these reduce the operation and maintenance cost of confidential databases and improve overall availability.

 


Figure 3. Intel® TDX Technology

 

With Intel® TDX, sensitive user data is always returned to the database client in encrypted form, so even a compromised database account yields only ciphertext. Intel® TDX also encrypts the database's runtime memory. Combined with remote attestation, the Confidential Database Hardware Enhanced Edition of the ApsaraDB family offers an end-to-end secure key distribution mechanism, in which keys are released only to a TD whose attestation has been verified, safeguarding against threats from the platform infrastructure layer.
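The attestation-gated key release that the paragraph above describes, as an added example that is not Alibaba Cloud's or Intel's code: the TD binds an ephemeral ECDH public key into the REPORTDATA field of its quote, the data owner verifies the quote (signature, MRTD allowlist, REPORTDATA binding) before wrapping the MEK to that key, and only the attested TD can unwrap it. Assumptions made for illustration: the quote is reduced to MRTD, REPORTDATA and a signature; an Ed25519 "platform key" stands in for the Intel-certified attestation key and its DCAP/PCS certificate chain, which a real verifier must check; SHA-256 of the ECDH secret replaces HKDF; the measurement value, the "encdb-mek-wrap" label and all function names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Quote stands in for a TDX quote (assumption: a real quote carries many more fields and is
// ECDSA-signed by an Intel-certified attestation key; one Ed25519 "platform key" plays that role here).
type Quote struct {
	MRTD       [32]byte // measurement of the TD image (DB engine + guest OS)
	ReportData [32]byte // caller-chosen bytes bound into the quote: SHA-256 of the TD's ECDH public key
	Sig        []byte   // platform-key signature over MRTD || ReportData
}

func (q Quote) signedBytes() []byte { return append(q.MRTD[:], q.ReportData[:]...) }

// agree parses the peer's P-256 point, runs ECDH and derives the AES-256-GCM wrapping key.
// Production code would run HKDF over the secret plus a transcript hash; SHA-256(secret||label) suffices here.
func agree(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, []byte("encdb-mek-wrap")...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// tdIssueQuote runs inside the TD: generate an ephemeral ECDH key and bind its public half
// into REPORTDATA, so a verified quote vouches for exactly that key.
func tdIssueQuote(platformKey ed25519.PrivateKey, mrtd [32]byte) (*ecdh.PrivateKey, Quote, error) {
	key, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Quote{}, err
	}
	q := Quote{MRTD: mrtd, ReportData: sha256.Sum256(key.PublicKey().Bytes())}
	q.Sig = ed25519.Sign(platformKey, q.signedBytes())
	return key, q, nil
}

// tdUnwrap recovers the MEK from the client's reply; AAD = MRTD ties the blob to the approved measurement.
func tdUnwrap(key *ecdh.PrivateKey, q Quote, clientPub, wrapped []byte) ([]byte, error) {
	gcm, err := agree(key, clientPub)
	if err != nil || len(wrapped) < gcm.NonceSize() {
		return nil, errors.New("malformed reply")
	}
	return gcm.Open(nil, wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():], q.MRTD[:])
}

// ReleaseMEK is the client (data-owner) half. The MEK leaves the client only if the quote
// signature verifies, MRTD is on the allowlist, and REPORTDATA binds the offered TD key.
func ReleaseMEK(platformPub ed25519.PublicKey, allowed map[[32]byte]bool, q Quote, tdPub, mek []byte) (clientPub, wrapped []byte, err error) {
	switch {
	case !ed25519.Verify(platformPub, q.signedBytes(), q.Sig):
		return nil, nil, errors.New("quote signature invalid")
	case !allowed[q.MRTD]:
		return nil, nil, errors.New("MRTD not allowlisted: refusing to release MEK")
	case sha256.Sum256(tdPub) != q.ReportData:
		return nil, nil, errors.New("REPORTDATA does not match the offered TD key")
	}
	clientKey, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := agree(clientKey, tdPub)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return clientKey.PublicKey().Bytes(), gcm.Seal(nonce, nonce, mek, q.MRTD[:]), nil
}

func main() {
	platformPub, platformKey, _ := ed25519.GenerateKey(rand.Reader) // stands in for Intel's attestation key
	good := sha256.Sum256([]byte("encdb-td-image-v1"))               // constructed measurement of the approved DB image
	mek := []byte("00112233445566778899aabbccddeeff")               // placeholder MEK, as in the config later on this page
	tdKey, quote, _ := tdIssueQuote(platformKey, good)
	clientPub, wrapped, err := ReleaseMEK(platformPub, map[[32]byte]bool{good: true}, quote, tdKey.PublicKey().Bytes(), mek)
	if err != nil {
		panic(err)
	}
	recovered, _ := tdUnwrap(tdKey, quote, clientPub, wrapped)
	fmt.Printf("TD recovered MEK %s\n", recovered)
}
```

The order of the three checks matters: a replayed genuine quote presented with an attacker's own key fails the REPORTDATA check, a TD running an unapproved image (wrong MRTD) never receives the key at all, and using MRTD as GCM associated data means a wrapped blob cannot be opened under a measurement other than the one the client approved.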

Furthermore, ApsaraDB Confidential Databases support comprehensive SQL query capabilities and are compatible with standard databases, with performance close to that of plaintext according to TPC-C benchmarks. They offer transparent, seamless client access for applications with no code changes, and are compatible with ecosystem tools such as DTS (Data Transmission Service) and DMS (Data Management Service), facilitating application migration.


Figure 4. ApsaraDB Confidential Database for MySQL

 

Given the above advantages, ApsaraDB Confidential Database can provide stronger protection for data in use and better meet the security needs of the following scenarios:

  • Maintenance Security: In common scenarios where the data owner is the application service provider, the confidential database can prevent database service and operation personnel from accessing business-sensitive data while ensuring the normal operation of the database.
  • Data Security Compliance: In scenarios where the owners of certain data (such as health data and financial data) are the end users themselves, the confidential database can prevent application service providers from accessing the private plaintext data while providing data management and analysis capabilities. Furthermore, in such scenarios, the confidential database can also help application service providers meet compliance requirements for sensitive data processing.
  • Secure and Reliable Multi-party Data Sharing: In scenarios of multi-source data joint analysis, the confidential database can help ensure that each party’s data is not seen or acquired by other parties involved in the multi-party data collaborative computation.

Benefiting from Intel® TDX and Alibaba Cloud confidential database technology, cloud tenants with high security requirements for their cloud databases can adopt the ApsaraDB Confidential Database family to obtain a very high level of data protection.

 


Figure 5. Typical Application Scenarios of Confidential Database

Functional Overview

In Alibaba Cloud ApsaraDB Confidential Database, data remains encrypted throughout its entire lifecycle. Once data exits a trusted environment, it remains in an encrypted state until it reaches authorized recipients. Only at this point, such as within trusted client-side business systems, is the data decrypted. Any direct database connections will only access encrypted data and cannot read plaintext information.

ApsaraDB Confidential Database is supported on Alibaba Cloud RDS MySQL, PolarDB MySQL, RDS PostgreSQL, and PolarDB PostgreSQL. It supports all MySQL syntax, with minimal impact on stability and performance.

End users of the application retain full ownership of the data and have access to plaintext or desensitized information. In contrast, application and database developers and operators can only interact with encrypted data, effectively mitigating the risk of insider threats.

The database allows custom sensitive data rules to be defined, so that critical information such as identity card numbers, addresses, and user phone numbers can be encrypted according to specific needs. The definition of encryption rules can be governed through Alibaba Cloud's RAM (Resource Access Management) system, so that DBAs and developers operate under the principle of least privilege and cannot alter rules or export plaintext data. Once the encryption rules are configured, users can query the database through an ordinary MySQL client; sensitive data is always presented as ciphertext while non-sensitive data appears in plaintext.

 


Figure 6. Direct database connections will only access encrypted data.

Integration into business systems

Integrating ApsaraDB Confidential Database into a business system requires changing only three lines. A client that complies with the Java JDBC standard interface and is based on the community MySQL JDBC driver is provided, enabling seamless integration with frameworks such as Spring, Druid, and MyBatis.

When any SQL query is executed, the ResultSet is prefetched on the JDBC side, decrypted, and then returned to the application, so encryption and decryption are completely transparent to application code. Note that this places the application process, which holds the key and sees plaintext, inside the trust boundary; it must be protected accordingly.

To use the client, include the following dependency in your Maven project.

 

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>aliyun-encdb-mysql-jdbc</artifactId>
  <version>1.0.5</version>
</dependency>

 

Modifying a Spring application takes three steps: replace the original MySQL driver in the configuration file with the client driver (Line 1), change the URL from the community format to the confidential database format (Line 2), and configure the key in the configuration file (Line 3). For key management, Alibaba Cloud KMS can be used instead of a key in the file, which additionally requires configuring Alibaba Cloud AccessKey credentials (AK/SK). Keeping the MEK in a plaintext properties file, as in Line 3 below, makes that file as sensitive as the data it protects: anyone who can read it can decrypt every protected column, so it should stay out of source control and be readable only by the application's service account. Besides Java, SDKs for Go, Python, and other languages are also provided.

 

# Line 1:
# Original driver configuration
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
# New driver configuration
spring.datasource.driver-class-name=com.aliyun.encdb.mysql.jdbc.EncDriver

# Line 2:
# Original URL configuration
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/xxx
# New URL configuration
spring.datasource.url=jdbc:mysql:encdb://127.0.0.1:3306/xxx

# Line 3: master encryption key (MEK), hex-encoded; the value shown is a placeholder, not a key to deploy
MEK=00112233445566778899aabbccddeeff
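What the three configuration lines above buy the application, modelled as an added example (this is not the aliyun-encdb-mysql-jdbc client's code; its wire format and its query support over encrypted data are not reproduced): the MEK from Line 3 keys an AES-GCM cipher on the client side, a rule set names the sensitive table.column cells, values are encrypted before they leave the process, and the ResultSet path decrypts them on the way back, so the server side and any direct connection to it only ever see ciphertext, as in Figure 6. Assumptions: an in-memory map stands in for the MySQL instance; the rule names users.id_card and users.phone, the sample row and all type and function names are constructed; the 16-byte placeholder MEK from the configuration is used as the key, which gives AES-128-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Row is one record as the application sees it. Store is the untrusted server side: a constructed
// in-memory stand-in for MySQL that holds only what the client hands it, so indexing it directly
// is the view a DBA or any direct database connection gets.
type Row map[string]string
type Store map[string][]Row

// Client is a conceptual model of the encdb driver: it holds the MEK and the rules naming the
// sensitive "table.column" cells, and encrypts/decrypts those cells transparently around the store.
type Client struct {
	gcm   cipher.AEAD
	rules map[string]bool
	store Store
}

func NewClient(mek []byte, rules map[string]bool, store Store) (*Client, error) {
	block, err := aes.NewCipher(mek) // rejects anything but a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Client{gcm: gcm, rules: rules, store: store}, nil
}

// seal encrypts one cell (AES-GCM, random nonce prepended, base64 for storage). The AAD binds
// the ciphertext to table.column, so a value copied from "phone" into "id_card" will not decrypt.
func (c *Client) seal(aad, plaintext string) (string, error) {
	nonce := make([]byte, c.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(c.gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))), nil
}

func (c *Client) open(aad, cell string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(cell)
	if err != nil || len(raw) < c.gcm.NonceSize() {
		return "", fmt.Errorf("%s: malformed ciphertext", aad)
	}
	pt, err := c.gcm.Open(nil, raw[:c.gcm.NonceSize()], raw[c.gcm.NonceSize():], []byte(aad))
	if err != nil {
		return "", fmt.Errorf("%s: ciphertext rejected (tampered or moved): %w", aad, err)
	}
	return string(pt), nil
}

// mapRow applies f to the cells the rules mark sensitive; every other cell passes through.
func (c *Client) mapRow(table string, row Row, f func(aad, v string) (string, error)) (Row, error) {
	out := Row{}
	for col, v := range row {
		if aad := table + "." + col; c.rules[aad] {
			var err error
			if v, err = f(aad, v); err != nil {
				return nil, err
			}
		}
		out[col] = v
	}
	return out, nil
}

// Insert encrypts on the way out; Select is the ResultSet path: fetch, decrypt, then return.
func (c *Client) Insert(table string, row Row) error {
	stored, err := c.mapRow(table, row, c.seal)
	if err == nil {
		c.store[table] = append(c.store[table], stored)
	}
	return err
}

func (c *Client) Select(table string) ([]Row, error) {
	var rows []Row
	for _, stored := range c.store[table] {
		row, err := c.mapRow(table, stored, c.open)
		if err != nil {
			return nil, err
		}
		rows = append(rows, row)
	}
	return rows, nil
}

func main() {
	mek, _ := hex.DecodeString("00112233445566778899aabbccddeeff") // the placeholder MEK from the config above
	store := Store{}
	client, _ := NewClient(mek, map[string]bool{"users.id_card": true, "users.phone": true}, store)
	client.Insert("users", Row{"name": "Alice", "id_card": "110101199001011234", "phone": "13800000000"}) // constructed row
	fmt.Println("direct connection sees:", store["users"][0])
	rows, _ := client.Select("users")
	fmt.Println("application sees:      ", rows[0])
	store["users"][0]["id_card"] = store["users"][0]["phone"] // a DBA moves ciphertext between columns
	_, err := client.Select("users")
	fmt.Println("after column move:", err)
}
```

Binding table.column into the associated data is the detail worth keeping: without it, a DBA who cannot read the ciphertext can still move a ciphertext between rows or columns and have the client decrypt it into the wrong context.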

 

Summary and Outlook

Given the increasing focus on securing cloud services, Alibaba Cloud and Intel recognize the importance of fostering the applications and ecosystems that drive broad adoption of confidential computing technology.

Ensuring the security and privacy of customer data is a top priority for cloud service providers, and providing customers with effective data security and privacy protection is one of the most important principles Alibaba Cloud adheres to. By partnering with Intel to bring the confidential computing capabilities of Intel® Xeon® Scalable processors into cloud IaaS, PaaS, and SaaS, Alibaba Cloud offers cloud end users rich data protection and security services. ApsaraDB Confidential Database, based on Intel® TDX, offers stronger data security defenses and clear advantages in application development, functionality, and performance for high-security cloud business scenarios.

Looking to the future, Alibaba Cloud and Intel will further collaborate to create a more secure, open, and reliable cloud computing infrastructure, catering to a broader range of industries and fields.

 

Reference Links:

1. PolarDB MySQL:

https://www.alibabacloud.com/help/en/polardb/polardb-for-mysql/user-guide/confidential-engine (in English)

https://help.aliyun.com/zh/polardb/polardb-for-mysql/user-guide/confidential-engine (in Chinese)

2. RDS MySQL:

https://www.alibabacloud.com/help/en/rds/apsaradb-rds-for-mysql/feature-overview (in English)

https://help.aliyun.com/zh/rds/apsaradb-rds-for-mysql/feature-overview (in Chinese)

About the Author
Yunge is an engineer on the Xeon Customer Solution Team (DCAI China). He focuses on Confidential Computing collaborations with China CSPs and supports Intel customers in enabling Intel SGX and TDX technologies. He is also the maintainer of the Intel open-source project CCZoo: https://github.com/intel/confidential-computing-zoo.