Most webservices require a SQL database as a backend to store data. Such a SQL database typically contains data that must be kept confidential. For example, this database might contain social security numbers, credit card information, and in some cases, even passwords. Clearly, such database needs to be protected from unauthorized accesses to keep this data not only confidential but also to ensure the integrity of this data.
The standard approach to run such a database in the cloud is to run a database inside a Virtual Machine (VM) that runs on top of a Physical Machine (PM). Each VM runs its own operating system and the PM runs a host OS and a hypervisor that multiplexes the PM between the VMs. Evidence is, demonstrating that the standard approach is unable to provide the level of protection that many applications need. SERECA has some unique features - or Unique Selling Points (USP) - that provide superior protection also from priveleged users (e.g. the system administrator or the cloud provider) and privileged software (e.g. the OS or the Hypervisor). These are briefly described in the following
- USP-1: SERECA platform keeps the application keys confidential
A good database will support transparent encryption of all files it stores in the file system. Moreover, it will encrypt all traffic to/from its clients, typically, using TLS. Nevertheless, this is not sufficient to keep the data confidential: First, the database needs to store the encryption key for its encrypted files as well and the key for its TLS certificate. Such keys could be stored in a key store but to retrieve a key, one tries to restrict access to the keys to the database only. However, anybody with root access on the VM can also gain also access to these keys. Second, anybody with root access on the PM, can also gain access to these keys - either by impersonating root on the VM or by just dumping the in memory content of processes running in the VM.
Running the database in the SERECA platform will keep the keys of the database confidential. Only the database can access to its keys – neither the root user on the VM nor the root user on the PM has access to these keys.
- USP2: SERECA keeps the in-memory state confidential
Instead if trying to retrieve the encryption keys of the database, a root user could just dump the in memory state of the database to get access to confidential data like encryption keys, passwords and credit card numbers. The SERECA platform keeps all in memory data encrypted and only the application itself has access to the memory.
- USP3: SERECA protects the integrity of applications
Another way to gain access to the data of the database would be to modify the database such that the modified database logs or even modifies confidential data. The Sereca platform protects the integrity of the application, i.e., only the unmodified database program can access the data.
- USP4: SERECA ensures end-to-end security
To protect the confidentiality and integrity of the data, we need to ensure that all data transferred via the network, at rest in the storage system and being processed by the application is protected. The SERECA platform protects all steps and can transparently protect all steps in case the application misses some protection like, for example, file encryption. In our use case, the database can protect the integrity and confidentiality of the files. However, SERECA provides faster encryption and hence, we use the SERECA provided file encryption mechanism.
- USP5: SERECA platform provides application-oriented security
Traditionally, to trust an application, we need to trust the complete system stack, i.e., the hypervisor, the operating system of the host system, the operating system of the VM and all users with root access to these components. In the SERECA platform, we only need to trust the application and its libraries: the SERECA platform provides application-oriented security. SERECA itself is part of the libraries linked with the application.
- USP6: SERECA applies a very light-weight deployment mechanisms
VMs contain a complete operating system. VM image sizes of these operating systems are hundreds of megabytes: the most recent CentOS (Sept 2016) is 857MB large while the most recent Ubuntu image is 310MB large. SERECA uses containers instead of VMs. Containers are OS-based virtualization mechanism. They are typically considered less secure than VMs. However, SERECA ensures the security of containers. In comparison, the image size of the containers are quite small: 2MB for busybox or 5MB for alpine. We ship SERECA secure containers with minimal image sizes.
- USP7: SERECA ensures ease-of-use
SERECA uses a wrapper around the Docker engine to deploy applications. Docker is very popular since it simplifies the deployment of cloud native applications. The SERECA platform provide the same installation mechanism but for application with end-to-end security. In this use case, we demonstrate how to deploy a database with the SERECA platform.