UPDATED 13:00 EDT / MAY 03 2018

Google open-sources Asylo, a confidential computing framework for isolating cloud-based apps

Google Inc. is touting a better way for enterprises to secure their cloud applications and corresponding data in what it calls a confidential computing environment.

The company is pitching an open-source framework it has just released called Asylo, which is designed to provide greater isolation for sensitive cloud workloads.

Google engineers Nelly Porter, Jason Garms and Sergey Simakov explained that Asylo encompasses a framework and software development kit for building applications that run in trusted execution environments. Also known as TEEs, these environments are designed to ensure that attacks against underlying layers of the information technology stack, such as the hypervisor or operating system, won’t be able to impact the application or steal any of its data. TEEs can also protect against so-called “insider attacks” by workers who might be holding a grudge against their employer.

Google anticipates that Asylo will be given a warm welcome by developers, since TEEs have always required specialized knowledge and tools to build, and most are tied to specific hardware environments. With Asylo, TEEs are suddenly much more accessible because it makes them easy to build atop any hardware, either in the cloud or on-premises.

In addition, Asylo provides services that let developers encrypt sensitive communications to and from their apps more easily. Asylo can also verify the integrity of code running in enclaves, which are the specialized execution environments created by TEEs.

“The Asylo framework allows developers to easily build applications and make them portable, so they can be deployed on a variety of software and hardware backends,” the Google engineers said. “With Asylo, we supply a Docker image via Google Container Registry that includes all the dependencies you need to run your container anywhere. This flexibility allows you to take advantage of various hardware architectures with TEE support without modifying your source code.”

Google said the main advantages of using Asylo instead of other confidential computing methods include ease of use, since it doesn’t require developers to learn any new skills or rewrite their existing applications. The other important advantage is greater portability and flexibility: Asylo-based applications don’t need to be aware of the specifics of their TEE implementation.

Holger Mueller, principal analyst at Constellation Research Inc., agreed that those benefits should appeal to lots of enterprises because there’s a clear demand for secure and tamperproof environments in which they can run their next-generation applications in the public cloud.

“In the past, offerings in this space usually created a hardware dependency, so it’s good to move to the next level with a software dependency to create a TEE,” Mueller said. “Adoption of this new offering beyond Google Cloud Platform will be the key area for executives to watch, as cloud lock-in is the last thing they want to have to incur while moving to more secure computing platforms. If that’s the price to pay, the answer will differ from enterprise to enterprise, but for now it’s good to see the innovation and new options to run next-gen apps in a more secure way.”

Asylo will soon be available via GitHub. Google said it’s planning to introduce version 0.2 of the framework soon, complete with a software development kit developers can use to build enclave applications.
