How to Build a Secure Enclave on AWS

How to Build a Secure Enclave on AWS

Over the last few years there has been significant security improvements in public clouds. For example, AWS now offers transparent data encryption, key management and secure compute features. Unfortunately, even with the advances in public cloud computing, organizations like financial institutions have been unable to leverage these services because many analysts work in secure facilities that have no Internet access.

 By integrating a Software Defined Perimeter and Trust Assessment technology, Indecium’s solution can unlock the agility and cost benefits of public clouds for organizations that must operate in secure facilities. Data analysts working in physically isolated locations can now connect to Secure Enclaves in public clouds without compromising the integrity of their environment.
 Indecium’s solution utilizes the Software Defined Perimeter (SDP) to create a secure application layer encrypted connection from the authorized user’s device directly to the protected application in the public cloud. The authorization for trusted connectivity is typically managed using Active Directory in the data center. Connectivity between the data center and public cloud is either via IPSec or MPLS (or more recently SD-WAN).

Secure Enclaves perform like an internal data center application from a performance and connectivity aspect. Conceptually Secure Enclaves provide a new compute model in which the “cloud is migrating inside the regulated data center” versus the existing “migrating to the cloud” design.

    • A Secure Enclave has many interesting security attributes that differentiate from existing hybrid public-private cloud designs. First, one of primary barriers that regulated entities have when utilizing public cloud is that access to cloud resources is not allowed due to the risk of unauthorized data access.


      •The Secure Enclave ensures only users at facilities controlled by the enterprise who also have valid data center access can access protected applications.


      Second, a new generation of laterally moving malware which is able to destroy or steal data by pivoting thru the authorized user’s device needs to be blocked. 

       •Indecium’s solution utilizes a Software Defined Perimeter (SDP) application layer connection model that blocks laterally moving malware.

      Our solution allows the strict partitioning and role based access that is a standard feature of regulated data centers to be re-created in public cloud environments


      For entities like financial and government agencies the Secure Enclave is a significant breakthrough as it allows them to benefit from the agility and cost benefits of the AWS commercial marketplace.


      Stay tuned as we share our lessons learned addressing challenges with confidentiality and the cloud by signing up for our updates.