Fortanix Builds Hardware Security Wall Around Plaintext Search

Fortanix is bringing hardware security technology to database search with Confidential Data Search, with the goal to help organizations process highly sensitive data in databases. Fortanix's technology uses confidential computing technologies to allow data to be searched within the hardware vault.

Various encryption schemes and technologies are used to protect data while at rest and while being transported between systems. Confidential computing provides layers of hardware protection so that data remains secure even while it is being processed. Data is stored in a secure hardware vault, authorized parties need a code to unlock the vault, and the data is processed inside without ever leaving the vault.

Advancements in chip technology have made it possible to build these secure vaults directly inside chips. The chip makers have also baked in hardware mechanisms called attestation, which ensures only authorized parties can access data in secure vaults.

Homomorphic encryption is typically used when banks and other large enterprises need to offer the ability to search the database without exposing the unencrypted information, because that scheme allows users to work directly on encrypted data without turning it into plaintext. However, that form of encryption may not be the best for some types of searches, says Richard Searle, vice president of confidential computing at Fortanix. He notes that homomorphic encryption search gets slower and complicated with complex query requests.

"You need to perform that search in plaintext, and the only way to do that is within the confidential computing trusted execution environment, where it is shielded from the outside, there's no human access, no external application access, no operating system access," Searle says. "You can run the query in the same way as you would in an unsecured world."

Searle also notes that in many cases, vendors using homomorphic encryption are working with nonstandard hardware — not off-the-shelf Intel Xeon CPUs or standard server blades.

Fortanix also supports Intel's Trust Domain Extension (TDX) module, which is a confidential computing technology suited for artificial intelligence (AI) applications. Companies can feed diverse information into secure vaults to enhance proprietary AI learning models. The third-party data set can be allowed to enter and exit the vault, with no information retained or stolen.

Developing a Market for Confidential ComputingThe market will have to prove Fortanix's technology, and the company will have to show a dramatic performance improvement or dramatic cost savings to gain a foothold, says James Sanders, principal analyst at CCS Insight."The technology behind this is secondary to the value it must demonstrate to enterprise buyers," he says.But Fortanix is in a solid position to educate the market about confidential computing, which is still new."The maxim 'don't roll your own security' applies here, " Sanders says. "Banks and hospitals are not going to write their own [confidential computing] stacks, and a validated third-party option will help to increase the exposure and utilization of those confidential computing technologies."The Fortanix technology can be implemented on-premises or in the cloud with some form of confidential computing hardware enablement, including Intel Secure Guard Extension (SGX) and AMD's SEV-SNP. A tool called Data Security Manager manages the confidential computing deployment."We handle all of the deployment of the database at the interface for you," Searle says. "You do not need to get involved in implementation. It is an automated deployment based on the policy controls within Data Security Manager."