Application and Compute Node Policy Enforcement

Introduction

Users can control which applications are allowed to run on which nodes, primarily through the use of application and node labels in the form of “Key:Value” pairs. This is enforced by having the Fortanix Confidential Computing Manager (CCM) only issue application certificates for nodes that satisfy the Fortanix CCM Application and Compute Node Policy.

Policy

When labels are added for an application, we are adding requirements to the application and these labels become the "required" labels. When the same labels are added to the compute nodes, we are adding labels that can be provided by the compute node on which the application will run once the compute node is enrolled in Fortanix CCM. The attached labels of an application and compute node will be compared when Fortanix CCM issues a certificate to an application and if all the required application labels match with the provided compute node labels then a certificate for the application on the compute node will be issued. In the case of a label mismatch, no such certificate will be issued. This can be seen in the logs of the application.

Hence, for an application to be allowed to run on a compute node, the set of provided compute node labels must be a superset of the set of required application labels.

Currently, the policy is enforced only when we issue certificates. So, if the policy changes after a certificate was issued, that certificate will not be revoked, it will remain valid until it expires.

Rules to be Satisfied

In order for Fortanix CCM to issue a certificate for an application image to run on a compute node, the following rules must be satisfied.

Basic security rules:
- The compute node has been attested to be an SGX-capable node running Node Agent.
- An instance of the application image has been attested to be running on the compute node.
Manual approvals:
- The image has been approved by a manager.
- The requested domain for the certificate (that is, its subject common name) has been approved by a manager.
- The compute node is still active (that is, it has not been deactivated).
Label-based rules:
- For each key-value label associated with the application, the compute node must have the same key with the same value.

Application and Compute Node Policy Enforcement

Introduction

Policy

Rules to be Satisfied

PLATFORM

Key Insight

Data Security Manager™

Confidential Computing Manager

Enclave Development Platform®

Request A demo

Contact Us

Free Trial

SOLUTIONS

AWS KMS External Key Store (XKS)

Google External Key Manager

Bring Your Own Key (BYOK)

HSM Modernization

Multicloud Key Management

Post Quantum Cryptography

Code Signing

Secrets Management

Tokenization Transparent

Database Encryption

Filesystem Encryption

Confidential Data Search

Confidential AI

Healthcare

Banking & Financial Services

Fintech

Manufacturing

Web 3.0

Federal Government

RESOURCES

Blog

Whitepapers

Datasheets

Solution Briefs

Ebooks

Reports

Case Studies

Webinars

University

Media Kit

Newsletters

COMPANY

About

Careerswe’re hiring

Customers

Partners

Awards

Events

Press

News

Services

Support

FAQ

4.6