Application and Compute Node Policy Enforcement


1.0 Introduction

Users can control which applications are allowed to run on which nodes, primarily through the use of application and node labels in the form of Key:Value pairs. Fortanix Confidential Computing Manager (CCM) enforces this by issuing application certificates only to nodes that comply with the Application and Compute Node Policy.

2.0 Policy

Labels added to an application become its "required" labels: each one is a requirement the application places on the node it runs on. Labels added to a compute node are the "provided" labels: the properties that node offers to applications once it is enrolled in Fortanix CCM. When Fortanix CCM issues a certificate to an application, it compares the application's required labels with the compute node's provided labels. If every required application label is matched by a provided compute node label, a certificate for the application on that compute node is issued. If any label does not match, no certificate is issued, and the refusal is visible in the application's logs.

Hence, for an application to be allowed to run on a compute node, the set of provided compute node labels must be a superset of the set of required application labels.

Currently, the policy is enforced only at the time of certificate issuance. If the policy changes after a certificate has been issued, that certificate is not revoked and remains valid until it expires.

2.1 Rules to be Satisfied

In order for Fortanix CCM to issue a certificate for an application image to run on a compute node, the following rules must be satisfied:

  • Basic security rules:

    • The compute node has been attested to be a Nitro-capable node running Node Agent.

    • An instance of the application image has been attested to be running on the compute node.

  • Manual approvals:

    • The image has been approved by a manager.

    • The requested domain for the certificate (that is, its subject common name) has been approved by a manager.

    • The compute node is still active (that is, it has not been deactivated).

  • Label-based rules:

    • For each key-value label associated with the application, the compute node must have the same key with the same value.
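The following is an added example, not Fortanix CCM's own code or data model, that shows the label rule of sections 2.0 and 2.1 as a runnable check: labels are parsed from `Key:Value` strings, the required application labels are tested against the provided compute node labels (the superset condition), and the remaining rules of section 2.1 are evaluated together so that every reason for refusing a certificate is reported. The names `ComputeNode`, `CertificateRequest`, `evaluate_policy` and the sample label sets are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


def parse_labels(pairs):
    """Parse 'Key:Value' strings into a dict.

    The split is on the first colon, so a value may itself contain colons.
    Malformed entries (no colon, empty key) are rejected rather than ignored,
    because a silently dropped required label would weaken the policy.
    """
    labels = {}
    for pair in pairs:
        key, sep, value = pair.partition(":")
        if not sep or not key:
            raise ValueError(f"malformed label {pair!r}; expected Key:Value")
        labels[key] = value
    return labels


def missing_labels(required, provided):
    """Required labels the node does not satisfy: key absent or value differs.

    Keys and values are compared exactly; 'region:eu' does not satisfy
    'region:EU'. Extra labels on the node are irrelevant (superset rule).
    """
    return {k: v for k, v in required.items() if provided.get(k) != v}


def labels_satisfied(required, provided):
    return not missing_labels(required, provided)


@dataclass
class ComputeNode:
    # Assumed attributes mirroring the rules in section 2.1.
    attested_nitro_with_node_agent: bool
    active: bool
    labels: dict = field(default_factory=dict)


@dataclass
class CertificateRequest:
    image_approved: bool
    domain_approved: bool
    app_attested_on_node: bool
    app_labels: dict = field(default_factory=dict)


def evaluate_policy(req, node):
    """Return (issue, reasons): issue is True only when every rule holds.

    All rules are checked so that an operator sees every failing condition,
    not just the first one.
    """
    reasons = []
    if not node.attested_nitro_with_node_agent:
        reasons.append("compute node not attested as Nitro-capable with Node Agent")
    if not req.app_attested_on_node:
        reasons.append("application instance not attested on this compute node")
    if not req.image_approved:
        reasons.append("application image not approved by a manager")
    if not req.domain_approved:
        reasons.append("requested certificate domain not approved by a manager")
    if not node.active:
        reasons.append("compute node has been deactivated")
    for key, value in missing_labels(req.app_labels, node.labels).items():
        reasons.append(f"required label {key}:{value} not provided by compute node")
    return (not reasons, reasons)


# Constructed sample data for a stand-alone run.
SAMPLE_APP_LABELS = parse_labels(["region:eu-west", "tier:prod"])
SAMPLE_NODE_LABELS = parse_labels(["region:eu-west", "tier:prod", "rack:42"])


def demo():
    node = ComputeNode(True, True, SAMPLE_NODE_LABELS)
    req = CertificateRequest(True, True, True, SAMPLE_APP_LABELS)
    return evaluate_policy(req, node)


if __name__ == "__main__":
    ok, why = demo()
    print("issue certificate:", ok, why)
```

`missing_labels` returns the exact labels that failed, which is the information an operator needs when an application's log reports a refused certificate: either the node lacks the key or its value differs.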