Cloud privacy startup Edgeless Systems GmbH has announced what it claims is the industry’s first “Confidential Kubernetes” distribution, called Constellation.
Launched today as an open-source release, Constellation is based on the idea of confidential computing and allows companies to keep their Kubernetes clusters verifiably shielded from the cloud infrastructure they run on using end-to-end encryption.
Confidential computing is a fairly recent initiative in the technology world that protects data while it is being processed: workloads run inside hardware-isolated environments whose memory stays encrypted, and the hardware can prove to a remote party which code is running there. It is often described as the final piece of the data-encryption puzzle, since cloud providers already encrypt data at rest and data in transit. Until recently, data had to be exposed in plaintext to the host in order to be processed, and many experts saw that as a glaring hole in the data-encryption landscape. Confidential computing closes it.
As for Kubernetes, it is a key platform underpinning most modern applications today. It orchestrates large fleets of software containers, the units in which the components of an application are packaged so that they can run on any computing platform.
Edgeless Systems recognizes there’s a “massive requirement” for confidential computing at enterprises today as their cloud infrastructures increasingly span multiple, diverse environments. As a result, developers are forced to manage numerous security and compliance concerns. One of the best ways to ensure security and compliance is to simply prevent people from being able to access the data that’s being processed, and that’s what Constellation offers for Kubernetes users.
Constellation shields workloads and the control plane from the underlying infrastructure, ensuring that all data is encrypted at rest, in transit and in use. What’s more, the integrity of the whole cluster can be remotely verified through attestation rooted in hardware certificates, Edgeless Systems said.
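The remote verification described above rests on a simple idea: each node reports measurements of what it booted, the hardware signs that report together with a challenge from the verifier, and the verifier checks the signature against a key it trusts before comparing the measurements with the values it expects. The Go program below is an added example written for this page, not Constellation's own code, and it simplifies real TPM or TEE attestation: one measurement register instead of many, a bare ECDSA key standing in for the vendor-certified attestation key, and constructed event names ("firmware-v1", "node-image-2022.09") in place of real boot components. It shows why the check does not depend on trusting the infrastructure operator: registers can only be extended, never rewritten, the quote is bound to a fresh nonce, and a swapped node image, a forged key or a replayed quote are all rejected.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Measurement models a TPM PCR: it can only be extended, never set or rolled back.
type Measurement [32]byte

// MeasureBoot replays an ordered boot event log from a zero register using the
// PCR extend rule new = SHA-256(old || SHA-256(event)); the verifier runs the same
// function over a known-good log to obtain the value it expects.
func MeasureBoot(events [][]byte) Measurement {
	var m Measurement
	for _, e := range events {
		eh := sha256.Sum256(e)
		m = sha256.Sum256(append(m[:], eh[:]...))
	}
	return m
}

// Quote is a simplified attestation statement: registers plus the verifier's nonce,
// signed by an attestation key that only the hardware can use.
type Quote struct {
	Nonce     []byte
	Registers map[uint32]Measurement
	Sig       []byte // ASN.1 ECDSA signature over quoteDigest
}

// quoteDigest serialises nonce and registers canonically (sorted by index) so that
// signer and verifier hash exactly the same bytes.
func quoteDigest(nonce []byte, regs map[uint32]Measurement) [32]byte {
	idx := make([]uint32, 0, len(regs))
	for i := range regs {
		idx = append(idx, i)
	}
	sort.Slice(idx, func(a, b int) bool { return idx[a] < idx[b] })
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(len(nonce)))
	buf.Write(nonce)
	for _, i := range idx {
		binary.Write(&buf, binary.BigEndian, i)
		v := regs[i]
		buf.Write(v[:])
	}
	return sha256.Sum256(buf.Bytes())
}

// SignQuote stands in for the hardware: it signs the current registers together with
// the challenge nonce, so a quote cannot be precomputed or replayed.
func SignQuote(ak *ecdsa.PrivateKey, nonce []byte, regs map[uint32]Measurement) (*Quote, error) {
	d := quoteDigest(nonce, regs)
	sig, err := ecdsa.SignASN1(rand.Reader, ak, d[:])
	if err != nil {
		return nil, err
	}
	return &Quote{Nonce: nonce, Registers: regs, Sig: sig}, nil
}

var ErrBadSignature = errors.New("quote not signed by the trusted attestation key")
var ErrStaleNonce = errors.New("quote nonce does not match challenge (replay?)")
var ErrPolicy = errors.New("measurement differs from expected value")

// VerifyQuote is the remote verifier's check: hardware-rooted signature first, then
// freshness, then every register named in the policy against its expected value.
func VerifyQuote(trusted *ecdsa.PublicKey, challenge []byte, policy map[uint32]Measurement, q *Quote) error {
	d := quoteDigest(q.Nonce, q.Registers)
	if !ecdsa.VerifyASN1(trusted, d[:], q.Sig) {
		return ErrBadSignature
	}
	if !bytes.Equal(q.Nonce, challenge) {
		return ErrStaleNonce
	}
	for i, want := range policy {
		if got, ok := q.Registers[i]; !ok || got != want {
			return fmt.Errorf("%w: register %d", ErrPolicy, i)
		}
	}
	return nil
}

func main() {
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the hardware's attestation key
	good := [][]byte{[]byte("firmware-v1"), []byte("kernel-5.15"), []byte("node-image-2022.09")} // constructed log
	policy := map[uint32]Measurement{0: MeasureBoot(good)}
	nonce := []byte("constructed-challenge-nonce")
	q, _ := SignQuote(ak, nonce, map[uint32]Measurement{0: MeasureBoot(good)})
	fmt.Println("honest node:  ", VerifyQuote(&ak.PublicKey, nonce, policy, q))
	// The infrastructure swaps the node image: the register differs and cannot be
	// rolled back, so even a correctly signed quote fails the policy.
	good[2] = []byte("node-image-backdoored")
	q2, _ := SignQuote(ak, nonce, map[uint32]Measurement{0: MeasureBoot(good)})
	fmt.Println("tampered node:", VerifyQuote(&ak.PublicKey, nonce, policy, q2))
	fmt.Println("replayed:     ", VerifyQuote(&ak.PublicKey, []byte("fresh-nonce"), policy, q))
}
```

In a real deployment the "trusted" public key is not handed to the verifier directly: it is validated against the hardware vendor's certificate chain, which is what makes the verification hardware-rooted, and the expected measurements come from a signed release manifest rather than a hard-coded event list. The order of checks also matters: the signature is verified before anything in the quote is interpreted, so an attacker who controls the infrastructure cannot steer the verifier with unsigned content.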
At launch, Constellation works with both Google Cloud and Microsoft Azure, with support for Amazon Web Services and OpenStack also on the horizon. Constellation is also a certified Kubernetes distribution under the conformance program of the Cloud Native Computing Foundation, the neutral body that governs the development of the open-source Kubernetes project.
Edgeless Systems Chief Executive Felix Schuster said the company is building open-source infrastructure to support the confidential computing revolution. “The hardware and features required for Constellation mostly weren’t even available in the cloud 12 months ago, but we started the necessary work to ensure Kubernetes users can secure all their data — in rest, in transit and now in use,” he explained. “By making Constellation available to everyone, we can help accelerate the adoption of more secure cloud computing workloads.”
Besides data encryption, Constellation enhances Kubernetes workload security in other ways. For instance, it supports Sigstore-based attestation of Kubernetes nodes and artifacts, as well as automatic and configuration-free encryption of cloud storage and node-to-node networking.
These capabilities add up to what Edgeless Systems insists is “breakthrough security and data protection” for Kubernetes workloads, preventing anyone from accessing clusters via the underlying infrastructure. So not even a privileged cloud administrator or an advanced persistent threat within the infrastructure is able to access the data inside Constellation.
The big advantage of Constellation, then, is that it enables enterprises to move their most sensitive Kubernetes-based workloads to the cloud. Software providers, for example, will be able to offer more secure software-as-a-service platforms to their customers.
Holger Mueller of Constellation Research Inc. said enterprises have a keen interest in protecting next-generation applications that run in the cloud, and that confidential computing is a key strategy to enable this.
“The question then is how can software containers and Kubernetes, the platforms on which these apps are built, be shielded from the cloud infrastructure they are running on?” Mueller said. “Now we have the entry of Edgeless Systems, with a unique take on Kubernetes that’s fully shielded from the cloud infrastructure it runs on. Edgeless Systems comes from Germany, a nation known for its extreme sensitivity regarding data protection, so it’s no surprise to see them leading the way.”
Edgeless Systems said Constellation is available on GitHub for anyone to download, starting today.