HOME

TheInfoList



Click Here for Items Related To - data in use
OR:
data in use on:   [Wikipedia]   [Google]   [Amazon]

Data in use is an
information technology Information technology (IT) is a set of related fields within information and communications technology (ICT), that encompass computer systems, software, programming languages, data processing, data and information processing, and storage. Inf ...
term referring to active
data Data ( , ) are a collection of discrete or continuous values that convey information, describing the quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted for ...
which is stored in a non-persistent digital state or
volatile memory Volatile memory, in contrast to non-volatile memory, is computer memory that requires power to maintain the stored information; it retains its contents while powered on but when the power is interrupted, the stored data is quickly lost. Volatile ...
, typically in computer
random-access memory Random-access memory (RAM; ) is a form of Computer memory, electronic computer memory that can be read and changed in any order, typically used to store working Data (computing), data and machine code. A random-access memory device allows ...
(RAM),
CPU cache A CPU cache is a hardware cache used by the central processing unit (CPU) of a computer to reduce the average cost (time or energy) to access data from the main memory. A cache is a smaller, faster memory, located closer to a processor core, whi ...
s, or CPU registers. Scranton, PA data scientist Daniel Allen in 1996 proposed ''data in use'' as a complement to the terms '' data in transit'' and ''
data at rest Data at rest in information technology means data that is housed physically on computer data storage in any digital form (e.g. cloud storage, file hosting services, databases, data warehouses, spreadsheets, archives, tapes, off-site or cloud backu ...
'', which together define the three states of
digital data Digital data, in information theory and information systems, is information represented as a string of Discrete mathematics, discrete symbols, each of which can take on one of only a finite number of values from some alphabet (formal languages ...
.


Alternative definitions

Data in use refers to data in computer memory. Some cloud
software as a service Software as a service (SaaS ) is a cloud computing service model where the provider offers use of application software to a client and manages all needed physical and software resources. SaaS is usually accessed via a web application. Unlike o ...
(SaaS) providers refer to data in use as any data currently being processed by applications, as the CPU and memory are utilized.


Concerns

Because of its nature, data in use is of increasing concern to businesses, government agencies and other institutions. Data in use, or memory, can contain sensitive data including digital certificates, encryption keys, intellectual property (software algorithms, design data), and
personally identifiable information Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person. The abbreviation PII is widely used in the United States, but the phrase it abbreviates has fou ...
. Compromising data in use enables access to encrypted data at rest and data in motion. For example, someone with access to random access memory can parse that memory to locate the encryption key for data at rest. Once they have obtained that encryption key, they can decrypt encrypted data at rest. Threats to data in use can come in the form of
cold boot attack In computer security, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random-access memory (RAM) ...
s, malicious hardware devices,
rootkit A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the exist ...
s and bootkits.


Full memory encryption

Encryption, which prevents data visibility in the event of its unauthorized access or theft, is commonly used to protect Data in Motion and Data at Rest and increasingly recognized as an optimal method for protecting Data in Use. There have been multiple projects to encrypt memory. Microsoft
Xbox Xbox is a video gaming brand that consists of four main home video game console lines, as well as application software, applications (games), the streaming media, streaming service Xbox Cloud Gaming, and online services such as the Xbox networ ...
systems are designed to provide memory encryption and the company PrivateCore presently has a commercial software product vCage to provide attestation along with full memory encryption for x86 servers.GCN, John Moore, March 12, 2014:"How to lock down data in use -- and in the cloud"
/ref> Several papers have been published highlighting the availability of security-enhanced x86 and ARM commodity processors.M. Henson and S. Taylo
"Beyond full disk encryption:protection on security-enhanced commodity processors"
"Proceedings of the 11th international conference on applied cryptography and network security", 2013 In that work, an
ARM Cortex-A8 The ARM Cortex-A8 is a 32-bit processor core licensed by ARM Holdings implementing the ARM architecture, ARMv7-A architecture. Compared to the ARM11, the Cortex-A8 is a dual-issue superscalar processor, superscalar design, achieving roughly twic ...
processor is used as the substrate on which a full memory encryption solution is built. Process segments (for example, stack, code or heap) can be encrypted individually or in composition. This work marks the first full memory encryption implementation on a mobile general-purpose commodity processor. The system provides both confidentiality and integrity protections of code and data which are encrypted everywhere outside the CPU boundary. For x86 systems, AMD has a Secure Memory Encryption (SME) feature introduced in 2017 with
Epyc Epyc (stylized as EPYC) is a brand of multi-core x86-64 microprocessors designed and sold by AMD, based on the company's Zen microarchitecture. Introduced in June 2017, they are specifically targeted for the server and embedded system market ...
. Intel has promised to deliver its Total Memory Encryption (TME) feature in an upcoming CPU.


CPU-based key storage

Operating system kernel patches such as TRESOR and Loop-Amnesia modify the operating system so that CPU registers can be used to store encryption keys and avoid holding encryption keys in RAM. While this approach is not general purpose and does not protect all data in use, it does protect against cold boot attacks. Encryption keys are held inside the CPU rather than in RAM so that data at rest encryption keys are protected against attacks that might compromise encryption keys in memory.


Enclaves

Enclaves enable an “enclave” to be secured with encryption in RAM so that enclave data is encrypted while in RAM but available as clear text inside the CPU and CPU cache. Intel Corporation has introduced the concept of “enclaves” as part of its Software Guard Extensions. Intel revealed an architecture combining software and CPU hardware in technical papers published in 2013.


Cryptographic protocols

Several cryptographic tools, including secure multi-party computation and
homomorphic encryption Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output th ...
, allow for the private computation of data on untrusted systems. Data in use could be operated upon while encrypted and never exposed to the system doing the processing.


See also

* Also see Alternative Definition section of Data At Rest *
Homomorphic encryption Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output th ...
is a form of encryption that allows computation on ciphertexts. *
Zero-knowledge proof In cryptography, a zero-knowledge proof (also known as a ZK proof or ZKP) is a protocol in which one party (the prover) can convince another party (the verifier) that some given statement is true, without conveying to the verifier any information ...
is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x. * Secure multi-party computation is a method for parties to jointly compute a function over their inputs while keeping those inputs private. *
Non-interactive zero-knowledge proof Across the many fields concerned with interactivity, including information science, computer science, human-computer interaction, communication, and industrial design, there is little agreement over the meaning of the term "interactivity", but ...
(NIZKs) are zero-knowledge proofs that require no interaction between the prover and verifier. * Format-preserving encryption (FPE), refers to encrypting in such a way that the output (the ciphertext) is in the same format as the input (the plaintext) * Blinding is a cryptography technique by which an agent can provide a service to a client in an encoded form without knowing either the real input or the real output. * Example privacy-enhancing technologies


References

{{Reflist Computer data Cryptography