Abstract
Various techniques exist for securing containers in a multi-tenanted environment, from encrypted virtual machines through to Intel SGX application enclaves. However, these seem best suited to stateless workloads. How can persistent data be handled in a zero-trust environment when the underlying kernel is an inherent part of the data path and implements the filesystem?
This talk describes the state of the art and discusses current implementation options. It covers work that is ongoing and looks even further out to the CHERI research project from the University of Cambridge with its promise of fine-grained data access controls through hardware capabilities.
- An overview of the techniques for securing containers in a multi-tenanted environment
- Implementation techniques that can be used to provide access to persistent data
- An introduction to relevant ongoing projects and research