Most organizations encrypt data at rest and in transit – but leave it exposed during use. Learn why protecting “data in use” is the next cybersecurity frontier and how BrunnrDB’s encrypted runtime secures sensitive data during active processing.
Closing the Encryption Gap: Protecting Data While It’s Being Used
The Missing Layer of Encryption
Organizations have become experts at protecting data when it’s stored (“at rest”) and when it’s transmitted (“in transit”). Yet the moment that data is actively processed (“data in use”) remains one of the most overlooked and vulnerable phases in the entire security lifecycle.
Data in use refers to information currently being processed in a system’s memory, where it must be decrypted to perform operations. At this point, data is often momentarily exposed in plaintext – visible to privileged users, malware, or even hypervisor-level attackers. As more workloads migrate to shared cloud or virtualized environments, that exposure window becomes a growing target.
Why It Matters
Traditional encryption methods protect storage and communication channels but require temporary decryption before computation. During that brief interval, personally identifiable information (PII), intellectual property, or transaction data exists unencrypted in memory – an opportunity for attackers to inspect or tamper with sensitive values.
In regulated sectors such as finance, healthcare, and government, these risks compound due to insider threats and shared-cloud workloads. The latest version of the NIST Cybersecurity Framework (CSF 2.0) even adds “Protect Data in Use” as a specific control – an acknowledgment that the problem is now mainstream.
The implication is clear: data-in-use protection is no longer a luxury; it’s a necessity.
How Modern Technologies Address the Challenge
- Confidential Computing (Hardware-Based Enclaves)
The industry’s most recognized approach to data-in-use protection is Confidential Computing, which relies on hardware-based Trusted Execution Environments (TEEs) built into CPUs. These enclaves isolate computations in secure regions of the processor that even the operating system, hypervisor, or cloud provider can’t access.
Cloud platforms including Azure, Google Cloud, and AWS now offer confidential virtual machines and containers that allow organizations to process data in untrusted environments with confidence.
- Privacy-Enhancing Computation Techniques
Other emerging methods, such as Fully Homomorphic Encryption (FHE) and Secure Multi-Party Computation (MPC), enable computations on encrypted data without decryption. While powerful, these approaches are often too resource-intensive for production systems today.
- BrunnrDB: A Software-Based Encrypted Runtime
Where hardware enclaves and advanced cryptography may fall short in flexibility or performance, BrunnrDB introduces a practical software-driven solution.
Instead of depending on vendor-specific CPUs, BrunnrDB executes all database operations inside a cryptographically enforced runtime that functions like a software enclave. The database is divided into independently encrypted “chunks,” each verified through a circular signing scheme that cryptographically links every chunk to its predecessor and successor.
During query execution, data is decrypted only within this secure runtime. Plaintext is never stored or aggregated – it only exists transiently in system memory – eliminating opportunities for inspection or leakage by privileged processes.
BrunnrDB’s unique software architecture is compatible with standard server environments and WebAssembly runtimes, allowing secure database operations even on commodity infrastructure.
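The chunked, circularly signed layout described above, as an added illustration in Go. This is not BrunnrDB's code: the chunk format, the use of AES-256-GCM per chunk, and the HMAC-over-neighbour-digests link are assumptions made for this example. Each record is encrypted on its own, every chunk's link commits to its own digest plus those of its predecessor and successor (indices wrap, so the last chunk ties back to the first), and a single chunk is decrypted only after the whole ring verifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Chunk is one independently encrypted unit (hypothetical layout, not BrunnrDB's):
// AES-GCM ciphertext with auth tag appended, plus the HMAC link to both neighbours.
type Chunk struct {
	ID                      uint32
	Nonce, Ciphertext, Link []byte
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its chunk id, so a chunk cannot simply be re-labelled.
func aad(id uint32) []byte { return []byte(fmt.Sprint(id)) }

// chunkDigest is the fingerprint a neighbour commits to: id, nonce and ciphertext.
func chunkDigest(c Chunk) []byte {
	d := sha256.Sum256(append(append(aad(c.ID), c.Nonce...), c.Ciphertext...))
	return d[:]
}

// linkTag is HMAC(macKey, self || prev || next) with wrap-around indices, so the
// last chunk is tied back to the first and the links form a closed ring.
func linkTag(macKey []byte, chunks []Chunk, i int) []byte {
	n := len(chunks)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(chunkDigest(chunks[i]))
	mac.Write(chunkDigest(chunks[(i+n-1)%n]))
	mac.Write(chunkDigest(chunks[(i+1)%n]))
	return mac.Sum(nil)
}

// SealChunks encrypts each record on its own (AES-256-GCM), then closes the ring.
func SealChunks(encKey, macKey []byte, records [][]byte) ([]Chunk, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	chunks := make([]Chunk, len(records))
	for i, rec := range records {
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		id := uint32(i)
		chunks[i] = Chunk{ID: id, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, rec, aad(id))}
	}
	for i := range chunks {
		chunks[i].Link = linkTag(macKey, chunks, i)
	}
	return chunks, nil
}

// VerifyRing checks every chunk's position and link without decrypting anything.
// It returns the index of the first failing chunk, or -1 when the ring is intact.
func VerifyRing(macKey []byte, chunks []Chunk) int {
	for i, c := range chunks {
		if c.ID != uint32(i) || !hmac.Equal(c.Link, linkTag(macKey, chunks, i)) {
			return i
		}
	}
	return -1
}

// OpenChunk decrypts one chunk only after the whole ring verifies, so plaintext
// exists just for the chunk a query touches and is never aggregated.
func OpenChunk(encKey, macKey []byte, chunks []Chunk, i int) ([]byte, error) {
	if bad := VerifyRing(macKey, chunks); bad >= 0 || i < 0 || i >= len(chunks) {
		return nil, fmt.Errorf("refusing to open chunk %d (first failing link: %d)", i, bad)
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, chunks[i].Nonce, chunks[i].Ciphertext, aad(chunks[i].ID))
}

func main() {
	encKey := []byte("0123456789abcdef0123456789abcdef") // constructed demo keys only
	macKey := []byte("fedcba9876543210fedcba9876543210")
	chunks, err := SealChunks(encKey, macKey, [][]byte{[]byte("acct=1001;bal=250.00"), []byte("acct=1002;bal=75.10"), []byte("acct=1003;bal=9.99")})
	if err != nil {
		panic(err)
	}
	pt, err := OpenChunk(encKey, macKey, chunks, 1)
	fmt.Printf("chunk 1 -> %q, err=%v\n", pt, err)
	chunks[1].Ciphertext[0] ^= 0x01 // simulate in-memory modification of one chunk
	fmt.Println("first failing link after tamper:", VerifyRing(macKey, chunks))
}
```

Because each link covers both neighbours, an in-place modification of chunk k is reported at chunk k-1 (the first link that reads k's digest), while swapping, inserting or dropping a chunk anywhere surfaces at chunk 0, whose predecessor or successor digest no longer matches. What the ring gives is integrity and ordering of the stored chunks plus a refusal to decrypt anything once it breaks; the confidentiality of the transient plaintext still rests on the runtime boundary itself, which this illustration does not model.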
Real-World Applications
- Cloud Services: Confidential instances on Azure, AWS, and Google Cloud can now host workloads that use data-in-use protection for highly sensitive analytics or customer data.
- Financial & Healthcare Systems: Banks and healthcare providers can process regulated transactions or patient records without exposing data to administrators or cloud operators.
- AI & Machine Learning: Encrypted enclaves allow proprietary models to be trained or queried securely, reducing the risk of data leakage or model inversion attacks.
- Edge Computing & IoT: Lightweight, software-based enclaves protect runtime secrets and firmware keys in constrained devices that can’t rely on specialized hardware.
Challenges and the Road Ahead
Despite rapid advances, organizations still face hurdles to broad adoption of data-in-use protection:
- Performance tuning: Balancing security isolation with low-latency operations
- Trust in attestation services: Ensuring that remote verification of enclaves or runtimes is secure and vendor-neutral
- Standardization: Achieving compatibility across different hardware, hypervisors, and runtimes
- Integration: Embedding data-in-use protection seamlessly into modern DevSecOps pipelines
Still, the momentum is unmistakable. As frameworks like NIST CSF 2.0 and zero-trust architectures evolve, protecting data during processing will soon be a baseline requirement, not a differentiator.
Key Takeaway: Closing the Gap
Data breaches rarely result from one weak link – they result from one unguarded phase. Encryption at rest and in transit addresses two-thirds of the problem; the last third – data in use – demands equal attention.
BrunnrDB closes this final gap through a software-enforced, enclave-like runtime that secures every operation inside an encrypted boundary. Data remains protected from storage to computation, delivering end-to-end confidentiality without hardware dependence or major application changes.
Ready to explore how BrunnrDB secures data in use?
Next in the Series → The Lifecycle of a Hacked Database – and Why Aggregated Data Takes the Biggest Hit