Accelerate Cloud Adoption While Managing Risk
Security teams rely on Confidential Computing to shore up the known vulnerability of unencrypted data in use for existing workloads.
Many regulated industries, such as financial services, government and healthcare, also include a Confidential Computing strategy as part of their digital transformation roadmap as it allows them to move sensitive workloads to the cloud while meeting regulatory compliance standards.
A SHIELD FOR DATA IN USE
How Confidential Computing Works
Security is only as strong as the layers below it since a breach can come from any layer of the compute stack. Therefore, Confidential Computing takes place within secure hardware environments, also known as trusted execution environments (TEEs). These TEEs are widely available within the CPUs used in today’s modern data centers, including Microsoft Azure, GoogleCloud and AWS.
Examples of hardware-based TEEs include IntelⓇ SGX secure enclaves and AMDⓇ SEV technologies. These chip-based capabilities essentially become “mini vaults” that can house up to 1 TB of memory to protect both your applications and data in use. They act as a shield between your assets and your cloud provider, malicious parties or compromised workloads.
Trusted Execution Environments:
can be set up within chips that have specific capabilities
protect data in use, a known security vulnerability
employ memory page encryption in RAM
Confidential Computing, or encrypting data in use within a hardware environment, completes the data security triangle since data at rest (in storage) and in transit (across networks) are routinely encrypted.
Simply put, Confidential Computing is today’s gold standard for cloud security. It should be implemented for current workloads to shore up known vulnerabilities to protect your customers and your reputation.
BEYOND CONFIDENTIAL COMPUTING
Trust, but Verify, with Attestation
The definition of Confidential Computing, per the Confidential Computing Consortium, is simply “The protection of data in use by performing computation in a hardware-based Trusted Execution Environment.”
However, paying attention to your attestation process is key to achieving the highest level of security for your operations.
Attestation is the process that ensures the TEE instance has been both set up correctly and that it was set up by a trusted party. Without this step, there is a possible risk that the TEE could be compromised from the beginning.
During the attestation process, the CPU chip that created the TEE produces a cryptographic measurement of the instance. The measurement is then sent to an attestation service.
Similar to a pilot running through a safety checklist before every takeoff, the attestation service compares the cryptographic measurement against a set of expected values before releasing workloads to the TEE for processing. If the validation fails, workloads remain safely in place.
Best practice is for the attestation service to come from a neutral third-party
When designing a Confidential Computing strategy, security teams need to be mindful as to which party performs the attestation. The most secure option is for a cloud-agnostic solution to verify and provide an attestation for assets managed by other providers. The reason for this approach is that verifying assets through a neutral third-party offers enterprises a more objective approach to measuring risk than relying on a cloud service provider to testify to the security of their own systems.
Using a neutral, third-party attestation service assures the highest level of protection for data and applications and provides the highest level of assurance to satisfy regulators.
Confidential Computing Use Cases
According to a research study conducted by the Everest Group, Confidential Computing is the “Next Frontier in Data Security,” with over 75% of demand for Confidential Computing services driven by regulated industries like banking, finance, insurance, healthcare, life sciences, public sector and defense.
It is seen as a holistic data security model that mitigates risk across the data lifecycle and therefore will become a standard for end-to-end security in the next 3-5 years.
The Everest Group recommends any organization handling sensitive data needs to mitigate threats that target the confidentiality and integrity of either the application or the data in system memory and should consider employing Confidential Computing technology.
Personally Identifiable Information (PII)
High security government data and projects
Move sensitive workloads to the cloud
Cloud computing is the platform for innovation and organizations have long relied on it for scale, cost savings and speed to market.
Confidential Computing creates a secure platform for organizations to move more sensitive workloads to the cloud, and even to combine and analyze massive data sets with partners or competitors for new business use cases. With the assurance that neither party will be able to see or access the data once encrypted, Cloud-powered AI and machine learning can be applied to solve problems and bring new ideas to market.
Use Cases for Regulated Industries
Combine data sets between financial institutions to:
- Collaborate on anti-money laundering programs
- Analyze loan applications and grant approvals
- Track credit histories and generate credit scores
Work across government agencies for:
- Better intelligence analysis to prevent crime
- Insights to improve public health policies
- Monitoring and using digital currencies
Collaborate between competitors, providers and hospitals to:
- Combine vaccine trial data to further research
- Detect and prevent insurance fraud
- Run machine learning processes on sensitive information without
compromising patient data