Confidential Computing is a leading-edge security technology that encrypts sensitive data in use in a public cloud, private cloud or on-premises. It completes the data security triangle since data at rest (in storage) and in transit (across networks) is routinely encrypted.

Security teams rely on Confidential Computing to shore up the known vulnerability of unencrypted data in use for existing workloads.

They also include a Confidential Computing strategy as part of their digital transformation roadmap to be able to move more sensitive workloads to the cloud.

According to a research study conducted by the Everest Group, Confidential Computing is the “Next Frontier in Data Security.” It is seen as a holistic data security model that mitigates risk across the data lifecycle and therefore will become a standard for end-to-end security in the next 3-5 years.

The research firm also predicts the market demand for Confidential Computing could potentially double annually due to the increase in cyber risks facing organizations of all sizes, combined with the push from regulators to improve data security and privacy.

Everest Group has already seen a wide range of adoption. For example, companies such as Adidas and PayPal have adopted Confidential Computing for enhanced privacy and security. Credit Suisse, Swisscom and the University of California San Francisco (UCSF) have benefited from the ability to conduct collaborative analysis and modeling without exposing personal information. This type of collaboration with partners – or even competitors or disparate government agencies – is one of Confidential Computing’s biggest benefits. Two or more entities can safely and anonymously combine and analyze big data sets in the cloud to uncover new insights or bring new products to market – or both.

For more get our white paper.

How Confidential Computing works

Security is only as strong as the layers below it, since a breach can come from any layer of the compute stack. Therefore, Confidential Computing takes place within secure hardware environments, also known as trusted execution environments (TEEs). These TEEs are widely available within the CPUs used in today’s modern data centers, including those of Microsoft Azure, Google Cloud and AWS.

(Note: the AWS Nitro Enclaves service does not meet the Confidential Computing Consortium definition, as it does not provide sufficient protection from administrators and operators of the system to ensure they cannot access data or applications.)

Examples of hardware-based TEEs include Intel® SGX and AMD® SEV technologies. These chip-based capabilities essentially become “mini vaults” that can house up to 1 TB of memory to protect both your applications and data in use. They act as a shield between your assets and your cloud provider, malicious parties or compromised workloads.

Trusted Execution Environments:

  • are set up within chips that have specific capabilities
  • protect data in use, a known security vulnerability
  • employ memory page encryption in RAM

The benefits of attestation

The definition of Confidential Computing, per the Confidential Computing Consortium, is “The protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment.”

Paying attention to your attestation process is key to achieving the highest level of security.

Attestation is the process that ensures the TEE instance has been both set up correctly and by a trusted party. Without this step, there is a risk that the TEE could be compromised from the beginning.

During the attestation process, the CPU chip that created the TEE produces a cryptographic measurement of the instance. The measurement is then sent to an attestation service.

Similar to a pilot running through a safety checklist before every takeoff, the attestation service compares the cryptographic measurement against a set of expected values before releasing workloads to the TEE for processing. If the validation fails, workloads remain safely in place.
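The measure, sign, compare and release steps described above, as an added example that is not part of the original article or of any vendor's attestation service. HMAC with a fixed demo key stands in for the per-chip signing key and vendor certificate chain that real hardware uses (an assumption made to keep the example self-contained), and the example adds a nonce freshness check that the article does not mention.

```python
"""Toy attestation flow: measurement -> signed report -> verifier policy check.
Real SGX quotes and SEV reports have different formats and asymmetric signatures."""
import hashlib
import hmac
import json

# Constructed demo value: stands in for the hardware signing key (assumption).
HW_SIGNING_KEY = b"demo-hardware-key-not-real"


def measure(enclave_image: bytes) -> str:
    """Cryptographic measurement of the TEE contents: hash of the loaded code/data."""
    return hashlib.sha256(enclave_image).hexdigest()


def produce_report(enclave_image: bytes, nonce: str) -> dict:
    """What the CPU would emit: the measurement plus the verifier's nonce, signed by the chip."""
    body = {"measurement": measure(enclave_image), "nonce": nonce}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(HW_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_report(report: dict, expected_measurements: set, nonce: str) -> tuple:
    """Attestation service: check the signature, then freshness, then the expected-value set.
    Returns (ok, reason) so a failed check is auditable."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    want = hmac.new(HW_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, report["signature"]):
        return False, "signature invalid: report was not produced by trusted hardware"
    if report["body"]["nonce"] != nonce:
        return False, "stale report: nonce mismatch (possible replay)"
    if report["body"]["measurement"] not in expected_measurements:
        return False, "measurement not in expected set: TEE contents differ from approved build"
    return True, "attested"


def release_workload(report: dict, expected: set, nonce: str, secret: bytes):
    """Hand the workload secret to the TEE only when attestation passes; otherwise None."""
    ok, _reason = verify_report(report, expected, nonce)
    return secret if ok else None
```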

Best practice is for the attestation service to come from a neutral third party

When designing a Confidential Computing strategy, security teams need to be mindful of which party performs the attestation. The most secure option is for a cloud-agnostic solution to verify and provide an attestation for assets managed by other providers. Why? Because verifying assets through a neutral third party offers a more objective approach to measuring risk than relying on a cloud service provider to testify to the security of its own systems.

Using a neutral, third-party attestation service assures the highest level of protection and provides the highest level of assurance to satisfy regulators.

Confidential Computing use cases

Confidential Computing isn’t just for data protection. The TEE can also be used to protect proprietary business logic, analytics functions, machine learning algorithms or entire applications.

According to the Everest Group, over 75% of demand for Confidential Computing services is driven by regulated industries like banking, finance, insurance, healthcare, life sciences, public sector and defense. 

Any organization that handles sensitive data such as Personally Identifiable Information (PII), financial data, or health information needs to mitigate threats that target the confidentiality and integrity of either the application or the data in system memory and should consider employing Confidential Computing technology.

Specifically, organizations use Confidential Computing to:

1. Protect from within 

Security breaches often come from within – whether through human error or malicious intent. Confidential Computing protects data and applications by running them in trusted hardware environments with user-specific access permissions.

2. Collaborate with confidence

Partners, competitors and disparate government agencies can now share and collectively analyze sensitive data using the power of cloud-scale machine learning without exposing the underlying intellectual property. Collaboration at scale solves complex problems and brings new products to market.

3. Extend cloud benefits to more workloads

Confidential Computing makes it possible to move sensitive or industry-regulated workloads to the cloud for new and innovative use cases. For example, banks or insurance companies can combine data to look for patterns of fraud. Pharmaceutical companies can collaborate by anonymously sharing clinical trial data to enhance vaccine efficacy. Government agencies can work together among themselves or in collaboration with the private sector to solve a wide range of problems, from law enforcement to enhancing citizen services.

The Confidential Computing Consortium

The Confidential Computing Consortium (CCC) brings together hardware vendors, cloud providers, and software developers to accelerate the adoption of Trusted Execution Environment (TEE) technologies and standards.

CCC is a project community at the Linux Foundation dedicated to defining and accelerating the adoption of confidential computing. It embodies open governance and open collaboration that has aided the success of similarly ambitious efforts. The effort includes commitments from numerous member organizations, such as Profian, and contributions from several open source projects including Enarx, of which Profian is the custodian.
