Recently, someone asked me about the relationship between Confidential Computing and Zero Trust at the Supercomputing conference in Dallas.
In the past, the protection of enterprise assets was perimeter based. Users and data were inside and trusted, bad guys outside and not. But the world changed, and people started to work remotely, connecting from the road or at home. The cloud emerged, allowing data and workloads to leave the data center. And the perimeter ceased to exist. This new order required a new paradigm, which gave rise to the concept of Zero Trust.
Zero Trust is a security concept or an architecture where no assumptions are made about the trustworthiness of any device or connection. Everything must be verified first. Organizations are using it to guide their security decisions in order to protect their resources and data.
And yet, security is not a one-stop shop. There is no single solution to all the problems, so if your organization or leadership team is using Zero Trust as guidance, you should be combining multiple complementary technologies and solutions to achieve successful results.
When getting started, it is helpful to know that there are different interpretations of what Zero Trust means in practice and what organizations should consider. A single source of identity, user and device authentication, authorization policies and access control are all good ingredients to focus on. But even before that, the first step is to lay out, describe and understand the attack surface and related risks.
Looking at that surface, one can see that it is full of different applications and services running on-premises and in a cloud, performing operations on different data types. The surface is vast. Different tools and technologies help address related security challenges, but there are options to reduce the actual surface as well.
One of those is Confidential Computing, a technology that protects data while in use. Modern chipsets can run workloads in Trusted Execution Environments (TEEs), isolated environments whose memory is encrypted. Confidential Computing leverages this capability. As a result, when the workload runs in encrypted memory, the host can’t see what it is doing. The workload can thus process sensitive data without fear of being attacked by a bad actor who managed to gain elevated privileges on a host via misconfigured access, leaked credentials or a vulnerability. When an application runs inside a TEE, fewer additional protections are needed, since the TEE provides some of them by design.
In the context of Zero Trust, Confidential Computing is one of the best tools to help accomplish the overall security posture that an organization seeks, because the attack surface is reduced when applications and their data move into encrypted memory.
To summarize:
Confidential Computing is a building block for accomplishing a Zero Trust strategy via attack surface reduction and protection of sensitive data while in use. Let’s view it as such.