Extending the “Circle of Trust” with Confidential Computing
Confidential Computing provides a security model to address the problems of untrusted server infrastructure that have hampered transition to the cloud.
The benefits of operational efficiency and flexibility delivered by public cloud resources have encouraged organizations to migrate applications and data to computing platforms located outside the perceived security of on-premises infrastructures. Many businesses are now adopting a “cloud-first” approach that emphasizes elastic scalability and cost reduction above ownership and management, and, in some cases, security.
Placing Your Trust in Cloud Service Providers
However, deploying sensitive applications and data on computing platforms that are outside of an organization’s own managed infrastructure requires trust in the service provider’s hardware and software used to process, and ultimately protect, that data.
One response to the problem of the trustworthiness of the cloud has been the emergence of the Trusted Execution Environment (TEE), which has led to the concept of “confidential computing.” Industry leaders such as Intel, Microsoft, Google and Red Hat joined together to form the Confidential Computing Consortium (CCC) in October 2019.
This is the first industry-wide initiative to address the security of data in use, as today’s encryption security approaches mostly focus on data at rest or data in transit. The work of the CCC is especially important as companies move more workloads to multiple environments, including public cloud, hybrid, and edge environments.
One of the most important TEE technologies for addressing the problem of protecting data in use can be found in the form of secure enclaves, such as the protected memory regions established by Intel® Software Guard Extensions (Intel® SGX). Secure enclaves allow applications to execute securely, and this isolation is enforced at the hardware level by the CPU itself. All data is encrypted in memory and decrypted only while being used inside the CPU; the data remains completely protected even if the operating system, hypervisor, or root user is compromised.
Secure enclaves can offer further security benefits using a process called “attestation” to verify that the CPU is genuine, and that the deployed application is the correct one and hasn’t been altered.
Operating in secure enclaves with attestation gives users complete confidence that code is running as intended and that data is completely protected during processing. This approach enables sensitive applications, including data analytics, machine learning and artificial intelligence, to run safely in the cloud without violating privacy regulations or risking the exposure of proprietary algorithms.
Expanding the “Circle of Trust”
The number one concern cited by enterprises in their move to the cloud continues to be security. Confidential computing and protecting data in use give sensitive applications a safe place, protecting them from today’s infrastructure attacks.
Confidential computing is critical for protecting cloud data, and it is fundamentally helping establish and expand the “circle of trust” in cloud computing. It creates isolated runtime environments that allow execution of sensitive applications in a protected state, keeping cloud apps and data completely secure when in use.
A Secure Cloud Future
Leading technology providers such as Fortanix have recognized that confidential computing provides a security model ready to address the problems of untrusted hardware and software that have hampered transition to the cloud.
With a growing number of use cases, and interest and deployments surging, confidential computing environments will be relied on to protect data in growing areas such as industry 4.0, digital health, the Internet of Things (IoT), and federated machine learning systems.
As the Confidential Computing Consortium continues its work, individuals and businesses may at some point expect a confidential computing architecture as a prerequisite for the exchange and processing of private data.