The benefits of operational efficiency and flexibility delivered by public cloud resources have encouraged organizations to migrate applications and data to computing platforms located outside the perceived security of on-premises infrastructures. Many businesses are now adopting a “cloud-first” approach that emphasizes elastic scalability and cost reduction above ownership and management, and, in some cases, security.
Placing Your Trust in Cloud Service Providers
However, deploying sensitive applications and data on computing platforms that are outside of an organization’s own managed infrastructure requires trust in the service provider’s hardware and software used to process, and ultimately protect, that data.
Confidential Computing
One response to the problem of the trustworthiness of the cloud has been the emergence of the Trusted Execution Environment (TEE), which has led to the concept of “confidential computing.” Industry leaders such as Intel, Microsoft, Google and Red Hat joined together to form the Confidential Computing Consortium (CCC) in October 2019.
This is the first industry-wide initiative to address the security of data in use, as today’s encryption security approaches mostly focus on data at rest or data in transit. The work of the CCC is especially important as companies move more workloads to multiple environments, including public cloud, hybrid, and edge environments.
Secure Enclaves
One of the most important TEE technologies for addressing the problem of protecting data in use can be found in the form of secure enclaves, such as the protected memory regions established by Intel® Software Guard Extensions (Intel® SGX). Secure enclaves allow applications to execute securely, and this protection is enforced at the hardware level by the CPU itself. All data is encrypted in memory and decrypted only while being used inside the CPU – the data remains completely protected, even if the operating system, hypervisor, or root user is compromised.
Secure enclaves can offer further security benefits using a process called “attestation” to verify that the CPU is genuine, and that the deployed application is the correct one and hasn’t been altered.
Operating in secure enclaves with attestation gives users complete confidence that code is running as intended and that data is completely protected during processing. This approach enables sensitive applications, including data analytics, machine learning and artificial intelligence, to run safely in the cloud without violating privacy regulations or risking the exposure of proprietary algorithms.
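The attestation checks described above can be modeled from the verifier's side. This is an added example, not code from Intel SGX or any vendor SDK. It assumes an HMAC with a constructed key as a stand-in for the CPU's hardware-rooted signature, and it adds a nonce freshness check that the text does not mention; all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for the CPU's attestation key (assumption: real enclave
# hardware signs with an asymmetric key chained to the CPU vendor, not an HMAC).
HW_KEY = b"constructed-demo-hardware-key"


def measure(code: bytes) -> bytes:
    """Measurement of the application: a hash of the code loaded into the enclave."""
    return hashlib.sha256(code).digest()


def make_quote(code: bytes, nonce: bytes, key: bytes = HW_KEY) -> dict:
    """Simulated hardware side: sign the measurement together with the verifier's nonce."""
    m = measure(code)
    return {"measurement": m, "nonce": nonce,
            "sig": hmac.new(key, m + nonce, hashlib.sha256).digest()}


def verify_quote(quote: dict, expected: bytes, nonce: bytes, key: bytes = HW_KEY) -> str:
    """Verifier side: return 'ok', or the reason the quote is rejected."""
    want = hmac.new(key, quote["measurement"] + quote["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, quote["sig"]):
        return "bad signature"          # not produced by the genuine hardware key
    if not hmac.compare_digest(quote["nonce"], nonce):
        return "stale nonce"            # an old quote replayed to the verifier
    if not hmac.compare_digest(quote["measurement"], expected):
        return "measurement mismatch"   # a different or altered application
    return "ok"


if __name__ == "__main__":
    app = b"constructed analytics job v1"
    nonce = b"\x01" * 16  # constructed; a real verifier uses a fresh random value
    expected = measure(app)
    print(verify_quote(make_quote(app, nonce), expected, nonce))
    print(verify_quote(make_quote(app + b" tampered", nonce), expected, nonce))
    print(verify_quote(make_quote(app, b"\x02" * 16), expected, nonce))
    print(verify_quote(make_quote(app, nonce, key=b"not-the-cpu"), expected, nonce))
```

The verifier releases secrets or data to the workload only on "ok"; every other result means either the hardware or the application is not the one it expects.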