NetworkTigers discusses confidential computing technology.
Confidential computing is a cloud computing technology that segregates private information within a protected CPU (central processing unit) during processing. The information being processed and the procedures used to process it are invisible to the cloud provider and accessible only to authorized programming code.
Data privacy in the cloud is crucial as more business owners rely on hybrid and public cloud services. The main goal of confidential computing is to assure business owners that their information in the cloud is confidential and safe and to encourage them to migrate their computing workloads and private data to public cloud services.
Cloud providers have offered encryption services for years to protect data moving over network connections and data in databases and storage. Confidential computing, however, protects data during runtime or processing, thus eliminating this remaining data security vulnerability.
How confidential computing works
Sensitive information must be decrypted in memory before an application can process it. This exposes the information to malicious exploits and memory dumps before, during, and after processing. Confidential computing tackles this issue by leveraging a hardware-based TEE (Trusted Execution Environment), which is a safe enclave in a CPU.
Embedded encryption keys are used to secure the TEE, while embedded attestation techniques ensure that only authorized application code accesses the keys. If the authorized code is altered or hacked, or if unauthorized code or malware tries to access the keys, the TEE cancels the computation and denies access to the keys.
This way, private information remains protected in memory until the application authorizes the TEE to decrypt the data for processing. During the computation process and while the information is decrypted, it’s invisible to the cloud provider and its workers, compute stack resources, and the operating system.
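The attestation-gated key release described above, as an added sketch that is not from the original article: a key broker hands out the data key only when the report carries the approved code measurement. `HW_KEY`, `KeyBroker` and the HMAC standing in for a hardware-rooted signature are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the hardware-rooted attestation key. Real TEEs sign
# reports with an asymmetric key rooted in the CPU; HMAC keeps this runnable.
HW_KEY = b"constructed-demo-hardware-key"


def measure(code: bytes) -> bytes:
    """Measurement = hash of the code loaded into the enclave."""
    return hashlib.sha256(code).digest()


def sign(measurement: bytes, nonce: bytes) -> bytes:
    return hmac.new(HW_KEY, measurement + nonce, hashlib.sha256).digest()


def attest(code: bytes, nonce: bytes) -> dict:
    """TEE side: report the measurement of the running code, bound to a nonce."""
    m = measure(code)
    return {"measurement": m, "nonce": nonce, "tag": sign(m, nonce)}


class KeyBroker:
    """Relying party: releases the data key only to approved, attested code."""

    def __init__(self, approved_code: bytes, data_key: bytes):
        self._approved = measure(approved_code)
        self._data_key = data_key
        self._nonces = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._nonces.add(nonce)
        return nonce

    def release_key(self, report: dict) -> bytes:
        if report["nonce"] not in self._nonces:
            raise PermissionError("unknown or replayed nonce")
        self._nonces.discard(report["nonce"])  # each challenge is single use
        expected = sign(report["measurement"], report["nonce"])
        if not hmac.compare_digest(expected, report["tag"]):
            raise PermissionError("report not signed by trusted hardware")
        if not hmac.compare_digest(report["measurement"], self._approved):
            raise PermissionError("code measurement not approved")
        return self._data_key
```

Changing a single byte of the application changes its measurement, so the broker refuses the key even though the report itself is validly signed.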
The Confidential Computing Consortium
The Confidential Computing Consortium (CCC) was established in 2019 and comprises hardware developers, cloud companies, and software developers including Microsoft, Swisscom, Fortanix, Oracle, Google, Intel, and IBM. Its primary goal is to create open-source tools for confidential computing and facilitate the seamless execution of computations in a Trusted Execution Environment (TEE), protected from OSes and hardware.
Red Hat Enarx and Open Enclave SDK, the consortium’s first open-source tools, help developers create applications that run across TEE platforms without making any changes. The consortium also:
- Supports community-based projects that protect virtual machines, programs, and applications while helping businesses apply any confidential security modifications.
- Creates open specifications with the latest technologies to make developing and managing confidential compute applications easy.
- Defines foundational confidential-aware frameworks and services that minimize the need for trust among company leaders.
- Defines confidential computing and speeds up adoption and acceptance among business owners.
The CCC also created the Confidential Consortium Framework, a framework used to design highly available and secure applications.
Confidential computing use cases
Confidential computing provides organizations with a greater sense of trust in the security of their sensitive information, especially when it comes to business-critical workloads. This technology can be used to:
Give clients more confidence when selecting cloud providers
Confidential computing allows organizations to pick cloud providers that offer services that meet their business and technical needs. This eliminates concerns about processing and storing sensitive assets, proprietary technology, and customer data. It also eliminates competitive concerns if the provider offers competing business services.
Protect private data even in use
When used with data encryption in transit and at rest, confidential computing removes the barrier to migrating sensitive application workloads or highly regulated data from an inflexible, costly on-premises IT system to a state-of-the-art and more flexible public cloud platform.
Collaborate with other companies to create new cloud solutions
One organization can combine its proprietary calculations with another organization’s sensitive information to develop new solutions without either organization sharing intellectual property or information it doesn’t want to reveal.
Protect information processed at the edge
Edge computing is a framework that brings company applications closer to data sources like local edge servers and IoT devices. When this distributed computing framework is utilized as a part of cloud patterns, confidential computing can be used to protect the application and data at edge nodes.
Protect intellectual property
Besides protecting data, the TEE can be used to protect analytics functions, entire applications, proprietary business logic, and machine learning algorithms.