Trusted execution environments protect proprietary data from the very cloud providers that host it. Learn how confidential computing works today.

Today’s technology industry needs to stay one step ahead of attackers. Confidential computing is part of that conversation, but as with edge computing, there’s some confusion as to what it actually means.
AWS defines it as dedicated hardware and firmware that separates an inside (typically customer data) from an outside (typically the cloud provider). It includes elements of Tiered Zero Trust that allow organizations working with a cloud provider to further segment data based on security requirements. It secures data while it is in use and strikes a balance between collaboration and data ownership.
Since we’re talking about current-generation technology, let’s use this definition: Confidential Computing is an initiative to create more secure hardware-based execution environments. It is widely used to back up data that is used across multiple environments.
Protecting data at rest or in transit is generally considered to be easier than protecting data in use. According to IEEE, the problem is a paradox: data must be disclosed in order to be processed. So how do you prevent malware from creeping in during the “in use” phase? The answer is a trusted execution environment (TEE) that offers real-time encryption on specific hardware and is only accessible through approved code.
History of Confidential Computing
In 2020, the Confidential Computing Consortium began work on its Technical Advisory Council to establish standards. Companies like Meta, Google, Huawei, IBM, Microsoft and Tencent got involved.
Back then, the idea was that confidential computing, by isolating protected data, could allow different organizations to share datasets without sharing full access, or it could reduce power requirements because high-bandwidth or high-latency data like video could be stored in the TEE instead of on site.
The TEE is a secure section within a CPU separated by embedded encryption keys that only authorized application code can access. During computation and decryption, the data is invisible even to the operating system or hypervisor. In addition to protecting proprietary business logic and applications, it is also a possible solution for analytics or AI/ML algorithms.
One of the goals for cloud providers that also offer confidential computing is to be able to assure customers that they can breathe easier about the cloud provider itself seeing proprietary information.
How does confidential computing work?
There are as many ways confidential computing can work as there are companies that code it, but remember the definition mentioned above. Google Cloud uses Confidential VMs built on the Secure Encrypted Virtualization (SEV) extension of 3rd generation AMD EPYC CPUs. Data remains encrypted in memory with node-specific, dedicated keys that are generated inside the processor during node creation and managed by the processor; from there, the keys never leave that hardware.
Today, IBM claims to be in the fourth generation of its Confidential Computing products, starting with IBM Cloud’s Hyper Protect Services and Data Shield in 2018. First in line for Hyper Protect Services is a FIPS 140-2 Level 4 certified cloud hardware security module (HSM). Both products are assessed against regulations and standards such as HIPAA, GDPR and ISO 27K.
IBM also offers HPC Cluster, a part of IBM Cloud in which customers’ clusters are kept confidential using Bring Your Own Encrypted Operating System and Keep Your Own Key features. IBM’s Secure Execution for Linux enables customers to host large numbers of Linux workloads within a TEE.
AWS’ Nitro System underpins its Elastic Compute Cloud (EC2) services, an infrastructure-on-demand offering that inherently requires some walls and doors between Amazon and the customer using the services. Those walls and doors are built in a variety of ways. One of them is the Nitro System, which has a proprietary security chip that cryptographically measures and validates the system.
Intel’s Software Guard Extensions add to this company’s hardware-based security. In 2021, they focused on providing TEE services tailored to healthcare, finance and government.
Microsoft Azure also offers confidential virtual machines as well as confidential Kubernetes containers. Their TEEs form the backbone of Azure Confidential Ledger, a “tamper-proof, unstructured” pool of data verified using blockchain. Any manipulation shows up clearly in the trusted computing base, Microsoft says. A hardware root of trust provides a digital signature for each transaction within the confidential layer. Certificate-based authorization also ensures that the cloud provider cannot see the data hosted there.
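To make the mechanism described above concrete, here is an added example (not code from this article or from any of the vendors it names) that simulates the measure-then-attest flow: the hardware root of trust hashes the code loaded into the TEE and signs that measurement together with a fresh nonce, and a key broker releases the data key only when the signature, nonce and measurement all check out. The HMAC key, the workload bytes and the data key are constructed placeholders; real TEEs sign with an asymmetric key chained to the vendor's certificates.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the key fused into the hardware root of trust.
# Real TEEs sign with an asymmetric key chained to the vendor's certificates;
# an HMAC key shared with the verifier keeps this example runnable offline.
HW_ROOT_KEY = b"constructed-hardware-root-key"
DATA_KEY = b"constructed-data-encryption-key"  # the secret the key broker guards

# Constructed workloads: the approved analytics code and a tampered copy.
APPROVED_WORKLOAD = b"def analyze(rows): return sum(r['amount'] for r in rows)"
TAMPERED_WORKLOAD = APPROVED_WORKLOAD + b"\nleak(rows)"

def measure(code: bytes) -> str:
    """The launch measurement: a hash of the code loaded into the TEE."""
    return hashlib.sha256(code).hexdigest()

def hw_quote(code: bytes, nonce: bytes) -> dict:
    """What the hardware root of trust does: bind the measurement to the
    verifier's nonce and sign it, so the report is fresh and unforgeable."""
    body = {"measurement": measure(code), "nonce": nonce.hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(HW_ROOT_KEY, payload, "sha256").hexdigest()}

def verify_and_release(quote: dict, nonce: bytes, approved: set) -> tuple:
    """Key broker side: hand out DATA_KEY only to approved code, and only
    for a quote the hardware produced for this session's nonce."""
    payload = json.dumps(quote["body"], sort_keys=True).encode()
    expected = hmac.new(HW_ROOT_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return None, "bad signature: quote not produced by the hardware root of trust"
    if quote["body"]["nonce"] != nonce.hex():
        return None, "stale quote: nonce mismatch, possible replay"
    if quote["body"]["measurement"] not in approved:
        return None, "unapproved measurement: code differs from the approved build"
    return DATA_KEY, "ok"

def attest(code: bytes, replay: bool = False) -> tuple:
    """One attestation round trip; replay=True presents a quote made for a stale nonce."""
    approved = {measure(APPROVED_WORKLOAD)}
    nonce = secrets.token_bytes(16)
    quote = hw_quote(code, b"\x00" * 16 if replay else nonce)
    return verify_and_release(quote, nonce, approved)
```

Only the approved build ever receives the key; a tampered build, a replayed quote, or a quote whose body was edited after signing is refused with a reason the broker can log.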
What’s Next for Confidential Computing?
Confidential computing has many overlaps with other cloud services and security methods like blockchain. Is this a revolutionary initiative, or is it a hodgepodge of existing current-generation security considerations condensed into a term that’s relatively easy to fit into a budget?
While there’s nothing wrong with making it easier for managers to understand what you’re doing with the IT budget, there are also plenty of hackers — regardless of the color of their hats — who are taking a close look at TEEs.
The Confidential Computing Consortium is also growing. A 2021 market study by Everest Group and the Consortium predicted that the confidential computing industry will grow to $54 billion by 2026.
“Although the adoption of confidential computing is still relatively young, our research shows potential for growth not only for companies adopting it, but also for the technology and service providers enabling it,” said Abhishek Mundra, practice lead at Everest Research.
TechRepublic recently named confidential computing as one of 7 trends dominating infrastructure innovation. For more information, see Intel’s new independent Trust Assurance initiative and how the latest version of Ubuntu supports confidential computing.