What is Confidential Computing
Organizations that manage sensitive data such as Personally Identifiable Information (PII), financial data, or health information need to alleviate threats that target the confidentiality and integrity of either the data in system memory or the application itself. Data is most often encrypted at rest in storage and transit across the network, but not while in use in memory. In addition, the ability to protect data and code while in use is limited in conventional computing infrastructure.
Confidential computing guards data in use by performing the computation in a hardware-based Trusted Execution Environment. These isolated and secure environments prevent unauthorized access or modification of applications and data while in use, thus increasing the security level of organizations that manage sensitive and regulated data.
Source: CCC
Confidential computing is defined and managed by the Confidential Computing Consortium (CCC) under the umbrella of The Linux Foundation.
Extract from CCC website:
“CCC is a project community at the Linux Foundation dedicated to defining and accelerating the adoption of confidential computing. It will embody open governance and open collaboration that has aided the success of similarly ambitious efforts. The effort includes commitments from numerous member organizations and contributions from several open-source projects.”
How Can Confidential Computing Help?
Confidential computing protects data in use using hardware-based Trusted Execution Environments. Through Confidential Computing, we can now protect against many known threats.
The Entry of Trusted Execution Environments (TEE)
A Trusted Execution Environment (TEE) is an environment that offers a level of assurance of data integrity, data confidentiality, and code integrity. A hardware-based TEE uses the techniques to provide increased security guarantees for code execution and data protection within that environment.
In the framework of confidential computing, unauthorized entities could mean anything that interfaces like other applications on the host, the host operating system or hypervisor, system administrators, service providers, the infrastructure owner or anyone that has physical access to the hardware. Data confidentiality is that those unauthorized entities cannot view data while it is in use within the TEE, even with physical access to the system/hardware.
Data integrity — prevents unauthorized entities from altering data when any entity outside the TEE processes data.
Code integrity — the code in the TEE cannot be replaced or modified by unauthorized entities.
Together, these attributes assure that the data is kept confidential and that the computations performed are correct, allowing one to trust the results. This assurance is often missing in methods that do not use a hardware-based TEE.
The table below compares a typical TEE implementation with two other emerging solutions that protect data in use, Homomorphic Encryption (HE) and Trusted Platform Modules (TPM).
Source: CCC
Confidential Computing – Hardware-Based Approach
Security is only as durable as the layers below it. Since protection in any compute stack layer gets circumvented by a breach at an underlying layer. This fundamental issue drives the need for security solutions at the lowest layers possible, down to the silicon components of the hardware. Hardware-based TEE provides security through the lower hardware layers with a minimum of dependencies to the operating system and other areas like device drivers, platform, peripheral, and cloud service providers.
High-level Use Cases of Confidential Computing
There are multiple ways hardware-based TEEs are applied today to deliver the efficient defence-in-depth mechanisms and security boundaries sought by confidential computing. The significant uses of TEE:
- Portable hardware-TEE-based application SDKs consumed across various TEEs
- Keys, Secrets, Credentials and Tokens Storage and Processing
- Multi-Party Computing
- Blockchain
- Data integrity on Mobile and Personal Computing devices
- Processing network traffic in Edge and IoT devices
- Point of Sale devices/payment processing
- Confidential AI
Confidential Computing – Future of the Cloud
Confidential computing delivers strong security assurances in the cloud by empowering tenants to control the Trusted Computing Base for their workloads remotely. As well offers solid technical protection against any attacks from the rest, preventing potential attacks from other tenants or the cloud provider itself. In turn, this enables tenants to develop and deploy their confidential applications for their most sensitive data.
Imagine a future in which users have complete and authentic control over how cloud service uses their data. Think of a wide variety of use cases like organization’s documents to be indexed. A confidential indexing service could guarantee that no one outside their organization ever sees that data and the output sent to a confidential file-sharing service. At the same time, it makes sure the unencrypted data never appear anywhere other than the organization’s authorized devices or confidential VMs. Similarly, a confidential email system could protect privacy without compromising functionality such as searching or authoring assistance. Ultimately, confidential computing will enable many innovative cloud services while allowing users to retain complete control over their data.
Final Thoughts
The Confidential Computing landscape is evolving quickly to provide new tools to businesses and end-users that protect sensitive data and code against a class of threats occurring during data execution that were previously difficult, if not impossible, to defend.
As confidential computing evolves, more approaches may emerge, or evolutions of these approaches may occur. I’m personally super optimistic about the innovation that lies ahead in this field.
About the Author:
Vinoth is a cybersecurity professional by heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related articles.