Confidential Computing is a new hardware-based security approach. This emerging approach enables data to be encrypted while it’s running in memory without exposing it to the rest of the system and even to privileged users.
Cloud computing is omnipresent. Every organization has adopted the cloud in one form or the other. A significant part of enterprise workloads is already on the cloud. However, there is another side to the cloud story. While organizations are aware of the broader benefits of the cloud, security puts a spoke in the wheel. Many organizations still shy away from moving more core functions and sensitive data to the cloud purely for security and privacy concerns.
Lack of skilled resources internally, legacy approach, and misconfigurations of the cloud platform contribute to the problem. A recent survey indicates that over 75 per cent of enterprise security experts are overly concerned about public cloud security.
Enterprises are increasing their cloud spend, moving more critical applications and optimizing existing investments in the cloud as the global pandemic compels them to cope with the new market realities. It’s essential for leading cloud providers to effectively fill the gap in cloud security to help enterprises make this transition smoother and unlock the next phase of cloud adoption.
Fortunately, the answer might be around the corner—in the form of a new hardware-based security approach dubbed ‘confidential computing’.
What is Confidential Computing?
Data security traditionally has been built around three fundamental approaches to prevent unauthorized access –protecting data at rest, in transit and use. Security strategies so far have been predominantly centred around the first two data states. As a result, at-rest and in-transition encryption standards are already well-evolved. Securing ‘data in use’, however, has been a challenge. Encryption as a method is mainly inadequate in this area as applications need access to data in unencrypted form.
Several data-intensive and regulated industries (e.g., Fiserv, insurance, healthcare, media & entertainment etc.) have significantly higher data protection requirements for safeguarding the organization’s customers’ PII or intellectual property assets. In many cases, there is an increasing need to secure ‘data in use. For example, healthcare dashboards access sensitive patient data to arrive at treatment decisions. Encryption is not possible in this case, and access to sensitive data is inevitable.
What is the advantage of Confidential Computing?
Confidential Computing promises to change the whole equation by encrypting the ‘data in use’. This emerging approach enables data to be encrypted while it’s running in memory without exposing it to the rest of the system and even to privileged users. Data is further decrypted within the CPU using embedded hardware keys, which the cloud provider has no control over. Confidential Computing is typically built on hardware-based Trusted Execution Environments (TEE) or Enclaves.
AWS’ Nitro Enclave, for example, provides CPU and memory isolation for EC2 instances by offering an isolated and highly constrained environment to host security-critical applications. Consider its virtual machines with no persistent storage, operator or administrator access. Nitro Enclave uses Cryptographic attestation techniques, which allow customers to verify that only authorized code is running in their enclave. AWS aims to enable customers to quickly move sensitive workloads to the cloud while protecting their resources more efficiently.
The Future of Confidential Computing
Confidential Computing comes with great promises and is touted to be a game changer for the Cloud Computing industry. Its benefits go beyond the realms of security. In future, Confidential Computing has the power to promote collaboration among competitors (for example, companies working together on genomic research on cloud platforms) as it assures complete protection and privacy of sensitive data.
Confidential Computing also has the potential to enable more innovative machine learning, microservices and Blockchain use cases among enterprises. It’s considered the only standard to secure Blockchain transactions in which sensitive data is transmitted across the decentralized network. It can also address the security concerns around moving mission-critical workloads to a container or Kubernetes environment.
That said, the technology is still at a nascent stage. Gartner anticipates a five- to 10-year wait before confidential Computing is used regularly. But once it’s there, it has the potential to redefine cloud security truly.