Safety is a key catalyst to speed up the adoption of cloud computing, but it is also a major concern when you transfer highly sensitive IP and data scenarios to the cloud. Confidential Computing allows you to isolate sensitive data as it is in the cloud. Confidential computing uses hardware-based tactics to detach data, individual functions, or the entire program from the OS. Data is in a TEE (Trusted execution environment) where it is difficult to access information or operations performed on it from outside, except with a debugger. The Trusted Execution Environment ensures that only the approved code is able to use the data. Even If the underlined code is changed or updated, the TEE refuses the operation. Moreover, many businesses are using confidential computing to secure their data. These workloads shall include:
- Securing Financial Records
- Protecting details for the patient
- Running method of machine learning on sensitive information
- Algorithms on encrypted data sets from different sources
The most sensitive computing performed today is run on Intel servers (i.e. Xeon series) with Intel SGX, which isolates complex app codebase and actual data to run in private memory regions.
What is Confidential Computing?
Confidential computing is a practice in which encrypted data stored in memory to restrict access for the security of the data in use. It is a coalition of organizations that aims to create tools to promote data security.
Confidential computing is the security of data-in-use by isolating computing to a hardware-based, Trusted execution environment (TEE). Although the data is normally encrypted during rest and transit, confidential computing protects the data as it is being processed. Confidential computing also focuses on hardware-based security and applications. Confidential computing also ensures the data are safe and secured against attacks. Threats like malicious insiders, network vulnerabilities, or other hardware or software-type infrastructure vulnerabilities that could be compromised. The TEE provides a secure space by securing a portion of the hardware processor and memory. Also, you should run software at the top of the secure area to shield parts of your code and data from displaying or changing outside of the TEE.
However, the principle of confidential computing has become more important as cloud services become more commonly used. Cloud computing companies benefit from the enhanced sense of protection that sensitive computing provides. The Confidential Computing Alliance, a community of organizations whose mission is to create cross-platform tools for confidential computing. They have been widely accepted and established. The group should also be in a position to support other organizations in the implementation of any sensitive security changes.
Confidential Computing Consortium
The Confidential Computing Consortium (CCC) is a community project hosted at Linux Foundation. CCC aims to focus on improving security for data in use. It also accelerates Confidential Computing adoption. CCC’s membership increased more than 60 percent since its formation. Major tech companies joined as member of the Confidential Computing Consortium which includes Google Cloud, Microsoft, IBM, Intel, Baidu, VMware, decentriq, Fortanix, Huawei, Kindite, Arm, Alibaba, Oasis Labs, Oracle, Red Hat, Swisscom, Tencent, and ByteDance. you can read more about CCC here.
How confidential computing works
When we place more and more of our work and data on the cloud, we need data not only to be encrypted at-rest and in-transit but to be encrypted in memory when processing. Findings on the public cloud sector may be profound. Confidential computing allows performing data encryption in memory without exposing cloud data to the entire system.
Usually, service providers encrypt data as stored or shared, but the data is no longer encrypted as used. The Essential Computing Community focuses on data protection, as it is primarily being using when data is in memory. The goal is to allow data to store in the memory while the data encrypt. This decreases exposure to any confidential data. The only time the data is unencrypted is when a machine code enables the user to access it. This also means that the data is also safe from the cloud provider. Confidential computing can also run using an execution environment that can usually refer to as TEEs or enclaves.
Uses of Confidential computing
Confidential computing may have a range of applications related to data security in secure environments.
- Safe data from a malicious attacker
- Ensure the data complies with regulations such as GDPR
- Take care of data, such as financial data, encryption keys, or any other data that needs to be protected.
- Ensure the data in use is safe when transferring workloads to different environments
- Enable developers to build applications that can be transferred through cloud platforms.
Protect data by using Confidential Computing
Confidential Computing helps protect the data when it is in use. Azure is the first cloud application to secure privacy. Secure the confidentiality of the data by adding to the safeguards already in place to encrypt the data in transit and at rest. Azure Proprietary Computing advantages are now available for a demo using Intel SGX chipsets on the latest DC-series of virtual machines in Azure. In addition, Azure also provides an open-source SDK to provide a clear experience of enclave abstraction. It will also help you develop your SGX-based applications.
Confidential computing in Cloud
Confidentiality in the cloud is very important. Intel® Software Guard Extensions provides an additional layer of hardware-based security and manageability. Major Cloud providers are in a race to build a service or tool that provides security for data in transit. Some of them are :
Google Cloud Platform
Google introduced a new service last week for its cloud computing arm, designed on a principle known as confidential computing. Also, Google has unveiled its cloud-based secure VMs called Confidential VMs (virtual machines) recently. which provides enhanced protection on top of its shielded VMs. Also, Google’s Asylo is an open-source framework that provides SDK for developing apps that run in Trusted Secure Environments.
Azure Confidential Compute
Microsoft introduced a new feature on its Azure cloud platform called Confidential Compute. Confidential Azure computing helps you to exploit confidential computing resources in a virtualized environment. You can now use tools, software, and cloud technology to set up stable hardware.
Azure is the first cloud platform to deliver sensitive computing services in a virtualized environment. Azure built virtual machines that serve as an abstraction layer between your hardware and your application. You can run workloads on a scale and with options for redundancy and availability.
Core components of Azure confidential computing
Main 4 components of Azure Confidential Computing are :
Deploy and manage compute instances that have TEE allowed
Using Azure’s latest DCsv2 virtual machines. It builds on the latest generation of Intel Xeon processors with Intel in a fully virtualized cloud-based environment.
Verify the identity of the TEEs and the code within them
Validate the identity of the code to decide whether to reveal secrets. Verification is easy and also readily accessible with certification services.
Build against a typical abstraction of enclosures
Use the benefits of enclave development and management, system primitives, runtime support, and support for the cryptographic library. The Open Enclave SDK project has a good API surface.API surface around enclave abstraction, enabling portability across enclave forms and versatility in architecture. AWS then made its first success with Nitro Enclaves in a confidential computing room, implemented at the AWS re Invent conference.
Gain experience from Microsoft Research to harden your enclave code
Explore research on emerging technologies for secure computing, hardening methods for TEE technologies, and also tips to avoid unauthorized access from beyond the TEE.
In conclusion, The Proprietary Software Group is currently funding a range of open-source projects, including Intel SGX SDK for Linux, Microsoft Free Enclave SDK, and Red Hat Enarx. Works do not have to be approving as sensitive computing by the consortium. Google’s Asylo is identical to Enarx, and both Intel SGX and Microsoft’s Virtual Protected Mode support the sensitive computing services of Microsoft Azure.
Confidential computing ensures, when data is transparent, which data is for efficient processing. The data is secure within the context of the Trusted Execution System. TEEs ensure that there is no way to access the information or operations inside from outside, except with a debugger. They also ensure that only the approved code is able to access data.