The growth of Confidential Computing

Over the last five years, Confidential Computing has evolved and matured. Today, it’s used by organizations all around the world that are concerned with protecting their systems as well as sensitive, confidential or regulated data. In fact, there’s so much confidence in the technology that some researchers expect the U.S. market to hit $5.5B this year. In this article, we’re going to review Confidential Computing technology, explore how it’s being used and examine what future innovations might look like.

Confidential Computing protects data in use during processing, with sensitive data isolated in the CPU and encrypted in memory while it’s processed. The mechanism for doing that is a secure enclave in the hardware called a Trusted Execution Environment (TEE). The goal is for sensitive data and trusted code to be loaded into the TEE, which protects it from tampering. This isolated and secure environment helps prevent unauthorized access and modification of in-memory applications and data, thereby increasing assurances that the data remains secure.

The concept of TEEs dates to the early 2000s with a standard developed by GlobalPlatform. Today, many Confidential Computing standards are driven by the Confidential Computing Consortium (CCC), which is a Linux Foundation project. Intel is a founding member, along with Microsoft, Google, Red Hat and others.

Anand Pashupathy

Vice President & General Manager, Security Software & Services Division, Intel.

Use cases

Confidential Computing has a variety of use cases. First, with increasing reliance on cloud computing, Confidential Computing allows organizations to maintain control and better secure their data in the cloud, protecting it from access by malware, other cloud tenants and even the cloud provider. The attestation function provides cryptographic evidence or measurements of the TEE’s authenticity and current state. Any stakeholder relying on the TEE to protect their workloads can receive these measurements and decide whether to trust the code running in the TEE.
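The relying-party decision described above, as an added example that is not from the article or from any vendor SDK: a stakeholder receives signed evidence, then checks its signature, freshness and code measurement before trusting the TEE. Assumptions: HMAC-SHA256 with a shared demo key stands in for the hardware vendor's signature chain, and the function names and the `nonce` and `debug` claim fields are hypothetical.

```python
import hashlib
import hmac
import json
import os

# Assumption: a shared HMAC key stands in for the hardware vendor's
# asymmetric signing chain so the example runs offline.
VENDOR_KEY = b"constructed-demo-key"


def measure(code: bytes) -> str:
    """Measurement: a hash of the code loaded into the TEE."""
    return hashlib.sha256(code).hexdigest()


def make_evidence(code: bytes, nonce: str, debug: bool = False) -> dict:
    """TEE side (simulated): signed claims about identity and current state."""
    claims = {"measurement": measure(code), "nonce": nonce, "debug": debug}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": sig}


def appraise(evidence: dict, nonce: str, trusted: set) -> tuple:
    """Relying-party side: return (trust decision, reason)."""
    claims = evidence.get("claims", {})
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    # Authenticity: the claims must be signed by the trusted root.
    if not hmac.compare_digest(expected, str(evidence.get("signature", ""))):
        return False, "bad signature"
    # Freshness: the evidence must answer this verifier's challenge.
    if claims.get("nonce") != nonce:
        return False, "stale or replayed evidence"
    # Current state: hypothetical flag for a TEE that is open to inspection.
    if claims.get("debug"):
        return False, "TEE is in debug mode"
    # Code identity: only workloads the stakeholder approved are trusted.
    if claims.get("measurement") not in trusted:
        return False, "unknown code measurement"
    return True, "ok"


if __name__ == "__main__":
    approved = b"def score(record): ..."  # constructed sample workload
    allow = {measure(approved)}
    challenge = os.urandom(16).hex()
    print(appraise(make_evidence(approved, challenge), challenge, allow))
    print(appraise(make_evidence(b"tampered", challenge), challenge, allow))
```

Only after `appraise` returns a positive decision would the workload owner release data or decryption keys to the environment.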

Second, it allows multiple parties to collaborate and share data while maintaining privacy. Each organization can be assured that the data they contribute for collaborative analysis is kept confidential from the other parties, and that the environment in which they are sharing hasn’t been compromised. This has broad applications, but a good example is in healthcare where individuals’ health data has become dispersed across a wide and expanding array of data silos. However, providers must collaborate to deliver quality care. Confidential Computing helps protect connected clinical workloads and data in use.

Third, it helps strengthen compliance and data sovereignty programs, which are all about maintaining control of data and making sure it’s used in the jurisdiction it was meant for. Compliance often relies exclusively on processes and procedures, and sovereignty on geo-location. However, data is a liquid asset and can inadvertently “escape” into other data centers (even when the best procedures are in place). Confidential Computing provides an additional technological safeguard to a data sovereignty strategy. The data in use is protected inside a TEE, and since the workload owner holds the keys to decrypt the data, it cannot be collected, viewed or accessed without the owner’s knowledge and consent. Combined with cloud storage and network encryption, Confidential Computing empowers workload owners to control access to their data.

And finally, it gives organizations hardware-based isolation and access controls for sensitive workloads. That could be protecting proprietary business logic, analytics functions, machine learning algorithms or entire applications. Confidential Computing “armors-up” workloads, helping protect sensitive data, content and software IP from advanced attacks, tampering and theft. One area of growth and innovation is around Confidential AI, which is the deployment of AI systems inside TEEs to protect sensitive data and valuable AI models while they are actively in use. It takes modern AI techniques, including Machine Learning and Deep Learning, and overlays them with traditional Confidential Computing technology.

Advancements in Confidential Computing

Confidential Computing has come a long way. In the past two years alone, there have been several advancements. Examples include trust services that deliver uniform, independent attestation of trustworthy environments; application isolation that creates small trust boundaries for data protection; and code integrity and virtual machine (VM) isolation that enhance compliance and control for legacy applications.

However, there are still challenges to be faced. Attestation services are just rolling out to the market, and work to make these services more understandable, digestible and automated is underway. In addition, the entire computing industry is working toward quantum-resistant computing. This transition may require encrypting data with a change of key length, or inventing and standardizing new algorithms. Furthermore, while chip makers are heavily invested in eliminating side-channel and physical attacks against CPUs, this is a constant community effort.

The future of confidential computing is bright. More and more organizations are understanding the technology’s value for protecting data in use through isolation, encryption and control, and verification capabilities. This will help organizations unlock new opportunities for business collaboration and insight.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
