Did Confidential Computing Just Solve the Data Security Puzzle?

Image credit: iStockphoto/Andrii Yalanskyi

Data has a security blind spot. Sure, you can encrypt and protect your data at rest and in transit. But when an application workload wants to use it for processing, it needs the data decrypted. 

This was fine when servers were private islands ringed by firewalls. But in today’s world, where data centers are interconnected and many workloads run in cloud data centers, data kept in memory for processing is exposed. And when that data is sensitive or personally identifiable information (PII), it is a significant headache.

This is one reason regulators call for data onshoring, that is, keeping data in cloud data centers physically located within a country. They want to know where you are keeping your sensitive or PII data.

But such measures are temporary band-aids. Essentially, the blind spot is still there. It is just behind geographical borders, which delays the inevitable and leaves the data still vulnerable to memory dump attacks.

Creating trust by not trusting

In 2019, the tech industry had enough. It needed to find a better way to secure PII or sensitive data during execution.

So, a group of cloud providers, CPU makers and software leaders came together to create a solution that isolates data within a protected CPU while it is being processed. The idea of confidential computing was born, and the band of tech giants became the Confidential Computing Consortium (CCC), an open source project group under the Linux Foundation.

Confidential computing creates trusted execution environments (TEEs) or enclaves. These are hardware-based secure areas with a co-processor within a CPU that uses embedded encryption keys for security. A series of “attestation mechanisms” (embedded with the co-processor) keep an eye on who accesses these keys.

“In this way, sensitive data can remain protected in memory until the application tells the TEE to decrypt it for processing,” said IBM cloud security chief technical officer Nataraj Nagaratnam in an article for Learn Hub.

So, if there is malware or the application is compromised, you will know the data is encrypted. If the attestation mechanisms detect unauthorized attempts, they will terminate the session and close the door to the enclave.

“While decrypted and throughout the entire computation process, the data is invisible to the operating system (or hypervisor in a virtual machine), to other compute stack resources, and to the cloud provider and its employees,” Nagaratnam explained.
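
The attestation gate described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor: an HMAC under a shared key stands in for the hardware-rooted signature a real TEE produces, and all names and values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed values. HMAC under a shared key stands in for the asymmetric,
# hardware-rooted signature a real TEE produces; every name is hypothetical.
HARDWARE_KEY = b"constructed-hardware-root-key"
APPROVED_CODE = b"def process(record): return record.upper()"
EXPECTED_MEASUREMENT = hashlib.sha256(APPROVED_CODE).hexdigest()
DATA_KEY = b"constructed-data-decryption-key"


def _sign(key: bytes, measurement: str, nonce: bytes) -> str:
    return hmac.new(key, measurement.encode() + nonce, hashlib.sha256).hexdigest()


def make_quote(code: bytes, nonce: bytes, key: bytes = HARDWARE_KEY) -> dict:
    """Enclave side: measure the loaded code, bind it to the verifier's nonce."""
    measurement = hashlib.sha256(code).hexdigest()
    return {"measurement": measurement, "nonce": nonce,
            "signature": _sign(key, measurement, nonce)}


def release_key(quote: dict, nonce: bytes):
    """Key-holder side: hand over the data key only to an attested enclave."""
    expected = _sign(HARDWARE_KEY, quote["measurement"], quote["nonce"])
    if not hmac.compare_digest(expected, quote["signature"]):
        return None, "bad signature"      # not produced by the trusted hardware
    if not hmac.compare_digest(quote["nonce"], nonce):
        return None, "stale nonce"        # replay of an earlier, valid quote
    if quote["measurement"] != EXPECTED_MEASUREMENT:
        return None, "unexpected code"    # enclave is running modified code
    return DATA_KEY, "ok"


def run_demo() -> dict:
    nonce, old_nonce = os.urandom(16), os.urandom(16)
    return {
        "approved": release_key(make_quote(APPROVED_CODE, nonce), nonce),
        "modified": release_key(make_quote(APPROVED_CODE + b" # patched", nonce), nonce),
        "replayed": release_key(make_quote(APPROVED_CODE, old_nonce), nonce),
        "unsigned": release_key(make_quote(APPROVED_CODE, nonce, b"other-key"), nonce),
    }


if __name__ == "__main__":
    for case, (key, reason) in run_demo().items():
        print(f"{case:9} key released: {key is not None} ({reason})")
```

Only the first case gets the data key; the other three leave the data encrypted because the quote fails the code measurement, freshness or signature check.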

Not all data needs to be protected by confidential computing, which does require its own hardware, right down to specially designed CPUs. But it does help to overcome the general reluctance to move to the public cloud by securing sensitive data (like PII).

Confidential computing also acknowledges that cloud computing has become more complex, and no clear boundaries exist. You may use several cloud platforms or edge computing for your workloads. This stretches the threat surface and makes your data infrastructure more diffuse. So, securing sensitive data during processing in the cloud gives confidence (no pun intended) to regulators and those who fret about using sensitive data. 

Expanding use cases

Since its introduction in 2019, confidential computing development has been gathering pace. All major chip vendors, from Intel and AMD to ARM and NVIDIA, are adding key features to their hardware and software. AWS, Microsoft Azure and Google Cloud use these to create better offerings for their cloud customers. 

For example, AWS added confidential computing features with its Nitro System in its virtual machine offerings. Microsoft offers Pluton, and Google has its Titan.

New specifications are also being created. Caliptra, a joint effort by Google, NVIDIA, AMD, and Microsoft, wants to etch some security specifications onto silicon. The work followed the data exposure from the Spectre and Meltdown vulnerabilities of 2018.

Another significant development is the addition of blockchain to confidential computing. Last October, blockchain proponent R3 launched Conclave Cloud, which uses Intel’s Software Guard Extensions to drive confidential computing.

GSBN, a not-for-profit data exchange platform using blockchain, is also veering in the same direction. The organization, which counts the likes of COSCO Shipping, Hutchison Port, OOCL, Hapag-Lloyd and PSA as its major shareholders, is working with Decentriq, a CCC member, to marry confidential computing and blockchain immutability.

Edmund To, GSBN’s chief technology officer, noted that the combination could streamline logistics much better. He noted that such a design gives confidence to all the players involved in the shipping and logistics value chain to share data without worrying about losing sensitive data. Blockchain’s immutability ensures that the data being shared is not tampered with (or at least shows when someone does). Together, they can collect and share data across terminals and ships, cutting through the red tape.

Well, where’s the adoption?

Despite all the rave reviews about confidential computing, adoption is still slow. GSBN’s To feels that it is still early days. Confidential computing began by looking to solve a data security loophole. But it will take time for the CCC to prepare and advocate different use cases. 

And there are hurdles. The biggest one is economics — it is just more expensive. Confidential computing needs specialized hardware. And this will cost money. The hope is it will get less costly with further innovation and as more products enter the market. It may even become the expected standard if regulators ask for it in highly regulated industries like healthcare and banking.

Then you have performance challenges since everything is done on silicon or hardware. This means heavy workloads can be a challenge, which is why joint efforts between tech and chip giants are particularly promising. 

“It is an emerging technology and definitely one to watch. But the biggest challenge is how we can put this technology in the hands of all the people,” To explained. 

But time is not on our side. You can be sure that data thieves and personal credential harvesters are watching the confidential computing space with keen interest for nefarious reasons. It’s time to jump on the confidential computing bandwagon if you haven’t already.

Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse.
