What is Confidential Computing?
Confidential computing is an approach which takes advantage of secure enclave technology. This in turn enables the creation of a trusted execution environment (TEE) based on security features provided by the CPU Vendors.
TEE allows for the encryption and decryption of data within the CPU’s, memory and data isolation, and other security features that vary depending ont he CPU vendor. Secure enclave technology is the basis of Confidential Computing.
The Cloud and Beyond – Hardware Grade Privacy
Risk of data compromise is a massive and persistent threat which causes problems for the trust, integrity and viability of the cloud itself.
The issues of keeping data encrypted at rest in storage as well as securing data in transit, but there is still a catch 22. The issue is how to protect any data and code that is currently being used and in memory. This unfortunately seems to be a limitation by the current conventional computing architecture.
Software encryption efforts to protect this data failed. Computing hardware needs encryption keys to be decrypted and exposed in memory prior to use. This in turn leaves them vulnerable to hackers.
As a result, confidential computing helped to innovate a hardware grade architectural approach to security through secure enclaves (quite often used interchangeable with TEEs).
Confidential Computing’s main focus is on security data, specifically securing memory to eliminate fatal flaws in data when decrypting the data.
Eliminate Risk by Building in Data Security and Privacy by Default
When data is used and in memory it is exposed. Sensitive Personally Identifiable Information (PII), financial or health information is at risk in the cloud.
Cyber security companies have been fighting a losing battle to neutralize such cyber threats which results in breaches and exfiltration of highly sensitive and highly valued information.
It is important for workloads to remain unmodified as well as being capable of running anywhere and in any environment and in total isolation from attacks from the inside as well as outside.
Confidential computing solves these issues by isolating the data and executing it from within a secure space.
The CPU contains a section that can be used as the safe space or enclave where a Trusted Execution Environment (TEE) can be created. This enclave, or secure space is a memory and CPU only environment which is isolated and invisible to all other users and processes on that host.
Code can only reference itself when working in a secure enclave.
Secure Enclaves, A Major Advance, but Complicated to Setup & Deploy
To implement a secure enclave its both complex and expensive. Every application that will need to work in this enclave will need to be redesigned.
When creating a secure enclave both engineers and specialists need to be involved, which in turn increases the operating expenses.
Each CPU manufacturer has created their own secure enclave solution, these solutions are:
The above efforts created a large number of choices for customers that were already running infrastructure on-premises, hybrid, and multiple cloud environments. This raises overheads in regards to requiring more engineering personnel, more time to implement applications, as well as application performance and costs.
Secure Enclave – Neutralize Unauthorized Threats From the Inside & Out
Reinforcing security with out decreasing productivity is a big cyber security challenge. This was only made harder by the cloud, which exposed the problem of limited control over employees and 3rd party contractors used by the cloud providers also known as insiders.
Insiders have access to the host machines in order to carry out their work, which in turn gives them excessive exposure to the hosts data. All that it takes to compromise the security of an organization is one disgruntled employee to take advantage of this access.
With confidential computing this shuts down threats from data exposure to threats from cloud provider employees as well as external ones.
it takes advantage of hardware grade mitigations to exclusively secure data control as well as risks to that data. Protection of the data is key to the data, and there are no need to rely on weak perimeter security.
The owner of the data controls where it is stored, transmitted, or used across the IT architecture – Computing, storage, and communications.
In the below video we have a demonstration from Microsoft and how they achieve confidential computing in the Microsoft Azure Cloud.
Reach out to us on [email protected] for a consultation on how we can potentially improve your security posture.