Confidential computing is a concept in which encrypted data can be processed in memory to limit access to protect data in use. It is especially suitable for public clouds.
Confidential computing also focuses on software and hardware-based security. It ensures data is secured and encrypted against risks such as malicious insiders, network vulnerabilities or any threat to hardware- or software-based technology that could be compromised.
The idea of confidential computing has gained importance as public cloud services become more widely used. Organizations that use cloud computing environments benefit from the increased sense of security that confidential computing offers.
How confidential computing works
Normally, service providers encrypt data when it’s stored or transferred, but that data is no longer encrypted when in use. The goal is to process data in memory while that data is still encrypted, which reduces the exposure of any sensitive data. The only time data is unencrypted is when a system’s code allows a user to access it. This also means that the data is hidden from the cloud provider. A major component of this functionality is a hardware-based trusted execution environment (TEE), which isolates data and the computation performed on it from the rest of the hosting system.
Data security in a TEE scenario is different from traditional data encryption methods. The latter is about protecting data both in motion and in storage, while TEEs are about protecting data while it’s being processed. Put another way, end-to-end data security — before, during and after application execution — requires both.
Benefits of confidential computing
Confidential computing offers users and providers the following benefits:
- Greater data security. Data is completely isolated while an application is working with it, even from the operating system (OS) itself.
- Application integrity. It ensures that only approved code executes in the environment; unauthorized code will not process.
- Increased confidence in cloud security. Where confidential computing is occurring, data is as safe in a public cloud as in a private one.
- Secure collaboration. Confidential computing enhances the safety of data from multiple parties in shared computing scenarios.
- Compliance support. Because its confidential computing data isolation standards are so high, confidential computing assists in meeting strict compliance requirements.
Challenges of confidential computing
Although confidential computing has many benefits, it also has the following challenges:
- Performance issues. TEEs consume a great deal of computing resources, slowing down code execution.
- Development challenges. Applications generally need to be rewritten or refactored, often substantially, to run in a TEE.
- A formidable learning curve. The expertise required to deploy a confidential computing environment is considerable
- Managing keys. The encryption keys used within TEEs must be stored and managed, a complicated process that often requires the recruitment of a third party to assist.
- Hardware support. TEEs have complex hardware requirements, not available in all cloud environments.
- TEE limits. Because they are so hardware-dependent, TEEs can suffer from memory and storage constraints as system usage increases.
- No established standards. There is no accepted set of cross-platform confidential computing standards, limiting cross-platform development options.
- Vendor lock-in. Because there are no established confidential computing standards under general adoption, each vendor has its own, meaning that undertaking confidential computing can mean a risk of vendor lock-in and difficulty in migrating to a new vendor.
Confidential computing use cases
Confidential computing has many uses pertaining to protecting data in trusted environments. For example, it can be used to do the following:
- Protect data from malicious attackers.
- Make sure data complies with legislation, such as the General Data Protection Regulation, or GDPR.
- Ensure the safety of data, such as financial data and encryption keys.
- Protect data in use when migrating workloads to different environments.
- Enable developers to create applications that can move across different cloud platforms.;
Confidential computing is being used in healthcare to perform data analytics on large data sets where privacy is critical. It is also used to handle patient healthcare information and process electronic health records.
In the financial industry, confidential computing is being used to process bank transactions, credit histories and other private data, as well as to run risk analysis and fraud detection models based on real-world data.
The Confidential Computing Consortium
The Confidential Computing Consortium (CCC), a group of organizations whose goal is to build cross-platform tools for confidential computing, has largely supported and defined confidential computing. Created in 2019 under the Linux Foundation, the consortium wants to make it easier to run computations in what’s known as enclaves — a TEE that is protected from hardware, OSes and other applications.
The consortium is made up of hardware vendors, cloud providers and developers. Its function is to do the following:
- Define confidential computing and accelerate acceptance and adoption in the market.
- Develop enterprise-grade building blocks, such as open specifications and open source licensed projects using the latest technologies to enable easy development and management of enterprise-grade confidential compute applications.
- Define foundational services and frameworks that are confidential-aware and minimize the need for trust.
It also aims to support community-based projects that can protect applications, programs and virtual machines (VMs)and to aid other organizations in applying confidential security changes. In addition, the CCC developed the Confidential Consortium Framework, an open source framework for building secure and highly available applications.
Accenture, Alibaba, Arm, Google, Huawei, IBM, Intel, Meta, Microsoft and Red Hat are examples of vendors that participate in the CCC.
Confidential computing tools and providers
Confidential computing can include many different tools and services. The organizations in the CCC have already developed many tools that support trusted execution environments and confidential computing. The following is a sampling of these open source tools:
- Amazon Web Services (AWS) Nitro Enclaves. These services enable cloud teams to create isolated execution environments within an Amazon Elastic Compute Cloud instance. They use a secure local channel for communication between an instance and the enclave.
- Google Asylo. Developed by Google Cloud, it consists of an open source framework and software development kit (SDK) that uses secure enclaves to process data. Asylo is provided through Google’s container repository or as a Docker image that can be used on platforms that support TEEs. This makes Asylo more flexible in terms of hardware configurations. The Google Cloud platform also offers a suite of tools, including Confidential VMs, Confidential GKE, Confidential Dataproc and Confidential Space.
- Microsoft Open Enclave SDK. Microsoft developed this framework for building app enclaves in Azure that are supported by Windows Server Hypervisor Virtualization-Based Security. Microsoft’s Azure Confidential Computing framework uses these enclaves to encrypt data in transit, at rest and while in use. Azure provides a broad range of confidential compute offerings, including hardware, services, SDKs and deployment tools.
- Red Hat Enarx. Red Hat contributed the Enarx framework, which is like a version of Microsoft’s Open Enclave, but for Linux and public cloud environments.
The future of confidential computing
Despite its many challenges, confidential computing is expected to expand beyond its already considerable presence and provide opportunities for unification into a more cohesive industry mainstay.
The following are some potential developments:
- Technology will become an industry default. All the major cloud providers — AWS, Google and Microsoft — offer confidential computing, and all are rapidly expanding.
- Standards will emerge. The lack of standards is a major issue for confidential computing, and the platform vendors are highly motivated to move toward increased interoperability. These changes won’t be rapid, but they will be significant and persistent.
- Organizations will collaborate more closely. Confidential computing environments will make collaborative processes between organizations more practical and convenient.
- Trust models will rapidly improve. Confidential computing platforms will move toward deeper integration with existing regulatory frameworks.
- Integration of AI and machine learning. Data privacy in the context of ML supporting AI applications is a growing concern. Confidential computing environments enable ML models to be trained without the risk of exposing raw data.
- Reduced complexity and cost. As the major cloud vendors continue to invest in the confidential computing paradigm, their platform support and SDKs will rapidly improve, becoming more affordable, more efficient and less expensive.
Moving workloads and applications to the cloud can be daunting. Learn what migration security challenges exist and what best practices organizations can use to mitigate these risks.