Confidential Computing: Moving The Needle On Cloud Security
Cloud computing is omnipresent. Literally, every organization has adopted cloud in one form or the other. A significant part of enterprise workloads is already on the cloud. However, there is another side to the cloud story. While organizations are clearly aware of the broader benefits of the cloud, security puts a spoke in the wheel. Many organizations still shy away from moving more core functions and sensitive data to the cloud purely for security and privacy concerns.
Lack of skilled resources internally, legacy approach, misconfigurations of the cloud platform –all of this contribute to the problem. A recent survey indicates that over 75 percent of enterprise security experts are overly concerned about public cloud security.
Enterprises are increasing their cloud spend, moving more critical applications, and optimizing existing investments on the cloud as the global pandemic compels them to cope with the new market realities. It’s all the more critical for leading cloud providers to effectively fill the existing gap in cloud security to help enterprises make this transition smoother and to unlock the next phase of cloud adoption.
Fortunately, the answer might be around the corner—in the form of a new hardware-based security approach dubbed ‘confidential computing’.
What is confidential computing?
Data security traditionally has been built around three fundamental approaches to prevent unauthorized access –protecting data at rest, in transit, and in use. Security strategies so far have been predominantly centered around the first two states of data. As a result, at-rest and in-transition encryption standards are already well evolved. Securing ‘data in use’ however has been a challenge. Encryption as a method is largely inadequate in this area as applications need access to data in unencrypted form.
A number of data-intensive and regulated industries (eg: finserv, insurance, healthcare, media & entertainment, etc.) have significantly higher data protection requirements in terms of safeguarding customers’ PII or intellectual property assets of the organization. In many of these use cases, there is an increasing need to secure ‘data in use’. For example, healthcare dashboards accessing sensitive patient data to arrive at treatment decisions. Encryption is not a possible option in this case and access to sensitive data is inevitable.
What is the advantage of Confidential Computing?
Confidential computing promises to change the whole equation by encrypting the ‘data in use’. Through this emerging approach, data can be encrypted while it’s running in memory without exposing it to the rest of the system and even to privileged users. Data is further decrypted within the CPU using embedded hardware keys, which the cloud provider has no control over. Confidential computing is typically built on hardware-based Trusted Execution Environments (TEE), also known as Enclaves.
AWS’ Nitro Enclave, for example, provides CPU and memory isolation for EC2 instances by offering an isolated and highly constrained environment to host security-critical applications. Consider it as virtual machines that have no persistent storage, operator, or administrator access. Nitro Enclave uses Cryptographic attestation techniques, which allows customers to verify that only authorized code is running in their enclave. AWS’s aim is to enable customers to easily move sensitive workloads to the cloud while protecting their resources more efficiently.
The Future of Confidential Computing
Confidential Computing comes with great promises and is touted to be a game-changer for the cloud computing industry. Its benefits go beyond the realms of security. In the future, confidential computing has the power to promote collaboration among competitors (for example, companies working together on genomic research on cloud platforms) as it assures complete protection and privacy of sensitive data.
Confidential computing also has the potential to enable more innovative machine learning, microservices, and Blockchain use cases among enterprises. It’s considered to be the only standard that can potentially secure Blockchain transactions in which sensitive data is transmitted across the decentralized network. It can also address the security concerns around moving mission-critical workloads to a container or Kubernetes environment.