The Role of Confidential Computing in Protecting Cloud Applications and Sensitive Data from Breaches

According to the Confidential Computing Consortium: “Confidential computing is the protection of data in use using hardware-based Trusted Execution Environments (TEE). A Trusted Execution Environment is commonly defined as an environment that provides a level of assurance of data integrity, data confidentiality, and code integrity. A hardware-based TEE uses hardware-backed techniques to provide increased security guarantees for the execution of code and protection of data within that environment.”
Because the protected memory regions, or secure enclaves, established by a TEE provide encryption for data in use, they render private data invisible to cloud providers and host operating systems. They increase the level of security for organizations that manage regulated and sensitive data by preventing unauthorized entities any access or modification of data and applications while they are in use.

These unauthorized entities include anyone or thing with physical access to the hardware, including system administrators, the infrastructure owner, service providers, the host operating system and hypervisor, and other applications on the host. Data confidentiality ensures any unauthorized entity cannot access data while it is in use within the TEE. Data integrity prevents unauthorized entities outside the boundary of the TEE from changing data when it is being used. Code integrity refers to the fact that code in the TEE cannot be replaced or modified by unauthorized entities. Contrary to approaches that do not use a hardware-based TEE, these attributes assure organizations that information is kept confidential, and that the computations performed are correct, enabling organizations to fully trust the results of the computations.

With more attacks against storage and network devices foiled by data at rest and in transit security measures, hackers are now turning their attention to and targeting data in use. And with more data moving to the cloud, traditional network and physical perimeter security cannot fully protect organizations from such attacks. Attack patterns against cloud-based code and data in use include insider threats, firmware compromise, and hypervisor and container breakout. 

The protection of data and applications during execution is increasingly important for data stored and processed on edge, mobile, and IoT devices, where processing can occur in remote and often difficult areas to secure. Providers and manufacturers of edge devices must be able to prove that access to personal data is protected, that data cannot be seen by third parties or device vendors during processing and sharing, and that those protections meet regulatory requirements due to the often very sensitive personal data being generated or processed.

In the context of the public cloud, organizations must trust a multitude of elements that form public cloud infrastructures, including the provider’s host operating system, hypervisor, hardware, the firmware for core and peripheral devices, and the cloud provider’s orchestration system itself. While these providers aim to secure all these public cloud layers, confidential computing delivers security guarantees and significantly enhances the security of the applications and data deployed there.

A hardware-based TEE securing data and applications in use makes it significantly more difficult for an unauthorized entity – including one with physical access to the hardware, privileged access to the orchestration system, or root access to the host hypervisor or OS – to attack the protected data and application code. Confidential computing eliminates even the public cloud provider from the Trusted Computing Base (TCB) with attestation of platform hardware ensuring trust in the TEE. This allows those workloads to migrate to the public cloud which previously were restricted due to compliance requirements or security concerns.

For example, an application of confidential computing called private multi-party analytics involves multiple parties possessing private information that needs to be combined and analyzed without exposing the underlying data or machine learning models between parties. This use case can be applied to detecting or developing cures for diseases, preventing financial services fraud, or gaining previously unseen business insights. For example, multiple healthcare organizations can combine data to train a machine learning model to enable more accurate detection of cancers using radiology information. But in this use case, confidential computing ensures the private patient information remains confidential to the dataset owner.

Organizations can now be sure that sensitive information on remote systems is secured against compromise or attack, and this includes protection from insider threats from any partnering organizations. With confidential computing, organizations can also validate the integrity of the code processing that data. By integrating key management services, data can be decrypted in the TEE and kept secure when combined and analyzed, with the computed results being returned to each party in an encrypted format. Throughout the entire process the information remains secure, ensuring its privacy while it is transferred, during computation, and when stored. Confidential computing thereby provides the basis for complete end-to-end protection of confidential data throughout the workload lifecycle.

Confidential computing can help drive data sharing and analytics on a global basis, allowing organizations to leverage datasets previously unable to be used for collaborative exchange and analysis with other organizations. Private multi-party analytics reduces concerns and risks around security issues, loss of privacy and regulatory impacts.

Those responsible for public cloud migration and applications handling sensitive data, including those in regulated industries, should now evaluate confidential computing as a new approach to reducing the risk of a data breach.

Featured

  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West
  • SIA Releases New Report on Operational Security Technology

    The Security Industry Association (SIA) has released an impactful new resource – Operational Security Technology: Principles, Challenges and Achieving Mission-Critical Outcomes Leveraging OST. Read Now

  • Cyber Overconfidence Is Leaving Your Organization Vulnerable

    The increased sophistication of cyber threats pumped by the relentless use of AI and machine learning brings forth record-breaking statistics. Cyberattacks grew 44% YoY in 2024, with a weekly average of 1,673 cyberattacks per organization. While organizations up their security game to help thwart these attacks, a critical question remains: Can employees identify a threat when they come across one? A Confidence Gap survey reveals that 86% of employees feel confident in their ability to identify phishing attempts. But things are not as rosy as they appear; the more significant part of the report finds this confidence misplaced. Read Now

  • Mission 500 Debuts Refreshed Identity Ahead of Security 5K/2K at ISC West

    Mission 500, the security industry’s nonprofit charity dedicated to supporting children in need across the US, Canada, and Puerto Rico, has unveiled a refreshed brand identity ahead of ISC West. The charity’s new look includes a modernized logo with refined messaging to reinforce Mission 500’s nearly decade-long commitment to serving the needs of children and families in crisis. Read Now

    • Industry Events

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.