The Role of Confidential Computing in Protecting Cloud Applications and Sensitive Data from Breaches

According to the Confidential Computing Consortium: “Confidential computing is the protection of data in use using hardware-based Trusted Execution Environments (TEE). A Trusted Execution Environment is commonly defined as an environment that provides a level of assurance of data integrity, data confidentiality, and code integrity. A hardware-based TEE uses hardware-backed techniques to provide increased security guarantees for the execution of code and protection of data within that environment.”
Because the protected memory regions, or secure enclaves, established by a TEE provide encryption for data in use, they render private data invisible to cloud providers and host operating systems. They increase the level of security for organizations that manage regulated and sensitive data by preventing unauthorized entities any access or modification of data and applications while they are in use.

These unauthorized entities include anyone or thing with physical access to the hardware, including system administrators, the infrastructure owner, service providers, the host operating system and hypervisor, and other applications on the host. Data confidentiality ensures any unauthorized entity cannot access data while it is in use within the TEE. Data integrity prevents unauthorized entities outside the boundary of the TEE from changing data when it is being used. Code integrity refers to the fact that code in the TEE cannot be replaced or modified by unauthorized entities. Contrary to approaches that do not use a hardware-based TEE, these attributes assure organizations that information is kept confidential, and that the computations performed are correct, enabling organizations to fully trust the results of the computations.

With more attacks against storage and network devices foiled by data at rest and in transit security measures, hackers are now turning their attention to and targeting data in use. And with more data moving to the cloud, traditional network and physical perimeter security cannot fully protect organizations from such attacks. Attack patterns against cloud-based code and data in use include insider threats, firmware compromise, and hypervisor and container breakout. 

The protection of data and applications during execution is increasingly important for data stored and processed on edge, mobile, and IoT devices, where processing can occur in remote and often difficult areas to secure. Providers and manufacturers of edge devices must be able to prove that access to personal data is protected, that data cannot be seen by third parties or device vendors during processing and sharing, and that those protections meet regulatory requirements due to the often very sensitive personal data being generated or processed.

In the context of the public cloud, organizations must trust a multitude of elements that form public cloud infrastructures, including the provider’s host operating system, hypervisor, hardware, the firmware for core and peripheral devices, and the cloud provider’s orchestration system itself. While these providers aim to secure all these public cloud layers, confidential computing delivers security guarantees and significantly enhances the security of the applications and data deployed there.

A hardware-based TEE securing data and applications in use makes it significantly more difficult for an unauthorized entity – including one with physical access to the hardware, privileged access to the orchestration system, or root access to the host hypervisor or OS – to attack the protected data and application code. Confidential computing eliminates even the public cloud provider from the Trusted Computing Base (TCB) with attestation of platform hardware ensuring trust in the TEE. This allows those workloads to migrate to the public cloud which previously were restricted due to compliance requirements or security concerns.

For example, an application of confidential computing called private multi-party analytics involves multiple parties possessing private information that needs to be combined and analyzed without exposing the underlying data or machine learning models between parties. This use case can be applied to detecting or developing cures for diseases, preventing financial services fraud, or gaining previously unseen business insights. For example, multiple healthcare organizations can combine data to train a machine learning model to enable more accurate detection of cancers using radiology information. But in this use case, confidential computing ensures the private patient information remains confidential to the dataset owner.

Organizations can now be sure that sensitive information on remote systems is secured against compromise or attack, and this includes protection from insider threats from any partnering organizations. With confidential computing, organizations can also validate the integrity of the code processing that data. By integrating key management services, data can be decrypted in the TEE and kept secure when combined and analyzed, with the computed results being returned to each party in an encrypted format. Throughout the entire process the information remains secure, ensuring its privacy while it is transferred, during computation, and when stored. Confidential computing thereby provides the basis for complete end-to-end protection of confidential data throughout the workload lifecycle.

Confidential computing can help drive data sharing and analytics on a global basis, allowing organizations to leverage datasets previously unable to be used for collaborative exchange and analysis with other organizations. Private multi-party analytics reduces concerns and risks around security issues, loss of privacy and regulatory impacts.

Those responsible for public cloud migration and applications handling sensitive data, including those in regulated industries, should now evaluate confidential computing as a new approach to reducing the risk of a data breach.

Featured

  • Until We Meet Again

    A short three years ago we were all pondering whether to attend any tradeshows all thanks to COVID-19. Sorry to bring that nightmare up again, but it seems that little pandemic is in the rear-view mirror, and it’s time to meet again. Read Now

    • ISC West
  • Cyber Hygiene: What it Looks Like for IoT Devices

    Cyber Hygiene: What it Looks Like for IoT Devices

    For our second pillar about the Industrial Internet of Things (IIoT) Pillars of Security, we are going to discuss what cyber hygiene looks like for IoT devices. Read Now

  • ISC West Announces 2023 Keynote Series Speaker Lineup

    The International Security Conference (ISC), in collaboration with premier sponsor Security Industry Association (SIA), announced five of this year’s ISC West Keynote Series speakers. ISC West will kick off its annual conference on March 28 (SIA Education@ISC: March 28-30 | Exhibit Hall: March 29-31) at the Venetian Expo in Las Vegas, Nevada. Read Now

    • ISC West
  • Accelerating Security Modernization

    In recent years, the term “digital transformation” has been one of the most frequently used buzzwords across industries. On its most basic level, it refers to the reimagining of how an organization leverages its technology systems to improve business processes. Read Now

Featured Cybersecurity

New Products

  • ComNet NW1 Gen 4

    ComNet NW1 Gen 4

    ComNet, Communication Networks, is announcing the introduction of its Generation 4 line of NetWave® wireless products that offer greater performance and increased stability in applications where throughput and increased bandwidth is increasingly important. 3

  • Dinkle DKU Barrier Terminal Blocks

    Dinkle DKU Barrier Terminal Blocks

    New DKU screw type terminal blocks use a spring-guided system where the screws are integrated and captive within the terminal enclosure. These screws can be backed out so that ring- or U-shaped cable lugs can be inserted, without the possibility of losing the screw. 3

  • LiftMaster Garage Door Opener

    LiftMaster Garage Door Opener

    LiftMaster Transforms the Garage Door Opener Into a Sleek Smart Home Device That Does More Than Open and Close the Garage Door 3