The Role of Confidential Computing in Protecting Cloud Applications and Sensitive Data from Breaches

According to the Confidential Computing Consortium: “Confidential computing is the protection of data in use using hardware-based Trusted Execution Environments (TEE). A Trusted Execution Environment is commonly defined as an environment that provides a level of assurance of data integrity, data confidentiality, and code integrity. A hardware-based TEE uses hardware-backed techniques to provide increased security guarantees for the execution of code and protection of data within that environment.”
Because the protected memory regions, or secure enclaves, established by a TEE provide encryption for data in use, they render private data invisible to cloud providers and host operating systems. They increase the level of security for organizations that manage regulated and sensitive data by preventing unauthorized entities any access or modification of data and applications while they are in use.

These unauthorized entities include anyone or thing with physical access to the hardware, including system administrators, the infrastructure owner, service providers, the host operating system and hypervisor, and other applications on the host. Data confidentiality ensures any unauthorized entity cannot access data while it is in use within the TEE. Data integrity prevents unauthorized entities outside the boundary of the TEE from changing data when it is being used. Code integrity refers to the fact that code in the TEE cannot be replaced or modified by unauthorized entities. Contrary to approaches that do not use a hardware-based TEE, these attributes assure organizations that information is kept confidential, and that the computations performed are correct, enabling organizations to fully trust the results of the computations.

With more attacks against storage and network devices foiled by data at rest and in transit security measures, hackers are now turning their attention to and targeting data in use. And with more data moving to the cloud, traditional network and physical perimeter security cannot fully protect organizations from such attacks. Attack patterns against cloud-based code and data in use include insider threats, firmware compromise, and hypervisor and container breakout. 

The protection of data and applications during execution is increasingly important for data stored and processed on edge, mobile, and IoT devices, where processing can occur in remote and often difficult areas to secure. Providers and manufacturers of edge devices must be able to prove that access to personal data is protected, that data cannot be seen by third parties or device vendors during processing and sharing, and that those protections meet regulatory requirements due to the often very sensitive personal data being generated or processed.

In the context of the public cloud, organizations must trust a multitude of elements that form public cloud infrastructures, including the provider’s host operating system, hypervisor, hardware, the firmware for core and peripheral devices, and the cloud provider’s orchestration system itself. While these providers aim to secure all these public cloud layers, confidential computing delivers security guarantees and significantly enhances the security of the applications and data deployed there.

A hardware-based TEE securing data and applications in use makes it significantly more difficult for an unauthorized entity – including one with physical access to the hardware, privileged access to the orchestration system, or root access to the host hypervisor or OS – to attack the protected data and application code. Confidential computing eliminates even the public cloud provider from the Trusted Computing Base (TCB) with attestation of platform hardware ensuring trust in the TEE. This allows those workloads to migrate to the public cloud which previously were restricted due to compliance requirements or security concerns.

For example, an application of confidential computing called private multi-party analytics involves multiple parties possessing private information that needs to be combined and analyzed without exposing the underlying data or machine learning models between parties. This use case can be applied to detecting or developing cures for diseases, preventing financial services fraud, or gaining previously unseen business insights. For example, multiple healthcare organizations can combine data to train a machine learning model to enable more accurate detection of cancers using radiology information. But in this use case, confidential computing ensures the private patient information remains confidential to the dataset owner.

Organizations can now be sure that sensitive information on remote systems is secured against compromise or attack, and this includes protection from insider threats from any partnering organizations. With confidential computing, organizations can also validate the integrity of the code processing that data. By integrating key management services, data can be decrypted in the TEE and kept secure when combined and analyzed, with the computed results being returned to each party in an encrypted format. Throughout the entire process the information remains secure, ensuring its privacy while it is transferred, during computation, and when stored. Confidential computing thereby provides the basis for complete end-to-end protection of confidential data throughout the workload lifecycle.

Confidential computing can help drive data sharing and analytics on a global basis, allowing organizations to leverage datasets previously unable to be used for collaborative exchange and analysis with other organizations. Private multi-party analytics reduces concerns and risks around security issues, loss of privacy and regulatory impacts.

Those responsible for public cloud migration and applications handling sensitive data, including those in regulated industries, should now evaluate confidential computing as a new approach to reducing the risk of a data breach.

Featured

  • Security Today Launches 2023 Government Security Awards

    Security Today Launches 2023 Government Security Awards

    Security Today is proud to announce the launch of the 2023 Government Security Awards. The Govies honor outstanding government security products in a variety of categories. For this year’s awards program, participants can choose from 38 different categories to enter their product(s) into. Read Now

  • Back to the Basics

    Back to the Basics

    Security is a continuous evolution of practices and procedures. The developments in technology and advancements in threats make security difficult at times. Although security from one location may look different from another location, there is a common goal applied to security measures. The common goal is protection. Read Now

  • The Top Three Security Trends in 2023

    The Top Three Security Trends in 2023

    As security technology has become more widely used, the interest in new capabilities and increased security measures has increased. As we head into 2023, these three trends will shape the security landscape. Read Now

  • TSA Breaks Record Nationally and in Washington for Firearm Discoveries in 2022

    TSA Breaks Record Nationally and in Washington for Firearm Discoveries in 2022

    Transportation Security Administration (TSA) officers in Washington detected 164 firearms in travelers’ carry-on luggage in 2022, with the majority of the firearms discovered at Seattle-Tacoma International Airport’s (SEA) security checkpoints. Read Now

Featured Cybersecurity

New Products

  • Kangaroo Home Security System

    Kangaroo Home Security System

    Kangaroo is the affordable, easy-to-install home security system designed for anyone who wants an added layer of peace of mind and protection. It has several products, ranging from the fan-favorite Doorbell Camera + Chime, to the more comprehensive Front Door Security Kit with Professional Monitoring. Regardless of the level of desired security, Kangaroo’s designed to move with consumers - wherever that next chapter may be. Motion sensors, keypads and additional features can be part of the package to any Kangaroo system in place, anytime. Additionally, Kangaroo offers scalable protection plans with a variety of benefits ranging from 24/7 professional monitoring to expanded cloud storage, coverage for damage and theft. 3

  • BriefCam v6.0

    BriefCam v6.0

    BriefCam has released BriefCam v6.0, which introduces the new deployment option of a multi-site architecture. This enables businesses with multiple, distributed locations to view aggregate data from all remote sites to uncover trends across locations, optimize operations and boost real-time alerting and response – all while continuing to reap the benefits of BriefCam's powerful analytics platform for making video searchable, actionable and quantifiable. 3

  • Hanwha Techwin Wisenet XRN-6410DB4 / mXRN-3210B4

    Hanwha Techwin Wisenet XRN-6410DB4 / mXRN-3210B4

    Hanwha Techwin America, a global supplier of IP and analog video surveillance solutions, unveiled two new Wisenet X series NVRs that support the industry’s first video playback and recording of up to 8K super-high-resolution images. 3