What is confidential computing?
Confidential computing is a concept in which encrypted data can be processed in memory to limit access to protect data in use. It is especially suitable for public clouds.
Confidential computing also focuses on software and hardware-based security. Confidential computing ensures data is secured and encrypted against risks such as malicious insiders, network vulnerabilities or any threat to hardware- or software-based technology that could be compromised.
The idea of confidential computing has gained in importance as public cloud services become more widely used. Organizations that use cloud computing environments benefit from the increased sense of security that confidential computing offers.
The Confidential Computing Consortium
The Confidential Computing Consortium (CCC), a group of organizations whose goal is to build cross-platform tools for confidential computing, has largely supported and defined confidential computing. The consortium also wants to make it easier to run computations in what's known as enclaves -- a trusted execution environment (TEE) -- protected from hardware, OSes and other applications.
The consortium is made up of hardware vendors, cloud providers and developers, such as Google, Microsoft, IBM, Intel, Alibaba, Arm and Red Hat. It's function is to do the following:
- Define confidential computing and accelerate acceptance and adoption in the market.
- Develop enterprise-grade building blocks (e.g., open specifications and open source licensed projects) with the latest technologies to enable easy development and management of enterprise-grade confidential compute applications.
- Define foundational services and frameworks that are confidential-aware and minimize the need for trust.
It also aims to support community-based projects that can protect applications, programs and virtual machines (VMs). The consortium should also be able to aid other organizations in applying any confidential security changes.
In addition, the Confidential Computing Consortium developed the Confidential Consortium Framework, which is a general framework used to build both secure and highly available applications.
Examples of vendors that participate in the Confidential Computing Consortium include Accenture, Arm, Google, Huawei, Intel, Meta, Microsoft and Red Hat.
How confidential computing works
Normally, service providers encrypt data when it's stored or transferred, but the data is no longer encrypted when in use. The goal is to process data in memory while that data is still encrypted. This reduces the exposure of any sensitive data. The only time data is unencrypted is when a code on a system allows a user to access it. This also means that the data is hidden from the cloud provider as well.
Confidential computing Use cases
Confidential computing can have many uses pertaining to protecting data in trusted environments. For example, confidential computing can be used to do the following:
- Protect data from malicious attackers.
- Make sure data complies with legislation, such as GDPR.
- Ensure the safety of data, such as financial data and encryption keys.
- Make sure data in use is protected when migrating workloads to different environments.
- Allow developers to create applications that can move across different cloud platforms.
Components of confidential computing
Confidential computing can include many different tools and services.
The organizations in the CCC have already developed many tools that support trusted execution environments and confidential computing. For example, Microsoft developed the Open Enclave SDK, a framework that's used to build app enclaves. Enclaves built in Azure are supported by Windows Server Hypervisor Virtualization Based Security (VBS).
Popular confidential computing tools AWS Nitro Enclaves enables cloud teams to create isolated execution environments within an EC2 instance. It uses a secure local channel for communication between an instance and the enclave.
Microsoft has a security model called Azure confidential computing, which encrypts data in transit, at rest and while in use. There are a broad range of confidential compute offerings Azure provides, including hardware, services, SDKs and deployment tools.
Google Cloud also offers a suite of tools, including Confidential VMs, Confidential GKE, Confidential Dataproc and Confidential Space.
Asylo, from Google Cloud, is another application for confidential computing. Asylo consists of an open source framework and software development kit that uses secure enclaves to process data. Asylo is provided through Google's container repository or as a Docker image that can be used on platforms that support TEEs. This makes Asylo much more flexible in terms of hardware configurations.Red Hat contributed the Enarx framework, which is like a version of Open Enclave, but for Linux and public cloud environments.