Securing Data-in-Use With Confidential Computing

Confidential computing capabilities and services will be a competitive differentiation factor for cloud providers.

Most organizations should already have mastered the first two pillars of data protection, securing data at rest and data in transit, across their hybrid business environments. The third pillar, protecting data in use (that is, keeping data encrypted and protected while it sits in memory and is being computed on), has long been elusive, but it is now being addressed by a movement commonly referred to as confidential computing.

Forward-leaning technology companies should be updating their transformation plans so that sensitive data can be processed wherever it is needed, with data-in-use security becoming the default in the cloud within five years.


For many organizations, completing their digital transformation hinges on being able to assure, with hardware-backed controls, that no one (not a system administrator, operating system developer, cloud vendor, law enforcement agency, or attacker armed with powerful zero-day exploits) can surreptitiously access or alter the data and intellectual property they have entrusted to the cloud. As a result, confidential computing, as the third pillar of data security, is increasingly becoming a requirement for any business application deployed in the cloud.

Data protection technologies, platforms, and architectures have evolved at an astonishing pace. Compare the decades between password-protected ZIP files in the early 1990s and today's hardware-based encryption, with encryption at rest enabled by default on physical systems, or the still-ongoing migration from HTTP to HTTPS (preferably with TLS 1.3).

The global pandemic has not slowed the development of public cloud computing or of new confidential computing services. The infrastructure for confidential computing is built on hardware trusted execution environments (TEEs): enclaves on servers with Intel Software Guard Extensions (Intel SGX), and confidential virtual machines on servers that support AMD Secure Encrypted Virtualization (AMD SEV). Confidential computing capabilities have also begun to extend into cloud services, including confidential Kubernetes nodes, always-encrypted SQL databases, confidential machine-learning services, HSM-backed key management, and confidential IoT edge computing.

It can be difficult for security leaders to keep up with the hardware developments and with what each is suited for. For example, Intel SGX enclaves, with their memory encryption and integrity protection, are well suited to highly sensitive but small workloads, while AMD SEV is useful for lifting and shifting existing complex or legacy applications and services into encrypted virtual machines without rewriting code. Meanwhile, Intel Trust Domain Extensions (Intel TDX) will allow hardware-isolated virtual machines (known as trust domains); AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) protects a guest's CPU register state by encrypting it whenever the guest stops executing and control passes to the hypervisor; and many other hardware enhancements from Intel, AMD, Arm, NVIDIA and others that mitigate new and potentially invasive threats to memory, compute, and attestation will be available from the leading cloud vendors within a year or two.
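Whatever the hardware, the guarantee that "not even the cloud provider" can tamper with a workload only holds if the relying party actually verifies the attestation evidence. The following Go sketch is an added example, not code from the original article and not any vendor's real attestation format: the report layout, the names FakeTEE, Verifier and Report, and the use of a single raw Ed25519 public key as the hardware root are all simplifying assumptions (a real SGX quote or SEV-SNP/TDX report is validated against the vendor's certificate chain and carries many more fields). What it does show are the three checks every verifier must make: the evidence was signed by genuine hardware, it answers a fresh challenge (no replay), and the measurement matches an allowlisted build.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is the evidence a TEE hands to a remote verifier (assumed, simplified
// layout; real SGX/SEV-SNP/TDX reports carry more fields plus a cert chain).
type Report struct {
	Measurement [32]byte // hash of the code and initial data loaded into the TEE
	Nonce       [32]byte // verifier's challenge; binds the report to one session
	ReportData  [32]byte // workload-chosen data, typically a hash of its public key
	Signature   []byte   // hardware attestation key's signature over the fields above
}

func (r *Report) signedBytes() []byte {
	b := make([]byte, 0, 96)
	b = append(b, r.Measurement[:]...)
	b = append(b, r.Nonce[:]...)
	return append(b, r.ReportData[:]...)
}

// FakeTEE stands in for CPU firmware or a quoting enclave. On real hardware the
// attestation key never leaves the silicon; here it never leaves this struct.
type FakeTEE struct {
	attestKey   ed25519.PrivateKey
	Measurement [32]byte
}

// NewFakeTEE mints a hardware attestation key for a TEE loaded with `code` and
// returns its public half (which a real verifier obtains via the vendor chain).
func NewFakeTEE(code []byte) (*FakeTEE, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &FakeTEE{attestKey: priv, Measurement: sha256.Sum256(code)}, pub, nil
}

// Attest answers the verifier's challenge with a signed report.
func (t *FakeTEE) Attest(nonce, reportData [32]byte) Report {
	r := Report{Measurement: t.Measurement, Nonce: nonce, ReportData: reportData}
	r.Signature = ed25519.Sign(t.attestKey, r.signedBytes())
	return r
}

// Verifier is the relying party deciding whether to release secrets to a
// workload that claims to be running inside a TEE.
type Verifier struct {
	hardwareRoot ed25519.PublicKey
	allowed      map[[32]byte]string // measurement -> workload name
	issued       map[[32]byte]bool   // challenges handed out, not yet consumed
}

func NewVerifier(hardwareRoot ed25519.PublicKey) *Verifier {
	return &Verifier{hardwareRoot: hardwareRoot,
		allowed: map[[32]byte]string{}, issued: map[[32]byte]bool{}}
}

// Allow records the measurement of a build the verifier is willing to trust.
func (v *Verifier) Allow(code []byte, name string) { v.allowed[sha256.Sum256(code)] = name }

// Challenge issues a fresh nonce; each nonce admits at most one report.
func (v *Verifier) Challenge() ([32]byte, error) {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	v.issued[n] = true
	return n, nil
}

// Verify: genuine hardware signed it, it is fresh, and the code is the build we expect.
func (v *Verifier) Verify(r Report) (string, error) {
	if !ed25519.Verify(v.hardwareRoot, r.signedBytes(), r.Signature) {
		return "", errors.New("signature invalid: not from trusted hardware, or report tampered")
	}
	if !v.issued[r.Nonce] {
		return "", errors.New("nonce unknown or already consumed: possible replay")
	}
	delete(v.issued, r.Nonce)
	name, ok := v.allowed[r.Measurement]
	if !ok {
		return "", fmt.Errorf("measurement %x... not in allowlist", r.Measurement[:4])
	}
	return name, nil
}

func main() {
	code := []byte("payroll-service build 1.2") // constructed sample workload
	tee, root, err := NewFakeTEE(code)
	if err != nil {
		panic(err)
	}
	v := NewVerifier(root)
	v.Allow(code, "payroll-service")
	nonce, _ := v.Challenge()
	report := tee.Attest(nonce, sha256.Sum256([]byte("workload public key")))
	fmt.Println(v.Verify(report)) // accepted: payroll-service
	fmt.Println(v.Verify(report)) // rejected: replay of a consumed nonce
}
```

Note the order of checks: the signature is verified before the nonce is consumed, so a forged report cannot burn a legitimate challenge, and the measurement allowlist is consulted last because a valid signature from genuine hardware says nothing about whether the code inside is the build you audited.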

Clearly, confidential computing is evolving as these new hardware features are adopted and deployed by the major cloud providers and their more advanced customers.

While it is easy to get lost in the security hardware coming from the silicon vendors, security leaders planning for the long term need to ensure that the physical infrastructure reliably locks down the compute, memory, and data they own or process against prying eyes (especially those of the cloud provider and the software stack vendors), and that every cloud service they consume from the leading public cloud providers is delivered inside such a protected environment. Within five years the term "confidential computing" is likely to fall out of use, as the capability simply becomes part of every cloud service.

In the meantime, confidential computing capabilities and services will be a competitive advantage for the large cloud providers.

As the underlying hardware evolves and public cloud providers strengthen their ability to assure the confidentiality, integrity, and security of every service they offer, enterprise technology leaders must evaluate each cloud service individually, and should expect a short-term lock-in to a particular provider's confidential computing platform for the applications their own engineers build on it.


From anti-money-laundering and customer analytics in financial services, to privacy-preserving joint disease diagnosis and drug development in healthcare, to joint intelligence analysis and anti-corruption work in government agencies, the range of possibilities is wide, and the new business solutions built so far on confidential cloud computing represent only a small fraction of what will emerge.

Some companies are content to wait until data-in-use security is ubiquitous before completing their digital transformation. But as confidential computing capabilities grow and new secure cloud services arrive, technology companies have a clear opportunity to innovate and partner with cloud service providers to bring new categories of secure products to market, ahead of both competitors and regulators.

Related: Microsoft and Google have announced expanded availability of confidential virtual machines.

About the author

Gunter Ollmann is currently the director of Microsoft's Cloud Security and Artificial Intelligence business unit. He is an experienced information security leader who has identified and pursued new security markets through his work with world-class companies such as Microsoft and IBM X-Force, as well as startups such as IOActive and Damballa. As an experienced C-level executive and technologist, Mr. Ollmann has been involved in dozens of M&A transactions (as a buyer, acquirer, advisor, or consultant) ranging in value from tens of millions of dollars to billions of dollars.