As our lives move into the cloud, protecting our information becomes vital. This is especially evident in projects where people collaborate to use vasts amount of confidential data for business.
Data, however, needs to be undoubtedly protected and each handler along the value chain needs to be trustworthy with that data. Since people can step out of line and commit wrongs, illegal, unethical, or just for their own gain and against the rules, systems need to be in place to spot these wrongdoings.
We are fast reaching a stage where the value of a business lies in its data processing capability and therefore it is a priority to secure this data, especially when in use and not just in storage.
A break-through approach
So much of our data is being collected by all kinds of authorities and it is frightening that we don’t know what these groups want to do with our information. It’s so difficult to hide nowadays.
In the past, those who committed crimes or did strange things used to disappear for months or years. But in today’s age, nobody can hide because you can now leave a data trail.
As the world changes at a rapid pace, aided by technology, data needs to be protected and people and institutions need to be able to sleep at night knowing that their information is safe.
Enter a new security industry initiative called Confidential Computing. Brainy people from the information technology world are doing their utmost to establish how they can secure data in use.
How it works
Applications process data by interfacing with a computer’s memory. Before any application can process data, it has to go through decryption in the memory. Data is, for a moment, unencrypted, and left exposed. It can be accessed, encryption-free, right before, during, and right after it has been processed. This leaves it exposed to threats like memory dump attacks. These involve capturing and using random access memory (RAM) put on a storage drive in the event of an unrecoverable error.
The attacker triggers this error as part of the attack, which forces the data to be exposed. Data is also exposed to root user compromises, which occur when the wrong person gains access to admin privileges and can therefore access data before, during, and after it has been processed.
Confidential (container) computing solves this issue by using a hardware-based architecture known as a trusted execution environment (TEE). This is a secure coprocessor inside a CPU (central processing unit). Embedded encryption keys are used to secure the TEE.
To ensure the TEEs are only accessible to the application code authorized for it, the coprocessor uses attestation mechanisms that are embedded within. If the system comes under attack by malware or unauthorized code as it tries to access the encryption keys, the TEE will deny access and cancel the computation.
This allows sensitive data to stay protected while in memory. When the application tells the TEE to decrypt it, the data is also released for processing. While the data is decrypted and processed by the computer, it is invisible to everything and everyone else. The cloud provider, other computer resources, hypervisors, virtual machines, isolated containers, and operating systems cannot see the data.
Why it matters
Essentially, confidential computing allows you to isolate your sensitive data while it is being processed. It is isolated within a protected CPU which most users cannot access.
In fact, this data is only accessible to specially authorized—for the purpose of providing privileged access—programming code. The CPU’s resources are invisible and cannot be discovered by any person, program, or cloud provider.
The data encryption concept is key to cloud computing. Cloud providers have for years encrypted data at rest, sitting in a database or a storage device. They have also encrypted data in transit, moving through each network. These have long been central aspects of cloud security. However, with confidential computing, in addition to data that is at rest and in transit, data in use is also protected with encryption. Confidential computing protects data and your applications as you use them. In a nutshell:
Confidential computing secures your intellectual property.
It enables secure encryption across the lifecycle of each byte of data.
It prevents insider attacks as well as unauthorized access to your data.
It helps you control your data and seamlessly migrate or move workloads to the cloud.
Its usage is growing
Confidential computing is becoming vital to the health of data. It is a response to the need for trustless security in a cloud computing environment. It is the solution for users who need to believe that their software, computational workloads, and data are not left open to cloud service providers, organizations or any individuals they do not want to have contact with.
It is used in various industries. Doctors, for example, can protect patient information; bankers can secure financial data and computer scientists can run machine learning processes on sensitive information. The public sector comes to mind when dealing with large amounts of data. Public databases of citizens are a great source for a hack/data breach.
It also offers a no-brainer use-case for the eCommerce industry (Amazon, WordPress etc.) and performs the functions:
- A significantly reduced Attack Surface
Confidential Containers provide hardware-based memory protection that enhances data security. At any moment in time, the microservices running in the containers, processing the data, and forwarding the data to other microservices are protected.
- A reduced ‘Bounce Rate‘
Confidential Containers enable GDPR/CCPA-compliant Web analytics that enhances data privacy. At any moment in time during the analysis, data will remain anonymous. Neither the merchant nor the data that is ‘enclaved’ or the infrastructural platform can de-anonymize the data. Analytics compliant with data privacy regulations by design are not obligated to explicitly ask for consent, allowing for the removal of the cookie banner.
- Less Marketing/Advertisement Costs
With more accurate Web analytics that enhance the derived insights, you can get a better ROI on your marketing efforts. Data in use must not be synthesized, as required by data anonymization techniques that inject noise into the data.
The future is about working together
Large organizations also understand confidential computing’s importance. Some of the largest CPU manufacturers got together in 2019 and formed the Confidential Computing Consortium (CCC). This included VMware, Baidu, Tencent, Swisscom, AMD, Intel, Microsoft, Google, IBM, Red Hat, and Oracle.
The CCC aims to set standards for the industry that will promote the open-source development of confidential computing resources.
It is great to know that there are efforts to help battle the scourge of data theft, ransomware, and overall privacy (while staying GDPR compliant). This type of protective computing is a more genuine effort rather than just offering products that add many (often expensive layers of protection) which still have some vulnerable leakages.
The next progressive step is then to enable you to launch your apps and entire infrastructure on a public setting – this is where the confidential cloud (a first of its kind) comes into play – more about this next step here
To learn more about how your business can start and set up a secure cloud/container computing environment get in touch!
More advanced CISOs can request a demo here