Awesome AI start-up offers a proprietary algorithm for voice recognition. Health-hero hospital collected a large set of patient interviews audio recordings; it needs to transcribe and index them to define a new treatment protocol for an elusive rare condition. They need to work together, but how? Offer voice recognition as a cloud service and just stream audio recordings with intimate personal information? Or perhaps run the algorithms on the hospital’s infrastructure to process data? Neither approach solves this without giving away either sensitive personally identifiable information or valuable proprietary algorithms. Confidential Computing can help, and there are several hardware platforms to choose from. In this article we are comparing the different confidential computingConfidential Computing is a new hardware-platform security mechanism to protect data in-use. It allows processing sensit... More platforms.
Solving multi-party collaboration with confidential computing
Multi-party collaboration and data sharing is on everyone’s radar lately. CanaryBit’s Confidential Cloud offers solutions for secure data sharing and data collaboration. And it’s about much more than just data! Datasets, code, models, or algorithms are all valuable data assets. Confidential Cloud processes digital assets in an encrypted environment implemented with confidential computing on commodity server platforms. Several leading platform vendors released or announced their confidential computing implementations. Since they are all different, it’s important to compare the confidential computing platforms. CanaryBit compared together with colleagues from KTH Royal Institute of Technology and RISE vendor implementations of confidential computing and reported the results in a research article.
Join the (virtual) 2022 IEEE International Symposium on Secure and Private Execution Environment Design on September 27 for a presentation of the findings reported in “SoK: Confidential Quartet: Comparison of Platforms for Virtualization-Based Confidential Computing”.
Comparing confidential computing platforms
We reviewed confidential computing implementations from four leading vendors of enterprise server platforms (in alphabetical order): AMD SEV-SNP, ARM CCA, IBM PEF and Intel TDX (we didn’t consider SGX). Following a brief description of how each of these technologies works, we compared them along eight diverse dimensions. There was a lot of ground to cover: deploying secrets; use of encryption; protection from other, neighbour virtual machines; protection from hypervisor attacks; communication; software support and attestationAn Attestation is a validation process performed against μ-processors with Confidential Computing capability. It valida... More, and more.
Perhaps unsurprisingly, it turns out that many implementation aspects are similar across the four vendors. In many cases, solutions are similar since they consider the same adversary model or build on best-practices learned from past mistakes. Backward compatibility or relative ease of upstreaming software support push towards convergence too. On the other hand, there are some diverging designs when it comes to remote attestation or support for virtual machine migration. CanaryBit contributes to IETF standardisation work on confidential computing, and we hope that upcoming standards will encourage interoperability between implementations.
Software Support Needed
Our analysis shows that the confidential computing ecosystem needs more tools and software support to drive a broader and more comprehensive adoption. This will help provide a richer functionality to the growing base of early adopters. This will also help get a more nuanced understanding of the trade-offs and differences between performance, setup complexity and security guarantees of confidential computing. CanaryBit’s Confidential cloud includes standalone services for confidential computing resource orchestration and for verification and validation of security attestation results.
We also launched a call for action to improve software support for Confidential Computing at the recent OpenInfra Forum held in Berlin in June this year.
Conclusion
We reviewed confidential computing implementations from four leading enterprise platform vendors and published a paper at SEED’22. In many cases they have similar approaches that build on security best practices or lessons learned from earlier vulnerabilities. Not all confidential computing implementations are created equal, since they assume slightly different adversaries and offer different security features. Such slight differences build up, making the choice of confidential computing platforms a tricky exercise. CanaryBit can guide you in choosing the right platform to process your data using Confidential Cloud.
