New hardware security features and ongoing industry standardization created a novel cloud security paradigm called Confidential Computing is a new hardware security mechanism to protect data in-use. It allows processing sensitive workl... More. It allows creating isolated, verifiable, secure, user-controlled trusted execution environments. This approach drastically reduces the trust that customers needs to place in cloud providers. Best of all, it opens new capabilities for business exchanges. To speed up the adoption of better security in cloud computing, several industry actors have started the Confidential Computing Consortium under the Linux Foundation.
How does a Trusted Execution Environment work?
A Trusted Execution Environment (TEE) allows guaranteeing protection, confidentiality and integrity of data. At any time, users can obtain a verifiable statement (called An Attestation is a validation process performed against μ-processors with Confidential Computing capability. It valida... More) about the security properties of the TEE. Service providers can in turn use attestations to prove to users and third parties the security of the service running in the TEE.
Users and service providers can create TEEs using hardware security features widely available across server platforms, desktops and mobile devices (such as Intel SGX, AMD SEV, IBM PEF, ARM TrustZone).
At CanaryBit, we see plenty of cases where confidential computing can make a difference. Confidential computing is not only about “more security”. Confidential computing allows to reduce costs, simplify audit and compliance reporting, and offer an alternative in the trade-off between privacy and convenience.
Benefits of Confidential Computing
Consider some benefits, such as:
- Lower cost to enforce, demonstrate and audit data security compliance.
CISOs can automate security compliance to a very large degree using tools leveraging confidential computing.
It allows reducing the time (and cost) to verify the security of the computing infrastructure.
- Secure enclaves allow businesses to combine and process data from several sources, potentially even without getting access to the raw data.
This is much more efficient compared to other, cryptographic solutions (such as multiparty computation).
- Lower cost to process data in a secure computing environment.
Instead of dedicating costly efforts to set up and operate a secure data processing environment, organizations can process security-sensitive data in enclaves on public clouds.
End-users can set up TEEs and run cloud services inside such protected environments. They can keep full control over data, both at rest and while being processed.
Some examples of services include cryptocurrency wallets, password managers, personal digital health record archives and finance management tools.