What is Confidential Computing and Why Should I Care?

Individuals and enterprises all around the globe are widely using cloud computing. It allows seamless data access across multiple devices, collaborative work and centralised data storage. However, using the cloud means a compromise in terms of data privacy, control over data placement and data portability across cloud providers. While some challenges have promising solutions, they remain unfulfilled. Despite strict administrative controls by cloud providers, there are still ways to access the processed data. Cloud provider end-user agreements explicitly inform that data can be processed in third-party countries. Finally, the frustrating grip of cloud provider lock-in is evident to anyone who tried to export and migrate all their data from a cloud service.

New hardware security features and ongoing industry standardization created a novel cloud security paradigm called confidential computingConfidential Computing is a new hardware security mechanism to protect data in-use. It allows processing sensitive workl... More. It allows creating isolated, verifiable, secure, user-controlled trusted execution environments. This approach drastically reduces the trust that customers needs to place in cloud providers. Best of all, it opens new capabilities for business exchanges. To speed up the adoption of better security in cloud computing, several industry actors have started the Confidential Computing Consortium under the Linux Foundation.

How does a Trusted Execution Environment work?

A Trusted Execution Environment (TEE) allows guaranteeing protection, confidentiality and integrity of data. At any time, users can obtain a verifiable statement (called attestationAn Attestation is a validation process performed against μ-processors with Confidential Computing capability. It valida... More) about the security properties of the TEE. Service providers can in turn use attestations to prove to users and third parties the security of the service running in the TEE.

Users and service providers can create TEEs using hardware security features widely available across server platforms, desktops and mobile devices (such as Intel SGX, AMD SEV, IBM PEF, ARM TrustZone).

Use-cases

At CanaryBit, we see plenty of cases where confidential computing can make a difference. Confidential computing is not only about “more security”. Confidential computing allows to reduce costs, simplify audit and compliance reporting, and offer an alternative in the trade-off between privacy and convenience.

Benefits of Confidential Computing

Consider some benefits, such as:

1. Lower cost to enforce, demonstrate and audit data security compliance.
   CISOs can automate security compliance to a very large degree using tools leveraging confidential computing.
   It allows reducing the time (and cost) to verify the security of the computing infrastructure.
2. Secure enclaves allow businesses to combine and process data from several sources, potentially even without getting access to the raw data.
   This is much more efficient compared to other, cryptographic solutions (such as multiparty computation).
3. Lower cost to process data in a secure computing environment.
   Instead of dedicating costly efforts to set up and operate a secure data processing environment, organizations can process security-sensitive data in enclaves on public clouds.

End-users can set up TEEs and run cloud services inside such protected environments. They can keep full control over data, both at rest and while being processed.
Some examples of services include cryptocurrency wallets, password managers, personal digital health record archives and finance management tools.