Confidential Computing

In a computing environment, data exists in three states: in transit, at rest, and when used. "On the go" means that the data moves across the network, "at rest" - that they are in storage, and "in use" they are when they are processed. As enterprises successfully counter cyber attacks on networks and storage devices where data is at rest or on the go, attackers have shifted their attention to the data used. Common attack vectors include memory scanning, third-party CPU (side-channel attack) attacks, and malware deployment ^[1].

Confidential computing is the protection of data in process with trusted hardware environments. TEE is an environment that guarantees a certain level of security, data privacy, and code integrity. Security strategies should include all levels of potential intrusion. If one level is compromised (e.g., data being processed), then other levels (resting data, moving data) may be affected. Confidential computing closes the last "hole" for intruders to penetrate and can significantly strengthen an organization's overall security strategy.

Confidential Computing on the rise

Organizations have been striving for decades to protect data with multiple security strategies, and confidential computing is the first solution of its kind to strengthen an organization's data protection strategy by strengthening one of its focus areas. Advances in processor and memory chip design pave the way for more features to be embedded in standard chipsets and thus contribute to the quantitative and qualitative growth of confidential computing solutions.

Typically, entering the market of each new technology initially causes difficulties, but then the explanatory work carried out by the technical community and industry experts contributes to its popularization. At this stage, confidential computing is still at an early stage of implementation, so there is no conventional implementation scheme for it. Many suppliers position them in different ways, which can mislead information security specialists.

As for the speed of technology adaptation, an analogy from the field of key management can be cited as a good example. If there were no Key management interoperability protocol (KMIP), then to deploy any encryption solution, an enterprise would need a separate protocol to communicate with some form of key manager. At first, KMIP seemed like an unnecessarily complex technology, but the problems were eventually fixed. As a result, the key management solutions available on the market that use KMIP are inexpensive, do not cause difficulties in deployment and further operation. It is expected that the introduction of confidential computing will follow the same path that KMIP and many other technologies have gone before it.

As the confidential computing market evolves in the next few years, significant changes are expected. Initially, each implementation option will probably require its own chip-level hardware as well as software to manage it. There is every reason to believe that growing consumer demand will force chip manufacturers to standardize them so that end users have a single method of protecting the data being processed. It will also push the software industry to innovate as soon as possible to improve the manageability and compatibility of sensitive computing with other security management systems.

What you need to know when implementing Confidential Computing

Since sensitive computing has yet to conquer the market, information security professionals should learn how to deploy TEE to critical enterprise applications, realizing that they will vary depending on the hardware required to implement a solution. For example, if the TEE is run in a data center, the environment management tools must be provided by an equipment provider that is a partner of the enterprise. For this type of TEE, hardware-assisted methods are used - secure enclaves that provide increased security guarantees for code execution and data protection. Examples of hardware enclaves are Trusted Platform Modules (TPM), Intel Secure Guard Extensions (SGX), ARM Trustzone, and AMD Secure Encrypted Virtualization (SEV). However, companies that use cloud services usually use TEEs provided by the provider as a service. These include Azure Confidential Computing based on Intel SGX and Google Cloud Confidential Computing.

Although hardware security modules (HSMs) can take advantage of confidential computing, they are still a separate part of complex and expensive hardware that needs to be managed. At the same time, software key managers can run on any hardware offered within the existing TEE, which allows you to take advantage of confidential computing, which in terms of security quality is comparable to hardware solutions, but is cheaper.

2022:4 challenges slowing progress in confidential computing

In 2022, there are four main challenges slowing progress on privacy computing:

1. Many of these methods require new software tools and changes to use the data. Being able to make full use of these tools and support change can take considerable time and effort from already occupied teams.

2. Privacy practices can in some cases reduce speed and performance, which can cause problems when analyzing and distributing data in motion and in real time.

3. There is no easy way to maintain control over the management and use of data when it is in the wrong hands, raising potential privacy or regulatory risks.

4. Finally, there are certain regulatory barriers to privacy and data ownership that need to be addressed before computing resources that remain confidential can reach their full potential. Nevertheless, work is underway on all these fronts, and it is quite reasonable to assume that by 2024, data technologies with confidentiality will offer a wide range of uses and opportunities.

Notes