With the increasing popularity of the multi-cloud, hybrid cloud, and edge computing, workloads and datasets are more distributed than ever. This helps organizations gain tremendous insights but makes cybersecurity increasingly challenging to achieve.
The need for stronger data security standards has made technology industry leaders join forces to come up with a solution to this challenge. In 2019, the Linux Foundation formed a community dedicated to accelerating cloud computing adoption, naming it the Confidential Computing Consortium (CCC). Its members are working to usher in a new era of cybersecurity, enabling safe and standardized processing of sensitive information across different cloud environments. Intel is one of the founding members of CCC, and this year marks the launch of their innovative solution set to enable widespread adoption of confidential computing.
Back in 2020, Gartner included confidential computing among 33 technologies on its Hype Cycle for Cloud Security. To understand this rising need for confidential computing better, we need to grasp how and where sensitive data gets exposed to threats.
There are three stages of the data lifecycle: at rest, in transit, and in use. Throughout these stages, data is vulnerable to malicious action. Traditional protection of stored data and data on the move involves encryption and tokenization. These processes keep data safe even if hijacked since stolen assets are useless without the encryption key unlocking their contents. Through filesystem encryption, encrypted storage drives, high-level crypto algorithms, TLS protocols, and other protection methods, data at rest and data in transit stay safe against threats.
However, protecting data in use is much more challenging. Data needs to be unencrypted to be used. This exposes it to malicious activity aiming to tamper with it or hijack it.
Protecting sensitive data in use requires the following:
Encrypting everything
Isolating sensitive workloads and data
Staying compliant
Building trust
Enabling safe collaboration
This is where confidential computing comes in. It is a hardware-based technology that allows for physical partitioning of memory at the CPU level, protecting data while being actively processed. Intel® has recently launched its 3rd Generation of Xeon® Scalable processors, with hardware supporting the newest version of Intel® Software Guard Extensions (Intel® SGX) for servers and data centers. Intel® SGX helps businesses achieve confidential computing by keeping critical data isolated and protected against threats, visible only to authorized parties.
Intel® SGX tackles the challenges of protecting data in use by isolating data inside private enclaves in the CPU memory. These enclaves form Trusted Execution Environment (TEE) rooted in hardware, enabling data protection where it is most difficult to be breached - low in the stack. Hardware-based memory encryption allows for processing sensitive data inside this trusted environment even while running on an untrusted system, bypassing potentially compromised OS, VMs, or applications.
Reducing the attack surface to a minimum, Intel® SGX overcomes the following challenges to ensure confidential computing of data in use:
Intel® SGX enclaves contain sensitive data and special instructions for processing it, along with encryption keys without which the data cannot be decrypted. These keys are only accessible to the trusted application, and other parties in the system cannot see them. Similarly, only authorized entities can modify the code and view sensitive data while inside the enclave. Not even the cloud provider or operating system can access it.
Through attestation, the entire platform and the enclave are measured and validated before any data is shared. An Intel® SGX enclave can request a local report from itself or another enclave that is a part of the same platform. This report is used for data checking and verification, ensuring that the right application is being executed on the right platform. Once the trust between enclaves has been established, they can share session keys through a protected session. These reports can also be sent to a remote party for confirmation. Upon establishing trust through attestation, the data is shared through a secure channel invisible to external parties.
Intel® SGX has a procedure for protecting the data inside the TEE in case of hardware-related issues such as side-channel attacks or insider threats. The microcode of a platform gets validated to check if it is out of date. In case of any suspicious mismatch, the platform is not trusted until it gets updated correctly. This is also applicable in version updates of the platform components. Enclave clients can check if the update was done correctly or not and refuse sensitive data upload until the potentially vulnerable platform gets adequately updated.
Verifying valid code and data signatures helps parties achieve transparency and accountability without exposing confidential data. These principles prevent software attacks even if the firmware and/or BIOS have been compromised. Also, they keep the data inside the TEE safe in case of RAM-directed attacks such as memory bus snooping, memory tampering, and “cold boot” insider attacks.
Confidential computing protects verticals where data is strictly regulated and where breaches can lead to irreparable damage through loss of finances, reputation, or client trust. Additionally, confidential computing promotes collaboration without risking compromising regulations or revealing sensitive information.
The finance industry can leverage Intel® SGX technology to ensure regulatory compliance and audit, preventing money laundering. For example, a bank may share a potentially fraudulent account with another bank in or outside its network to audit it and minimize the chances of false positives. The suspicious data can be stored in an enclave, and data records shared between different sources, obtaining results without revealing any sensitive information.
Similarly, insurance companies may collaborate for fraud protection. A suspicious claim can be shared between insurance providers for pattern recognition without any sensitive data being revealed in the process.
Confidential computing also ensures intellectual property protection. It allows two research institutes to work together and come to scientific breakthroughs or new treatment models, sharing insights and results while keeping the underlying code or patient information secret.
The same federated learning capability can be applied to governmental or any other organization, whether they are a competition to one another or not. Confidential computing grants them an opportunity to do more together without revealing anything they do not want to. Datasets aggregated through such collaboration can be used for AI training, generating results that were previously impossible to get.
As industries develop more applications using Intel® SGX technology, the possible utilization of confidential computing expands. phoenixNAP has made it available through specialized, Intel® SGX-enabled instances within its Bare Metal Cloud platform. This hardware-enhanced security helps organizations ensure maximum data protection and compliance readiness. It enables confidential computing, stimulating business growth through various use cases, including the above-mentioned ones.
We are entering a new era of cybersecurity. An increasing number of organizations are embracing confidential computing as a part of their security strategy. As a result, Intel® SGX is present in numerous cloud service deployments across the globe.
With a large number of installations worldwide, the technology is proved to be robust and capable of meeting customer expectations, thus proving that confidential computing is available today. By expanding its use cases and extending its functionality throughout the multi-cloud, the further development of this exciting new technology is as certain as the data growth that drives it.