When looking at data protection practices, we first must look at the three basic states for data: at rest, in transit, and in use. Whenever data is stored, it is at rest. When data is processed by any means, it is in use. And if data is travelling across networks, that data is in transit. Data will reside in public clouds, Software as a Service solutions and third-party environments, as well as in private clouds. It will be stored in SQL databases, NoSQL databases, and other forms of storage systems. In some cases, we see a clear need to secure data in use, and this blog post looks into that.
The case for confidential computing
Good encryption practices developed over decades are normally used to secure data at rest and in transit. On many cloud service provider (CSP) platforms this is a built-in feature for cloud applications, offered as so-called service encryption. During the last couple of years, we have seen that the leading CSPs have implemented capabilities to offer services for protecting data in use as well. This development of the data encryption services is due to the maturity and implementation of a set of encryption technologies under the term Confidential Computing (CC).
Did we catch your attention? During our LinkedIn Live event “Let’s talk tech: Cyber security – the foundation for modern banking” we can promise you new insights and aha moments on the subject.
CC provides an encryption solution to secure data in use by isolating sensitive data and code during processing. CC leverages hardware-based Trusted Execution Environments (TEE) to protect the data that is being processed. Within the TEE are secure enclaves protected by encryption with a key that is unique to the CPU and to the application within the secure enclave. Data stays encrypted in memory and is only decrypted when used within the CPU. This isolation creates a protected space where no unauthorized entity can read, write, alter or remove either data or code.
Confidential Computing Actors
The Confidential Computing Consortium is working to accelerate further development, and the consortium has defined three different segments:
- Hardware and architectures that help create isolated, non-virtual environments for secure execution of code and data, including HW architectures for TEE, microprocessors/controllers, TEE-based Hardware Security Modules and TEE-capable servers
- Software for the operation of hardware-based TEEs, including hypervisors/OSs, IaaS for TEE-based VMs/containers, HW and SW attestation services, and PaaS
- Services for the implementation, integration and managed services to build or migrate applications to a HW-based TEE.
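The enclave model above (a key rooted in the CPU, code and data isolated during processing) is only useful to a relying party if it can check which code is running before handing over a secret; that is the job of the attestation services listed under the software segment. The following is an added example, not code from the post or from any of the vendors named here: a deliberately simplified attestation exchange in which the hardware-rooted signing key is modelled by an HMAC key and the enclave "measurement" by a hash of the deployed code (all values constructed). The verifier releases a data key only when signature, nonce and measurement all check out.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the hardware-rooted attestation key.  A real TEE
# signs its report with a key fused into the CPU; an HMAC over a shared secret
# models that trust root well enough to show the verifier's control flow.
PLATFORM_KEY = b"constructed-platform-attestation-key"

# The relying party only releases its secret to an enclave whose code
# measurement matches the hash of the code it deployed (constructed sample).
TRUSTED_ENCLAVE_CODE = b"def process(record): return record.upper()"

def measure(enclave_code: bytes) -> str:
    """Measurement: hash of the code loaded into the enclave."""
    return hashlib.sha256(enclave_code).hexdigest()

EXPECTED_MEASUREMENTS = {measure(TRUSTED_ENCLAVE_CODE)}

def produce_quote(enclave_code: bytes, nonce: bytes) -> dict:
    """Enclave/platform side: report the measurement bound to the verifier's
    nonce, signed with the platform key so its origin can be checked."""
    measurement = measure(enclave_code)
    payload = measurement.encode() + b"|" + nonce.hex().encode()
    sig = hmac.new(PLATFORM_KEY, payload, hashlib.sha256).hexdigest()
    return {"measurement": measurement, "nonce": nonce.hex(), "sig": sig}

def verify_quote(quote: dict, expected_nonce: bytes) -> bool:
    """Verifier side: signature (genuine platform), nonce (fresh, not a
    replay) and measurement (code we trust) must all check out."""
    payload = quote["measurement"].encode() + b"|" + quote["nonce"].encode()
    expected_sig = hmac.new(PLATFORM_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False  # not produced by the platform key, or tampered with
    if quote["nonce"] != expected_nonce.hex():
        return False  # stale quote replayed from an earlier session
    return quote["measurement"] in EXPECTED_MEASUREMENTS

def release_secret(enclave_code: bytes, nonce: Optional[bytes] = None) -> Optional[bytes]:
    """Whole exchange: verifier picks a nonce, enclave answers with a quote,
    and the data key is released only if the quote verifies."""
    nonce = nonce or secrets.token_bytes(16)
    quote = produce_quote(enclave_code, nonce)
    return b"constructed-data-encryption-key" if verify_quote(quote, nonce) else None
```

A modified enclave yields a different measurement, so the same platform key no longer earns the secret; reusing an old quote fails on the nonce check.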
There are already many implementations of Confidential Computing, and below is a list (as of November/December 2022) of some of them:
- Amazon Web Services Nitro Enclaves for secure isolated compute environments
- Google Cloud Platform Confidential Computing with Confidential VMs, confidential GKE nodes, confidential Dataproc and confidential Space
- IBM Confidential Computing with Cloud Data Shield to run containerized applications, Cloud Hyper Protect Crypto services and Cloud Hyper Protect Virtual servers
- Microsoft Azure Confidential Computing with confidential VMs, confidential Containers, Always Encrypted SQL, confidential ledger and Azure Attestation.
Other solutions aiming to protect data in use
There are two other technologies that aim to protect data in use: FHE and MPC. These are not in focus in this blog, but they are briefly summarized:
- Fully Homomorphic Encryption (FHE): This family of encryption methods allows data to be run, processed and analysed without first decrypting it. Data can stay encrypted while it is in use. The advantages of FHE include the protection of highly sensitive data that can be computed in high-powered cloud platforms, for example. Studies have also stated that FHE is resilient to quantum attacks. The drawback of FHE is that it is extremely slow.
- Multi-Party Computation (MPC): This is a privacy-preserving computational model where different parties in a business relationship can share data, do computations, and get a mutual result without disclosing each party's private data. Today's solutions mostly rely on distributed ledgers, usually a blockchain. In this setup each party trusts the data in the ledger.
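To make the MPC idea concrete, here is an added example that is not from the post and not one of the ledger-based products it refers to: additive secret sharing, a basic MPC building block, used by three parties to learn only the sum of their private figures. Inputs and the field modulus are constructed; the example assumes honest parties who do not pool the shares they receive.

```python
import secrets

# Constructed example: three parties each hold a private figure and want only
# the total.  Every party splits its value into random shares over Z_p, hands
# one share to each other party, and publishes the sum of the shares it
# received.  The published partial sums add up to the total, while any single
# share is uniformly random and reveals nothing about the input it came from.
PRIME = 2**61 - 1  # field modulus; all arithmetic is mod PRIME

def share(value: int, n_parties: int) -> list:
    """Split value into n_parties shares that sum to value mod PRIME."""
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares

def reconstruct(shares: list) -> int:
    """Recombine a complete set of shares; fewer than all of them tell nothing."""
    return sum(shares) % PRIME

def mpc_sum(private_inputs: list) -> int:
    """Simulate the protocol in one process: party i receives shares[j][i]
    from every party j and publishes only the sum of what it holds."""
    n = len(private_inputs)
    shares = [share(v, n) for v in private_inputs]   # shares[j] is party j's split
    views = [[shares[j][i] for j in range(n)] for i in range(n)]  # what party i holds
    partial_sums = [sum(view) % PRIME for view in views]  # each party publishes one number
    return reconstruct(partial_sums)
```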
The further development of these privacy-enhancing security technologies is promising. Protecting data in use can provide a foundation for new forms of interactions and collaborations, while preserving the integrity of the most sensitive parts of that collaboration. We need to be a part of this development and adopt use cases that serve either the needs of many or an added layer of data security where necessary. Confidential computing now offers practical applications for those needs.
Listen in to Predrag and the other amazing speakers at “Let’s talk tech: Cyber security – the foundation for modern banking” on March 30 at 11:30 CEST!