Confidential computing is a concept in which encrypted data can be processed in memory while access to it is limited, so that data in use is protected. The concept is promoted by the Confidential Computing Consortium, a group of organizations that wants to build tools supporting the protection of data. It is especially suitable for public clouds.
Confidential computing also focuses on software- and hardware-based security. It ensures data is secured and encrypted against risks such as malicious insiders, network vulnerabilities or any threat to hardware- or software-based technology that could be compromised.
The idea of confidential computing has gained in importance as cloud services become more widely used. Organizations that use cloud computing environments benefit from the increased sense of security that confidential computing offers.
The Confidential Computing Consortium, a group of organizations whose goal is to build cross-platform tools for confidential computing, has largely supported and defined confidential computing. The consortium also wants to make it easier to run computations in what's known as enclaves -- a trusted execution environment (TEE) -- protected from hardware, OSs and other applications.
The consortium is made up of hardware vendors, cloud providers and developers, such as Google, Microsoft, IBM, Intel, Alibaba, Arm and Red Hat. The group has the goal of developing and supporting open source tools and frameworks for cloud computing environments. The consortium also aims to support community-based projects that can protect applications, programs and virtual machines (VMs). The consortium should also be able to aid other organizations in applying any confidential security changes.
In addition, the Confidential Computing Consortium developed the Confidential Consortium Framework, which is a general framework used to build both secure and highly available applications.
How confidential computing works
Normally, service providers encrypt data when it's stored or transferred, but the data is no longer encrypted when in use. The Confidential Computing Consortium focuses on securing data while it's in use -- specifically when data is processed in memory. The goal is to allow data to be processed in memory while that data is still encrypted. This reduces the exposure of any sensitive data. The only time data is unencrypted is when code on a system allows a user to access it. This means that the data is hidden from the cloud provider as well.
Confidential computing also works by using an execution environment that can be trusted -- commonly referred to as a TEE, or enclave.
Confidential computing can have many uses pertaining to protecting data in trusted environments. For example, confidential computing can be used to:
- Protect data from malicious attackers
- Make sure data complies with legislation such as GDPR
- Ensure the safety of data such as financial data, encryption keys or any other data that needs to be secure
- Make sure data in use is protected when migrating workloads to different environments
- Allow developers to create applications that can be moved across different cloud platforms
Components of confidential computing
Confidential computing can include many different tools and services.
The organizations in the Confidential Computing Consortium have already developed many tools that support trusted execution environments and confidential computing. For example, Microsoft developed the Open Enclave SDK, a framework that's used to build app enclaves. Enclaves built in Azure are supported by Windows Server Hyper-V Virtualization Based Security (VBS). SQL Server 2019 also supports confidential computing, with an Always Encrypted feature that has secure enclaves.
Examples of vendors that participate in the Confidential Computing Consortium include Google, Microsoft, IBM, Intel, Alibaba, Arm, Red Hat, Baidu, Tencent and Swisscom. Some examples of tools these vendors offer include Microsoft's Open Enclave and Azure, as well as Google's Asylo.
Microsoft has a new security model for Azure called confidential computing, which encrypts data in transit, at rest and while in use.
Google Asylo is another application for confidential computing. Asylo consists of an open source framework and software development kit that uses secure enclaves to process data. Asylo is provided through Google's container repository or as a Docker image that can be used on platforms that support TEEs -- this makes Asylo much more flexible in terms of hardware configurations.
Google also offers its own version of an enclave network, called Asylo, which can be used to guard against data breaches.
Arm is developing a tool called Arm TrustZone, which will also support confidential computing.