Google eyes confidential computing to buff cloud security cred

Google has advanced its march into confidential computing with a new contest that offers significant cash prizes to developers.

Confidential computing refers to the isolation of application workloads in trusted execution environments (TEEs), which encrypt the data while it's in use. That's a step above today's common practice, where data is encrypted at rest, safely nestled in persistent storage or encrypted while in transit over a network.

TEEs are meant to thwart insider attacks, shield data from a compromised hypervisor or host OS and mitigate the threats posed by network vulnerabilities. They also seek to avert attacks that emanate from malicious firmware.

"Historically, for developers, the problem has been that writing code that can take advantage of a secure enclave has been a challenge," said Garrett Bekker, principal security analyst at 451 Research.

Garrett Bekker

Google added encryption in use in May 2018 with its Asylo project, an open source framework used to create container-based enclaves -- a type of TEE -- that are compatible with Intel SGX-based hardware. Over time, the goal is to make Asylo hardware-agnostic.

But confidential computing is a nascent area of research, so Google has now upped the ante with the Confidential Computing Challenge, a contest that does not seek examples of implemented code, but rather ideas that outline how to advance the confidential computing concept.

From now until April 1, Google Cloud Platform (GCP) wants submissions that describe either a fresh use for confidential computing or ways to improve upon current methods. The winner gets $15,000, plus $5,000 in GCP credits and an unspecified "special hardware gift." Google also offers lab training at no charge to help developers understand the Asylo toolchain.

Doug Cahill

For now, GCP's contest mostly appears to be a way to prime the proverbial pump around Asylo with a community to share knowledge and compare notes on best practices, said Doug Cahill, senior analyst and group director at Enterprise Strategy Group in Milford, Mass.

Writing code that can take advantage of a secure enclave has been a challenge.

"There'll be the winner at the end, but more important is the knowledge sharing between the participants," he said.

GCP's efforts around Asylo may be less about one vendor's desire to be a player in cybersecurity and more about doing what it says it believes is necessary to gain share in the increasingly heated public cloud platform market.

Also, like any emerging technology, swarms of vendors want in on the action around TEEs and enclaves, which means lots of market confusion before there is consensus. For example, GCP has focused Asylo on Intel SGX hardware to start, but AMD has its own implementation of enclaves called ARM TrustZone, 451's Bekker said.

Applications may not be portable across those different enclaves, but Asylo has the eventual goal to give developers an abstraction layer over those complexities, he said.

It's early days for TEEs and enclaves, but adoption of containers and serverless computing in the cloud helps foster these security concepts, which reflecting the cybersecurity principle of least privilege. Still, it's important to remember a truism in cybersecurity: Every innovation in the name of end-user safety swiftly becomes a target for bad actors.

"Security is always about defense in depth," Cahill said. "We shouldn't think of this as a silver bullet. We should always be mindful that the adversary innovates and looks for weaknesses and vulnerabilities."