Confidential Computing – What is it and why do we need it?
As the digital revolution steadily reaches into every aspect of our lives, organizations of all sizes and across all industries use digital solutions to facilitate their work and increase business efficiency. The most apparent aspect of digital transformation for businesses is the increasing use of cloud computing technology.
According to MarketsandMarkets, the global cloud computing market size is expected to grow from USD 371.4 billion in 2020 to USD 832.1 billion by 2025, at a Compound Annual Growth Rate (CAGR) of 17.5% during the forecast period. The leading cloud computing models (IaaS, PaaS, SaaS) offer numerous benefits to organizations, such as:
- Enhanced accessibility: By storing business data and applications in the cloud, accessing these resources becomes feasible from anywhere on earth with an internet connection.
- Reduced costs: Cloud computing offers businesses a scalable environment, eliminating the need to purchase costly IT infrastructure and the cost of maintaining it over time.
- Enhanced security: The cloud computing market is very competitive. Major cloud providers compete to deploy the best security solutions to protect customer data and attract other customers to subscribe to their services.
- Disaster recovery: The cloud computing model offers a fast and reliable solution to restore data and applications after a disaster.
The advantages of the cloud computing model are apparent; however, the main obstacle to adopting it on a large scale is still security. There is a continual debate in the IT community about the privacy of data in the cloud. For instance, cloud providers adopt encryption to protect data at rest (while in storage on cloud hard drives and in databases) and in transit (when moving data from cloud servers to client endpoint devices via network connections). However, one part is still missing to achieve complete data security: protecting data in use, while it is in memory and being processed.
What is Confidential Computing?
Confidential Computing is a cloud computing technology that protects cloud data while it is being processed. It works by isolating sensitive data in a protected CPU region that no other code can access. The content of the protected CPU region, which includes the processed data and the code used to process it, is only accessible to authorized code. Hence, no other program and no one else, including the cloud service provider, can access the contents of the protected area.
As more organizations opt to store their data in the cloud, the need to protect cloud data becomes vital. Confidential Computing (CC) offers cloud clients a means to assure the highest security and confidentiality of their data and encourages them to trust public cloud services by moving more data to the cloud.
How does Confidential Computing work?
Sensitive cloud data is stored encrypted; to use this data, it must first be decrypted in memory. This makes the data vulnerable to different exploits such as a compromised root user, memory dumps, and Direct Memory Access (DMA).
Confidential Computing prevents this type of attack by utilizing a hardware-based trusted execution environment (TEE), a secure zone within a CPU. The TEE is secured using embedded encryption keys and contains a special mechanism to ensure that the decryption keys are available only to trusted (authorized) application code. If malicious code tries to access the decryption keys, or the trusted application code is hacked in some way, the TEE will halt data processing immediately (see Figure 1).
Using the TEE model, the processed sensitive data remains encrypted in memory until the trusted application informs the TEE to decrypt it for processing. While the data is being processed, it remains unavailable to the underlying operating system (whether on a physical or virtual machine), the cloud provider, and the provider's employees.
Figure 1 - Confidential Computing model
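The key-gating behaviour described above can be modelled in a few lines. The following is an added example, not code from any TEE vendor or SDK: the ToyTEE class, the SHA-256 code measurement, and the stand-in cipher are assumptions made for illustration, and the sample inputs are constructed.

```python
import hashlib
import hmac
import secrets

def measure(code: bytes) -> bytes:
    """Measurement of the code loaded into the protected region (assumed: SHA-256)."""
    return hashlib.sha256(code).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher for this model only (HMAC-SHA256 keystream); not for real use.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class ToyTEE:
    """Hypothetical model: the key never leaves the object, and decryption
    happens only for code whose measurement matches the authorized one."""

    def __init__(self, authorized_code: bytes):
        self._expected = measure(authorized_code)
        self._key = secrets.token_bytes(32)   # models the embedded key
        self.halted = False

    def seal(self, plaintext: bytes) -> bytes:
        return _xor_stream(self._key, plaintext)

    def process(self, loaded_code: bytes, sealed: bytes, func):
        if self.halted:
            raise PermissionError("TEE halted")
        if not hmac.compare_digest(measure(loaded_code), self._expected):
            self.halted = True                # halt processing on unauthorized code
            raise PermissionError("unauthorized code: processing halted")
        return func(_xor_stream(self._key, sealed))  # plaintext exists only here

APP = b"def total(rows): return sum(rows)"   # constructed sample application code
TAMPERED = APP + b"  # modified"             # constructed: same app, altered

def demo():
    tee = ToyTEE(APP)
    sealed = tee.seal(b"4,8,15")              # what the host OS and provider see
    total = tee.process(APP, sealed, lambda d: sum(int(x) for x in d.split(b",")))
    try:
        tee.process(TAMPERED, sealed, len)
        blocked = False
    except PermissionError:
        blocked = True
    return total, blocked, tee.halted, sealed != b"4,8,15"
```

Only the computed result leaves `process`; the caller never receives the key or the decrypted bytes, and once altered code is presented the model refuses all further work.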
The Confidential Computing Consortium
If you wonder how the idea of Confidential Computing arose, here is a brief account of its start. In 2019, a group of IT enterprises composed of Alibaba, AMD, Baidu, Fortanix, Google, IBM/Red Hat, Intel, Microsoft, Oracle, Swisscom, Tencent, and VMware announced the creation of the Confidential Computing Consortium (CCC), under the sponsorship of The Linux Foundation. The CCC aims to promote the development of open-source CC tools and to define general standards for Confidential Computing, which allow users to move between different IT environments with ease.
Why do we need Confidential Computing?
Confidential Computing offers numerous benefits to organizations; the following list covers the main ones:
- Protect sensitive data during processing, which encourages organizations to leverage cloud computing to process and store their confidential workloads. Using Confidential Computing together with encryption of data at rest and in transit will remove the greatest barrier to using cloud computing to handle sensitive and regulated data.
- Protect the organization's intellectual property: Confidential Computing is not only used to protect sensitive data. For example, many organizations use proprietary applications, machine learning algorithms, analytics code, and the like to process data and conduct other tasks. Confidential Computing helps execute application code secretly in an isolated environment that no one can infiltrate.
- Simplify using a cloud service provider: By using Confidential Computing, an organization can select the best cloud provider that meets its technical and business objectives without worrying about the security of stored data such as sensitive customer data (Personally Identifiable Information (PII), financial data and Protected Health Information (PHI)), proprietary information and other sensitive resources.
- Enable complete end-to-end encryption of cloud data.
- Allow data to be transferred between different environments, or cloud providers, without risking exposing it to unauthorized parties.
- Open new opportunities for collaboration between different organizations without exposing their confidential data to each other. For instance, multiple organizations can work on analyzing different data sets without accessing each other's data.
Summary
Utilizing Confidential Computing allows organizations to run sensitive workloads in the cloud, avoid the risk of malicious access, and build cross-cloud data applications involving multiple parties, in addition to enhancing cloud data privacy.
Confidential Computing requires close collaboration between hardware companies (CPU vendors) and software companies so that confidential computing programs and data can work with TEEs from different vendors. The Confidential Computing Consortium is now supporting many open source projects such as Intel SGX SDK for Linux, Microsoft's Open Enclave SDK, and Red Hat's Enarx. However, a tool does not need to be sponsored by the CCC to be considered confidential computing.