Skip to main content

SECURITY

The Latest in Data Protection? Confidential Computing

Published Date
Author Poornima Apte

trusted execution environments

Sleight of hand works for magic tricks, but not for data protection. Yet such smokescreens are precisely what many enterprises unwittingly deploy in the name of information security. Companies might assume they keep data safe, but most protection mechanisms focus on data in transit or at rest—not while actually being used and processed, says Richard Searle, Vice President of Confidential Computing at Fortanix, a data security company.

For tightest security, enterprises need hardware-enforced trusted execution environments where data can be safe even while being processed, a practice known as confidential computing (CC), Searle adds.

Advantages of Confidential Computing Data Security

For years, companies in sectors like healthcare and finance have checked off security protocols by anonymizing data and thereby protecting patient or user identities. But, says Searle, anonymization of data with full integrity is very difficult to achieve. “Even if their personal information is masked using tokenization, it’s still possible to potentially resolve from datasets where they are sourced from and therefore the underlying identity,” he says.

Tokenization constrains data’s full use so not all functions can be executed smoothly. Even if data is encrypted while at rest or in transit, it is decrypted and not protected while being processed, making it vulnerable during this stage.

On the other hand, confidential computing works by unleashing the full potential of data while protecting it during all its states: rest, transit, and use. Another significant advantage of confidential computing is that it’s easier to follow the trail of breadcrumbs and provide necessary compliance documentation for auditors.

Confidential computing also strengthens implementation of Zero Trust architecture, a popular data security solution. Zero Trust demands segmentation of operations and verification of each step in an information processing chain.

“Confidential computing can help with that because it does two things: verifies the trusted execution environment where the data’s being deployed and validates the integrity of the software that’s being deployed there,” Searle says. “Along with other Zero Trust tools such as identity and access management tools for machines and users, confidential computing is an important technology because of the data protection services it affords within the network.”

“When you apply confidential computing, the data is only unencrypted within the confines of the TEE. It enables you to secure sensitive #data and applications when they’re being processed by the #CPU” – Richard Searle @fortanix via @insightdottech

Data Security with a Trusted Execution Environment

Confidential computing protects data in a trusted execution environment (TEE), a protected region of memory within the processor. These secure enclaves are encrypted with a hardware-managed key that the OS and hypervisor do not have access to. “When you apply confidential computing, the data is only unencrypted within the confines of the TEE. It enables you to secure sensitive data and applications when they’re being processed by the CPU,” Searle says.

The Fortanix CC solution is its Confidential Computing Manager, which acts as the middleware layer between enterprise applications and the underlying hardware and trusted execution environment. “For both on-premises and cloud deployments, the Manager also generates the necessary cryptographic proofs and validations required to attest that the information has been deployed securely and has been processed in accordance with legislative and organizational policy obligations,” Searle says.

The Role of Intel in Confidential Computing

Intel designed critical components needed for trusted execution environments, also known as “enclaves,” into its hardware/software solution stack:

  • Intel® Software Guard Extensions (Intel® SGX)
    Enables a protection perimeter around individual applications, allowing sensitive data to run securely and privately without needing to trust the underlying infrastructure and operating environment. Organizations can sandbox the software and data in a secure enclave using hardware-level encryption keys and trust certificates.
  • Intel® Trust Domain Extensions (Intel® TDX)
    Enables a protection perimeter around the Virtual Machine, allowing confidential computing with easy lift-and-shift functionality for existing virtualized workloads.

These technologies combine with 4th Gen Intel® Xeon® Scalable processors to enable a wider range of applications. “Modern processors like the 4th Generation Xeon are extremely powerful and have a large availability of memory for deployment of trusted execution environments so we can run very sophisticated enterprise-grade applications and AI systems,” Searle says. “I think that will facilitate growth in the adoption of confidential computing.”

Confidential Computing Use Cases

Confidential computing is especially useful for processing highly confidential data and where enterprises can’t guarantee the trust in the underlying infrastructure. Case in point: data migrations to the cloud “where you’re using someone else’s infrastructure platform and you don’t want the cloud administrators with root privileges to be able to access your information,” Searle says.

Use cases abound. For example, Fortanix is helping BeekeeperAI clients leverage confidential computing to securely deploy AI and ML models. BeekeeperAI helps researchers rapidly validate and iterate on models and enables secure collaborations among healthcare teams. And healthcare company Zuellig Pharma launched Digital Health Exchange, which uses confidential computing to enable data exchange across more than a dozen countries in the Asia Pacific region. “It’s another instance of how confidential computing can provide innovation in terms of data use and mobilization for different use cases,” Searle says.

While healthcare and finance are proving to be the initial testing grounds for confidential computing, implementations need not be restricted to these fields, Searle says. “The need to enhance your security posture really sets the scene for confidential computing,” he adds.

Next on the horizon: confidential computing use cases for edge AI. “We’re looking at how we can secure data at the edge in order to provide local processing on edge-based devices,” Searle says. The Fortanix Confidential Computing Manager can be pressed into service at the edge, too, because it takes care of hardware no matter where it is.

“The customer base is now receptive to the adoption of confidential computing; it’s going to lead to an increased demand for a deployment of the technology in specific use cases where data and applications need to be protected,” Searle says.

Whether that’s in the cloud or on the edge.
 

Edited by Georganne Benesch, Associate Editorial Director for insight.tech.

About the Author

Poornima Apte is a trained engineer turned technology writer. Her specialties run a gamut of technical topics from engineering, AI, IoT, to automation, robotics, 5G, and cybersecurity. Poornima's original reporting on Indian Americans moving to India in the wake of the country's economic boom won her an award from the South Asian Journalists’ Association. Follow her on LinkedIn.

Profile Photo of Poornima Apte
Follow on Twitter Follow on Linkedin Visit Website More Content by Poornima Apte