Undoubtedly, cloud computing is a mainstay in the enterprise.
Still, the increased adoption of hybrid and public clouds, combined with continued security breaches from both inside and outside forces, leave many with lingering concerns about cloud security. And rightly so.
This makes it all the more critical to have advanced, 21st-century privacy safeguards in place – even as this has often proved problematic in the security space.
“At a high level, cybersecurity has largely taken an incremental form, leveraging existing traditional tools in response to new attacks,” said Eyal Moshe, CEO of HUB Security.
But this is a “costly and unwinnable” endeavor, he pointed out, given the “determination and resources of malicious players” who can reap massive profits. Therefore, a “security paradigm shift is needed that incorporates traditional defenses but also simultaneously assumes they will not work and that every system is always vulnerable.”
The solution, he and others say: Confidential computing, an emerging cloud computing technology that can isolate and protect data while it is being processed.
Closing the security gap
Before an app can process data, it goes through a decryption in memory. This leaves data briefly unencrypted – and therefore exposed – just before, during, and just after its processing. Hackers can access it, encryption-free, and it is also vulnerable to root user compromise (when administrative privileges are given to the wrong person).
“While there have been technologies to protect data in transit or stored data, maintaining security while data is in use has been a particular challenge,” explained Justin Lam, data security research analyst with S&P Global Market Intelligence.
Confidential computing seeks to close this gap, providing cybersecurity for highly sensitive information requiring protection during transit. The process “helps to ensure that data remains confidential at all times in trusted environments that isolate data from internal and external threats,” Lam explained.
How confidential computing works
By isolating data within a protected central processing unit (CPU) during processing, the CPU resources are only accessible to specially authorized programming code, otherwise making its resources invisible to “everything and anyone else.” As a result, it is undiscoverable by human users as well as cloud providers, other computer resources, hypervisors, virtual machines and the operating system itself.
This process is enabled through the use of a hardware-based architecture known as a trusted execution environment (TEE). Unauthorized entities cannot view, add, remove or otherwise alter data when it is within the TEE, which denies access attempts and cancels a computation if the system comes under attack.
As Moshe explained, even if computer infrastructure is compromised, “data should still be safe.”
“This involves a number of techniques of encryption, decryption and access controls so information is available only at the time needed, only for the specific user who has the necessary permissions within that secure enclave,” Moshe said.
Still, these enclaves are “not the only weapon in the arsenal.” “Ultra-secure firewalls” that monitor messages coming in and going out are combined with secure remote management, hardware security modules and multifactor authentication. Platforms embed access and approval policies in their own enclaves, including CPUs and/or GPUs for apps, Moshe said.
All told, this creates an accessibility and governance system that can be seamlessly customized without impeding performance, he said. And confidential computing has a wide scope, particularly when it comes to software attacks, protocol attacks, cryptographic attacks, basic physical attacks and memory dump attacks.
“Enterprises need to demonstrate maximum trustworthiness even when the data is in use,” said Lam, underscoring that this is particularly important when enterprises process sensitive data for another entity. “All parties benefit because the data is handled safely and remains confidential.”
Evolving concept, adoption
The concept is rapidly gaining traction. As predicted by Everest Group, a “best-case scenario” is that confidential computing will achieve a market value of around $54 billion by 2026, representing a compound annual growth rate (CAGR) of 90% to 95%. The global research firm emphasizes that “it is, of course, a nascent market, so big growth figures are to be expected.”
According to an Everest Group report, all segments – including hardware, software and services – are expected to grow. This exponential expansion is being fueled by enterprise cloud and security initiatives and increasing regulation, particularly in privacy-sensitive industries including banking, finance and healthcare.
Confidential computing is a concept that has “moved quickly from research projects into fully deployed offerings across the industry,” said Rohit Badlaney, vice president of IBM Z Hybrid Cloud, and Hillery Hunter, vice president and CTO of IBM Cloud, in a blog post.
These include deployments from cloud providers AMD, Intel, Google Cloud, Microsoft Azure, Amazon Web Services, Red Hat and IBM. Cybersecurity companies including Fortinet, Anjuna Security, Gradient Flow and HUB Security also specialize in confidential computing solutions.
Everest Group points to several use cases for confidential computing, including collaborative analytics for anti-money laundering and fraud detection, research and analytics on patient data and drug discovery, and treatment modeling and security for IoT devices.
“Data protection is only as strong as the weakest link in end-to-end defense – meaning that data protection should be holistic,” said Badlany and Hunter of IBM, which in 2018 released its tools IBM Hyper Protect Services and IBM Cloud Data Shield. “Companies of all sizes require a dynamic and evolving approach to security focused on the long-term protection of data.”
Furthermore, to help facilitate widespread use, the Linux Foundation announced the Confidential Computing Consortium in December 2019. The project community is dedicated to defining and accelerating confidential computing adoption and establishing technologies and open standards for TEE. The project brings together hardware vendors, developers and cloud hosts and includes commitments and contributions from member organizations and open-source projects, according to its website.
“One of the most exciting things about Confidential Computing is that although in early stages, some of the biggest names in technology are already working in the space,” lauds a report from Futurum Research. “Even better, they are partnering and working to use their powers for good.”
Enterprises always want to ensure the security of their data, particularly before transitioning it to a cloud environment. Or, as a blog post from cybersecurity company Fortinet describes it, essentially “trusting in an unseen technology.”
“Confidential computing aims to give a level of security that acknowledges the fact that organizations are no longer in a position to move freely within their own space,” said Moshe.
Company data centers can be breached by external parties, and are also susceptible to insider threat (whether through maliciousness or negligence). With public clouds, meanwhile, common standards can’t always be assured or verified against sophisticated attacks.
Perimeters that provide protection are increasingly easy to breach, Moshe pointed out, especially when web services serve so many clients all at once. Then there’s the increased use of edge computing, which brings with it “massive real-time data processing requirements,” particularly in highly dispersed verticals such as retail and manufacturing.
Lam agreed that confidential computing will be increasingly important going forward to demonstrate regulatory compliance and security best practices. It “creates and attests” trusted environments for programs to execute securely and for data to remain isolated.
“These trusted environments have more tangible importance, as overall cloud computing is increasingly abstracted in virtualized or serverless platforms,” Lam said.
Still, enterprises should not consider confidential computing an end-all-be-all.
Given the growing dynamics and prevalence of the cloud, IoT, edge and 5G, “confidential computing environments will have to be resilient to rapid changes in trust and demand,” he said.
Confidential computing may require future hardware availability and improvements at “significant scale,” he said. And, as is the case with all other security tools, care must be taken to secure other components, policies, identities and processes.
Ultimately, Lam pointed out, like any other security tool, “it’s not a complete or foolproof solution.”
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.