Securing your data leveraging confidential computing

Author: Telindus
11/04/2023

With the rapid adoption of cloud, many organizations have questioned the trust that has been placed in cloud providers. Some of the typical concerns that have arisen:

  • Could my data, or my clients' data, be leaked to other tenants of a public cloud provider?

  • Will the cloud provider share my data following the orders of authorities?

  • What if an employee of my public cloud provider turns rogue and extracts my data?

The most appropriate solution for answering these questions is confidential computing.

Confidential Computing and its techniques

Confidential Computing is a security technique designed to protect data and computations from unauthorized access or tampering. It allows for secure processing and storage of sensitive data, even when it is being processed in untrusted environments, such as cloud or edge computing environments.

The Confidential Computing effort spans techniques in several domains: isolating data and code, establishing a trusted environment for collaboration between different stakeholders, cloud solutions that protect both data and applications, and hardware security improvements that provide secure key storage and cryptographic operations.

One of the main components of confidential computing is the secure enclave, or trusted execution environment (TEE), which holds the computation and its unencrypted data. The enclave's memory is encrypted and is only decrypted inside the CPU (Central Processing Unit) during execution, which protects its data from other forms of access, including reading the contents of RAM (Random Access Memory).

The encryption keys themselves can be held directly within the CPU or externalized. Depending on the technology chosen, externalized keys may be stored in two different ways:

  • Hardware Security Modules (HSMs): HSMs are specially designed hardware devices that provide secure storage and cryptographic operations. They allow you to store your keys in a secure manner and can be kept within your premises.

  • Managed key vaults: Managed key vaults are virtualized HSMs that protect cryptographic keys, certificates and similar material. However, a managed key vault runs at the cloud solution provider and therefore provides only limited coverage from a security perspective.

Adapted confidential computing models

While there are several providers for Confidential Computing technology including Intel and AMD, their implementation by various cloud providers differs. The two most popular cloud providers that have implemented confidential computing are Microsoft Azure and Google Cloud.

Microsoft Azure bases its technology on Intel Software Guard Extensions (SGX), deployed on dedicated hardware, and supports both Windows and Linux as operating systems. Microsoft is also working on the implementation of Intel Trust Domain Extensions (TDX), which extends enclave-style protection to whole virtual machines. Google Cloud's confidential computing model, on the other hand, combines hardware-based security technologies, including AMD Secure Encrypted Virtualization (SEV) and Intel SGX; the service is virtualised and supports only Linux as operating system.

Typically, the following services can be deployed leveraging confidential computing:

  • Confidential Virtual Machines (VMs): Confidential VMs isolate the data and application with encryption keys that are generated during VM creation and either reside within the chipset itself or are externalized.

  • Confidential Databases: Confidential DBs rely on confidential VMs and also implement always-encrypted technology.

  • Confidential Containers: Confidential containers further secure standard container workloads by running Kubernetes on a confidential virtual machine.
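A practical question that follows from the provider models and the Confidential VM service described above is how an operator verifies, from inside the guest, that a VM actually booted with memory encryption. The shell helpers below are an added example and are not code from the Telindus article or from any cloud provider: they parse what a Linux guest reports in its kernel boot log (for AMD SEV and Intel TDX) and in /proc/cpuinfo (for the sgx and tdx_guest CPU flags). The log and cpuinfo text is constructed for the example, and the match patterns are an assumption based on the boot messages Linux kernels print, which change between kernel versions, so adjust them for the kernels you run.

```shell
#!/bin/sh
# Added example, not code from the Telindus article: helpers that read what a
# Linux guest reports about memory encryption, so an operator can confirm a
# "confidential" VM actually booted with the protection described above.
# All log and cpuinfo text below is constructed for this example. The patterns
# are an assumption based on the lines the Linux kernel prints at boot, which
# change between kernel versions; adjust them for your own kernels.

# Print the TEE technology announced in a kernel log file ($1):
# amd-sev-snp, amd-sev, intel-tdx, or none.
tee_from_dmesg() {
    if grep -q 'Memory Encryption Features active:.*SEV-SNP' "$1"; then
        echo "amd-sev-snp"
    elif grep -Eq 'Memory Encryption Features active:.*SEV( |$)|Secure Encrypted Virtualization \(SEV\) active' "$1"; then
        echo "amd-sev"
    elif grep -q 'Memory Encryption Features active: Intel TDX' "$1"; then
        echo "intel-tdx"
    else
        echo "none"
    fi
}

# Print yes/no for whether CPU flag $2 (e.g. sgx, tdx_guest) is listed in a
# /proc/cpuinfo-style file ($1). Word boundaries matter: "sgx_lc" is not "sgx".
cpu_flag_present() {
    if grep -E '^flags[[:space:]]*:' "$1" | grep -Eq "(^|[[:space:]])$2([[:space:]]|$)"; then
        echo "yes"
    else
        echo "no"
    fi
}

# Constructed samples standing in for `dmesg` output and /proc/cpuinfo.
SEV_SNP_LOG=$(mktemp); SEV_OLD_LOG=$(mktemp); TDX_LOG=$(mktemp); PLAIN_LOG=$(mktemp)
SGX_CPU=$(mktemp); PLAIN_CPU=$(mktemp); LIVE_LOG=$(mktemp)
trap 'rm -f "$SEV_SNP_LOG" "$SEV_OLD_LOG" "$TDX_LOG" "$PLAIN_LOG" "$SGX_CPU" "$PLAIN_CPU" "$LIVE_LOG"' EXIT

printf '%s\n' '[    0.000000] Linux version 6.1.0-sample (constructed)' \
    '[    0.412345] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP' > "$SEV_SNP_LOG"
printf '%s\n' '[    0.000000] Linux version 5.4.0-sample (constructed)' \
    '[    0.398721] AMD Secure Encrypted Virtualization (SEV) active' > "$SEV_OLD_LOG"
printf '%s\n' '[    0.000000] Linux version 6.5.0-sample (constructed)' \
    '[    0.401234] Memory Encryption Features active: Intel TDX' > "$TDX_LOG"
printf '%s\n' '[    0.000000] Linux version 6.1.0-sample (constructed)' \
    '[    0.500000] Booting paravirtualized kernel on KVM' > "$PLAIN_LOG"
printf 'flags\t\t: fpu vme de pse sse sse2 sgx sgx_lc\n' > "$SGX_CPU"
printf 'flags\t\t: fpu vme de pse sse sse2\n' > "$PLAIN_CPU"

# Walk the samples: expected results are amd-sev-snp, amd-sev, intel-tdx, none.
for f in "$SEV_SNP_LOG" "$SEV_OLD_LOG" "$TDX_LOG" "$PLAIN_LOG"; do
    printf 'sample log -> %s\n' "$(tee_from_dmesg "$f")"
done
printf 'sample cpuinfo sgx -> %s\n' "$(cpu_flag_present "$SGX_CPU" sgx)"   # yes

# Run the same checks against the live machine when it allows it.
if [ -r /proc/cpuinfo ]; then
    printf 'live sgx flag: %s, tdx_guest flag: %s\n' \
        "$(cpu_flag_present /proc/cpuinfo sgx)" "$(cpu_flag_present /proc/cpuinfo tdx_guest)"
fi
if dmesg > "$LIVE_LOG" 2>/dev/null; then
    printf 'live kernel reports: %s\n' "$(tee_from_dmesg "$LIVE_LOG")"
fi
```

What the guest kernel prints is self-reported by software running inside the VM; it is a useful sanity check after deployment, but it is not a cryptographic proof that the hardware protection is in place. For that, the confidential computing offerings provide remote attestation, where the CPU signs evidence about the enclave or VM that a relying party verifies. The sgx flag likewise only shows that the CPU exposes SGX; the enclave itself is created by the application.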

Telindus and its cloud experts help you to select the most suitable Confidential Computing solutions. Do not hesitate to contact us for additional information.