Confidential computing – the next frontier in security
Confidential computing provides the opportunity for businesses to encrypt their data while in use, rather than just in transit or at rest. Could it become as ubiquitous as SSL?
Confidential computing is an exciting and relatively new technology that adds another level to information security. Until now data could only be encrypted at rest or during transit, but this hardware-based technology enables data to be encrypted while being processed.
“Confidential computing is a technique for securing data while in use by creating secure spaces that users, rather than administrators, control,” says Martin O’Reilly, director of research engineering at the Alan Turing Institute. “The idea is to create a trusted execution environment (TEE) or secure enclave, where the data is only accessible by a specific application or user, and only as the data is being processed.”
The term is only now starting to be recognised within the industry, promoted by a community of hardware vendors, cloud providers and software developers known as the Confidential Computing Consortium (CCC). A project community at the Linux Foundation, it's focused on accelerating the adoption of TEE technologies and standards.
Improving cloud security
As it stands, the CCC may have quite an easy time promoting confidential computing – the technology’s being propelled by the need for end-to-end encryption and the growth of cloud computing. In particular, TEEs are being touted as the next step for hybrid cloud environments that limit access control to the data owner, rather than the hosting provider.
“We’re still in the early days of adoption, but this could become one of the mainstream security platforms for cloud computing. There’s an urgent need to secure data when processed in cloud environments,” says Kevin Curran, senior member of the IEEE and a professor of cybersecurity at Ulster University.
Confidential computing’s ‘360-degree protection’ enables data to be processed within a limited part of the computing environment, giving organisations the ability to reduce exposure of sensitive data while also providing greater control and transparency, even allowing businesses to share data for joint processing securely. This represents a significant change, says O’Reilly, pointing out that the ability to create secure spaces where the user controls who has access to the data effectively replicates the trust companies might have in their own IT departments.
He notes, however, that the advantages should be weighed against the complexities involved in setting up and managing these technologies.
“The lack of universal availability and the added complexity of securing enclaves means that these incur an additional cost compared to other, currently conventional security measures including those run by cloud providers, which may be adequate for the security goals in question,” he notes.
Which sectors can benefit from confidential computing?
Confidential computing is of particular interest to sectors that handle sensitive personal, commercial or governmental data.
Early adopters include the health, research and government sectors, with the finance sector leading the way, says Dave Thaler, chair of the CCC’s Technical Advisory Council and a Microsoft software architect. “Take the chip and PIN system used in credit and debit cards – the chips used there are confidential computing environments,” he points out.
DIA (Decentralised Information Asset) is an example of an early adopter – it recently implemented confidential computing into its open-source financial information platform in order to serve customers from more highly regulated industries that require a much higher level of security throughout the technology stack.
“Our solution is fairly tamper-proof, but there was a weakness because the computation on some cloud or on premise meant there were potential attack vectors. We fixed this with an IBM confidential cloud solution that ensures the compute cannot be tampered with by any third party, including the cloud provider. It’s a fundamental improvement to our product,” says Paul Claudius, co-founder and association member of DIA.
Should your business look into confidential computing?
All businesses dealing with data they need to secure should start to look at confidential computing within their security strategies, says Dr Alan Warr, consultancy specialist group chair at BCS, The Chartered Institute for IT. “They need to start working on how it applies to them, at the very least to ensure they don’t need to be an early adopter and risk being disadvantaged if they move too slowly.
“For many this will lead them to build this into their strategies, which are likely to involve research and early proof of concepts at this stage. For the minority, taking an early lead in adoption may be a worthwhile, or even essential, strategy,” he notes.
It’s also an opportunity to make more from the data you have, points out David Greene, head of the CCC’s Outreach Committee and head of sales and marketing at Fortanix.
“When I talk to customers, I ask them what data they have that they think has useful information that they haven’t been able to extract because the data has to stay so secure. If we think of data as the new gold, this can be a good motivation to think about what companies could do.”
Ubiquitous by 2031
Warr speculates that confidential computing may become ubiquitous in time, just as encryption of data at rest has. “We may find that over the next 10 years IT professionals and end users will increasingly be using confidential computing,” he says.
Greene – and the wider CCC – agree with this view. “A few years back secure internet communication, HTTPS, was kind of a big deal. Now it’s everywhere. Same with SSL, first we focused on credit card transactions then at some point said, why not secure everything?
“The view of the CCC is that confidential computing has the same potential. We have the infrastructure and the tools, in the end there’ll be no reason not to protect data in this way.”
Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.