The need for the confidentiality of sensitive data is an obstacle to the widespread use of the public cloud. So-called “end-to-end” encryption systems are misnamed. While they protect data at rest – i.e. stored in databases – and data in transit over networks, the encryption does not apply to data being processed. To be processed by an application, it must be decoded. This makes it momentarily vulnerable to targeted threats such as the compromising of a server or exploitation of weaknesses in an application.
An airlock to isolate sensitive data
Confidential computing aims to ensure the confidentiality and possibly the integrity of data during processing. It does this by using Trusted Execution Environments (TEEs), i.e. secure areas that isolate data and runtime code from the main operating system. These environments cannot be accessed, modified or compromised by a malicious agent. They incorporate their own encryption keys and authentication mechanisms. If unauthorized runtime code or malware attempts to access the keys, the TEEs abort the processing.
Confidential computing is based on both software and hardware. A trusted application running in TEEs must access the hardware resources – the processor, memory, computing power (CPU) – of the server hosting it.
Confidential computing aims to persuade companies to migrate their sensitive applications and data to the public cloud.
Removing the last barriers to the public cloud
Confidential computing players want to persuade companies to migrate their most sensitive applications and data to shared public cloud infrastructures to achieve gains in agility and scale. Gartner has identified Privacy-Enhancing Computation (PEC) as one of the technology trends for 2022.
The creation of isolated trusted environments encourages the use of the multicloud by ensuring that data is encrypted during processing, regardless of the cloud chosen, and contributes to the growth of edge computing. With this cloud at the edge, data processing is done as close as possible to connected objects (IoT) without having to transfer data to the cloud. A trusted environment ensures the confidentiality of this local processing.
The confidential computing approach can encourage collaboration between companies by protecting intellectual property. ICT Journal cites the example of a hospital sending X-rays to one service provider’s cloud to be analysed by another provider’s artificial intelligence algorithm, without any of the three organisations having access to the others’ information.
A fast-growing market
According to a study by the Everest Group research firm, the market for confidential computing is growing by 90 to 95% per year; representing nearly $2 billion in 2021, it could thus reach $54 billion by 2026. This is likely to be largely driven by the highly regulated sectors of banking, insurance and health.
Semiconductor manufacturers (Intel, ARM, AMD, NVIDIA) and cloud giants (Microsoft, Google, Oracle, IBM) are positioning themselves in this market. These players participate in the Confidential Computing Consortium, an open source community at the Linux Foundation that has been working since 2019 to define the standards for confidential computing and accelerate its adoption.
Hyperscalers (the largest cloud providers) are already marketing confidential computing as a service offerings, in the form of “application enclaves”. Microsoft Azure began offering confidential virtual machines to protect data during processing in April 2020. A few months later, Amazon Web Services followed suit with its Nitro Enclaves solution based on its EC2 storage service. More recently, Google Cloud launched a beta version of its Confidential VMs based on Compute Engine, its IaaS (Infrastructure as a service) offering.
These cloud offerings are based on hardware architectures specifically dedicated to confidential computing. Chip manufacturers have developed trusted execution environments based on an inaccessible key stored in their processors. These include TrustZone, Software Guard Extensions (SGX) and Secure Encrypted Virtualization (SEV) designed by ARM, Intel and AMD respectively.
As most cloud providers and semiconductor manufacturers work within the Confidential Computing Consortium, all of these systems must be based on open source building blocks – thereby ensuring sovereignty and interoperability.