What Does Confidential Computing Mean?
Confidential computing is an emerging approach to cybersecurity that runs computational workloads in isolated, hardware-encrypted environments.
In a confidential computing architecture, all computations are carried out in an encrypted, hardware-based environment in the CPU called a trusted execution environment (TEE). Data and code cannot be viewed, added, removed or modified when it is within the TEE.
Confidential Computing enables organizations to isolate data in use so it is not exposed to the infrastructure processing it. This approach to security hardening protects data and code while they are being used by applications allows organizations to be more confident about running sensitive applications in the cloud.
Techopedia Explains Confidential Computing
One of the most notable benefits of confidential computing is that it allows users to improve security in a public cloud environment without having to make changes programmatically.
Confidential computing cannot be bypassed since it is not a perimeter security and it does not run on a potentially vulnerable operating system (OS), virtual machine (VM) or software container. Even if a threat actor manages to compromise a public cloud provider's infrastructure, encrypted data in use will remain secure because it is air gapped and logically decoupled from the rest of the provider's infrastructure. If an attacker hacked a system to gain root access, they would be unable to read the data.
How Confidential Computing Works
With confidential computing, each processor has an encryption key built into it and the CPU's firmware sets aside a section of a computer’s memory as a secure, protected enclave referred to as a Trusted Execution Environment (TEE).
The TEE isolates data and runtime code from the main operating system. The encrypted data can only be decrypted in that specific memory enclave on that particular CPU. If an unauthorized entity attempts to access the TEE, it stops processing and issues an alert. Supporting technology can be used to extend the runtime encryption to data in transit and data at rest.
Confidential computing can provide protection from unauthorized access through stolen credentials by requiring a second approval.
Confidential computing ensures the confidentiality and integrity of data during processing. This hardware-based approach has the potential to lighten the security burden for both software development and IT operations management teams. The only way to gain access to data and code while it is in a trusted execution environment is through trusted applications and users.
Another advantage is that instead of embedding a master key (secret zero) in code, developers can have the CPU generate a hash and digitally sign it. Once the signature is validated, it can be used as a security token to provide third parties with attestation that the data and code has not been tampered with.
Confidential Computing vs. End-to-End Encryption
Until recently, end-to-end encryption security systems have not really been end-to-end; historically, they have only protected data at rest and data in transit. In contrast, confidential computing security systems protect data while it is being processed.
Confidential Computing vs. Homomorphic Encryption
Homomorphic encryption is a software-based approach to performing computations on encrypted data without first having to decrypt it. Like confidential computing, a homomorphic cryptosystem uses public key (asymmetric) cryptography. Its use is restricted, however, because this approach to protecting data in use only supports a limited number of computations (mathematical operations).
Future of Confidential Computing
This emerging technology is expected to quickly become a mainstream requirement for business sectors like finance and government that use and share sensitive data. Some European countries already require organizations in the healthcare sector to use confidential computing platforms because the personally identifiable information (PII) contained in health records is attractive to cyber criminals.
As confidential compute evolves, it is expected to become a standard for cloud security and before long, everyone will expect their compute environments to have the level of security that confidential computing provides. Documents that contain social security numbers and data related to medical care, banking and personal finance are all high priority items for attackers and deserve to be protected in the cloud by a confidential computing platform.