Stefan Liesche, Distinguished Engineer at IBM, explains how Confidential Computing is dispelling distrust around cloud security
Not all Confidential Computing solutions deliver the same levels of security and flexibility.
Businesses have been forced to shift vast amounts of data and workloads into the cloud in response to the global pandemic but concerns around privacy and security remain.
Moving data to the cloud delivers an array of verified storage and access benefits; it’s therefore little wonder that enterprises of all sizes have developed and adopted cloud strategies in response to the upheaval caused by the Covid-19 pandemic. The measures taken in response to the virus, particularly the increase in remote working, have triggered an unparalleled surge in digital data that needs to be stored, transmitted and processed, safely and reliably.
For many businesses today, it is no longer a question of if cloud migration is appropriate — according to a recent IBM IBV study, 74% of CEOs think adoption of cloud will be critical for their businesses in the next two to three years. Instead, the question is how they can optimise mission-critical workloads while maintaining the highest levels of security.
At the centre of this assessment is a growing awareness that cloud security can be variable. That’s why businesses are starting to look at new security innovations such as Confidential Computing.
Safeguarding vulnerable data
In a standard cloud configuration, data is encrypted when it’s ‘at rest’ or ‘in transit’ but the moment that data is processed it is decrypted, leaving it potentially vulnerable. The evaluation of business-critical data migrating to the cloud has increased since the start of the pandemic, heightening concerns about this weakness.
Confidential Computing solves this problem in hybrid cloud environments by directing data in use into a hardware-based Trusted Execution Environment (TEE), an area separated from other workloads. Data remains encrypted right up until the application notifies the TEE to decrypt it for processing.
Put simply, confidential computing offers a securely locked workspace within a hybrid cloud that is entirely shielded from view. If malware or other unauthorised code attempts to read the decrypted data, then the TEE simply denies access.
How can vendors and end users ensure cloud security?
Collaboration without compromise
Confidential Computing offers a number of additional advantages that go beyond simple safeguarding. By ensuring that data is processed in a shielded environment it is possible to securely collaborate with partners without compromising IP or divulging proprietary information.
For example, one company can open up its data to another company’s proprietary tools without either of them sharing anything they want to protect, such as any commercially sensitive intellectual property. A bank and a retailer, for instance, could cross-check transaction records to identify possible fraud without either party giving access to commercially sensitive data.
Until now, many enterprises have held back from migrating some of their most sensitive applications to the cloud because of worries about data exposure. Confidential computing addresses this hurdle; not only is data protected during processing, companies can also securely and efficiently collaborate with partners in the cloud.
The key to privacy
For businesses migrating workloads into the cloud, a major concern is the ability to provide security for customers and continued compliance with EU data privacy regulations. This is especially the case where businesses are the stewards of sensitive data, such as healthcare information or bank account numbers.
An important feature of Confidential Computing is its use of embedded encryption keys, which locks data in a secure enclave during processing. This keeps it concealed from the operating system as well as any privileged users i.e. administrators or site reliability engineers.
At IBM, we go a step further, supporting a Keep Your Own Key (KYOK) feature that gives owners sole access to their encrypted data; not even the cloud provider can access it. Our family of Hyper Protect Cloud Services is also the only industry solution built on FIPS 140-2 Level 4-certified hardware, the highest existing standard for hardware cryptography modules.
Mission critical cloud safety
The growth of cloud workloads has been tempered by legitimate concerns about data privacy. Now businesses are better equipped to address those worries with sophisticated encryption technologies. By protecting data in use, Confidential Computing enables extremely sensitive data to be processed in a hybrid cloud. It is also empowering multi-party sharing scenarios that have previously been difficult to establish due to privacy, security and regulatory requirements.
What remains clear is that the upheaval caused by the global Covid-19 pandemic continues to shape how and where businesses use their data. Confidential Computing’s use of hardware-based techniques to isolate data in use will therefore continue to gain importance as hybrid cloud services become more widely adopted.
However, not all Confidential Computing solutions deliver the same levels of security and flexibility. Businesses should therefore only work with a cloud provider that offers a service that best meets their technical and business requirements, without compromising on security.