At the very beginning, when the internet and the IT ecosystem was evolving, functionality took precedence over security. With time the maligned players emerged, targeting the ecosystem components and participants. In parallel, the pioneers of the IT industry kept adding defence layers to make the system more robust and secure. Encryption was utilized widely at various levels which made the internet and IT a safer place. This friction is perpetual, so the IT protagonists must keep looking for the security gaps and solutions to plug them.
At present, governments and associations are fabricating extensive regulatory measures around data handling and security by imposing hefty fines making ‘end-to-end data security’ an essential requisite. End-to-end data security implies that the data should remain secure and confidential in all its states i.e., data at rest (data kept in various types of storages), data in transit (data moving through the network) and data in use (data being processed in memory).
Currently, data at rest and data in transit are fully secured via encryption techniques and data handling practices. The missing piece is the security of data-in-use where the industry is still struggling. Let’s have a brief glance at the currently existing security protocols for these data states and identfiy what is missing.
THE MISSING PIECE- SECURE DATA-IN-USE
Security strategists must define their strategy to cover the security of all three states of data. The industry has enough mechanisms and techniques to protect data at rest and data in motion. Data at rest is protected using storage and database encryption techniques under Advance Encryption Standards (AES), firewalls, antivirus, and antimalware, etc. Similarly, data in motion is secured by using TLS (Transport Layer Security), SSL (Secure Socket Layer), and HTTPS (Hyper Text Transfer Protocol Secure) protocols.
The third state of data i.e., data-in-use is the one that is prone to attacks. The encrypted data needs to be decrypted before its being processed in the memory. This unencrypted data can be targeted by placing malicious programs in memory altering the processing algorithm itself, or by access to sensitive data by malicious entities.
Confidential Computing is an emerging technology plugging this last data security gap. The technology was marked under Innovation Trigger (on-the-rise) of Gartner Hype Cycle 2020.
CONFIDENTIAL COMPUTING IN BRIEF
Confidential computing involves data protection when it is being processed. In this case, data protection is rendered by performing the computation in an isolated environment which is known as Trusted Execution Environment (TTE that exists in CPU (hardware or cloud based).
In this case, data remains encrypted throughout its journey except for the time it is being processed. The encoded program in the TEE decrypts the data itself inside the enclave using embedded hardware keys. Even users with root access or cloud providers do not have access to the decrypted data inside TEE.
WHY AND WHERE IN THE INDUSTRY
Let us check the key areas in the industry which can be transformed by using confidential computing.
THE CLOUD INDUSTRY
Businesses are moving ahead by migrating workloads to the cloud. But many businesses, especially the ones which fall under ‘regulated’ industries, are hesitant to do so since they are not fully convinced about the end-to-end security of their data. On the cloud, control on data is lost leading to security threats such as malicious system admins and insiders and/or malware attacks while the data is being processed.
The greatest challenge lies in handling sensitive data which is being exposed to malefic intruders while it is in processing state.
How Confidential Computing can help.
Confidential computing will plug the existing security gaps where data in use is exposed and prone to attacks.
Cloud computing will gradually move to secure, encrypted platforms, ensuring that user’s sensitive data is not exposed to any intruder including cloud providers themselves.
Imagine being able to collaborate on a genomic study or a vaccine discovery project with participants across geographies including competitors, while maintaining the confidentiality of sensitive health information.
There are endless exciting possibilities we can imagine. But as of now, there are limitations on partners/alliances/ consortiums to share data and collaborate efficiently. This is due to the lack of trust and uniform security & confidentiality of data being shared.
How Confidential Computing can help.
Confidential computing will ensure that there is total security and confidentiality throughout the data handling process. The unique encryption keys are not accessible to any entity or person. It resides in the program embedded within the enclave and ensures that even users with the root access can’t access the decrypted data while it is being processed. This full-proof mechanism will eventually foster trust among participants and mitigate the fear of data mishandling.
Confidential computing along with other technologies such as blockchain will establish a new era of data sharing and collaboration.
DATA PROTECTION LAWS AND COMPLIANCES
Every legislative body working around data protection is continuously revising data security laws in place. In parallel, new regulations and compliances are being added to existing laws owing to the rapidly changing data-ecosystems.
Hefty fines are involved when the laws are violated.
The maximum monetary sanction under GDPR is set at €20 million or 4% of global turnover. Fines are imposed in addition to or regardless of other remedies, such as an order to stop the violation, a directive to modify data processing to comply with the GDPR, or to enforce a temporary or permanent restriction including a data processing ban.
How Confidential Computing can help.
Confidential Computing guarantees that while handling and processing the data, there are no security loopholes where data can be breached. The data can be encrypted at levels that even the company itself cannot access the data throughout its journey.
It will also provide several companies a way to process and analyse the sensitive/ personal data stored in their vault without even accessing and viewing it and develop insights for improved products and services.
Confidential computing is gaining momentum in the industry because it is a necessity and a solution to problems that have blocked many exciting potential use cases.
To proceed with, one can evaluate the Trusted Execution Environments (TEE) developed by chip manufacturers and proceed as per their use case. Almost all the cloud providers have confidential computing enabled VMs in their product portfolio. One can also evaluate the services and solutions offered by major IT service providers to implement confidential computing in an efficient manner.
A consortium named as ‘Confidential computing Consortium’ has also been launched in 2019 under Linux Foundation, which aims to research and define technical and regulatory standards for confidential computing. It will foster the development and adoption of open source tools.
Confidential computing is a much-needed transformational technology that can have a practical impact on businesses and our lives as well. Very soon we will start seeing it as a part of every enterprise data strategy.