Data security in the cloud is a concern for companies and is slowing down adoption. The situation is becoming more acute due to the increasing emergence of AI/ML and IoT workloads. Cloud providers want to remedy this with confidential computing.
Cloud providers offer their users the option of securing data in transit and at rest as part of their storage services. These measures may be sufficient for data with low confidentiality requirements. However, a certain potential for data breaches exists even during data processing in the cloud (data in use).
Before an application can process data it must find it in memory in plain text. This means that the data is not protected against misuse immediately at the time of processing . As well as shortly before and after: memory dumps. Root user errors and a variety of malicious exploits and vulnerabilities such as Spectre and Meltdown represent a persistent threat. The situation is particularly serious in the cloud (see the section “The illusion of shared responsibility” below).
With a solution called Confidential Computing, cloud providers want to effectively counteract the risk of unauthorized access to data from running workloads.
Confidentially encrypted
Confidential computing can be used to protect data during processing. The approach is designed to effectively prevent unauthorized access to confidential information in a virtual machine. Even in the event of a successful break-in attempt. Confidential computing makes use of technical precautions that have been implemented in the hardware of the host system in question: the so-called trusted execution environment (TEE) of the CPU.
Confidential computing isolates confidential data during Panama Phone Number List processing in the trusted execution environment within the CPU, a so-called protected CPU enclave. The contents of this enclave – i.e. the data to be processed – and the techniques for handling this data are secured with embedded cryptographic keys and are only accessible to authorized application code. For all other accesses by the operating system (or the hypervisor in the case of a virtual machine) – even if initiated by the cloud provider – the data remains invisible. The data in question is protected in the main memory until the application in question requests decryption by the TEE. In contrast, an attempt to access it by unauthorize or manipulate code leads to the calculation being abort.
Confidential computing currently requires specially adapt applications that can handle the in-memory processing of encrypt data. Such an application is divid into two types of components.
Creating safe enclaves
All leading cloud providers are in a frenzy when it comes to confidential computing. At the end of 2019, a group of CPU manufacturers. Cloud providers and software developers came together cell phone number listing and found an organization to promote confidential computing under the auspices of the Linux Foundation: the Confidential Computing Consortium (CCC). CCC’s goal is to enable in-memory processing of encrypted data in hybrid environments so that companies can move their workloads and data back and forth between cloud, on-premises and edge environments as need.
The founding members of CCC include AMD
Fortanix, Google, IBM/Red Hat, Intel, Microsoft, Oracle, Swisscom and VMware. As well as the Chinese technology conglomerates Alibaba. Baidu and Tencent. Intel has contribut its own Software Guard Extensions SDK (Intel SGX) to the consortium. The Open Enclave Software Development Kit (OE SDK) and Enarx are also being developed within the framework of the CCC.
Open Enclave is a collection of libraries for developing Bulk Database TEE-enabled applications based on a unifi abstraction in a universal platform model. Enarx is an open source system for deploying applications in Trust Execution Environments (TEEs). Enarx uses technologies such as Web Assembly to enable the execution of unmodifi application code in protect runtime environments. Known as keeps. On untrust hardware – for example in the cloud.
