Why confidential computing will be critical to (not so distant) future data security efforts

Confidential computing, a hardware-based technology designed to protect data in use, is poised to make significant inroads in the enterprise — just not yet, security experts say.

But it will be an important tool for enterprises as they more frequently use public and hybrid cloud services because confidential computing provides additional assurance for regulatory compliance and restriction of cross-border data transfer, says Bart Willemsen, a vice president analyst at Gartner. 

“I think we’re in the very, very early stage,’’ Willemsen adds, noting that “in ‘Gartner speak’ it’s very left on the hype cycle, meaning the hype is just getting potentially started. We have a long way to go. Chip manufacturers are making several adjustments to projects [along] the way.”

Protecting data in use

But once implemented, it will be a game changer. Confidential computing will help enable enterprises to retain an even greater degree of control over their data by protecting the data while it is in use, said Heidi Shay, a principal analyst at Forrester.

“What is different here is that this approach protects the confidentiality and integrity of data, as well as the application or workload in system memory,” she said.

Securing data in use is the next frontier, she says, going beyond measures to protect data while at rest or in transit. 

“Confidential computing, specifically as an approach to securing data in use, protects against a variety of threats, including attacks on software and firmware and protocols for attestation, workload and data transport. It raises the bar for protection, especially when data integrity threats [such as] data manipulation and tampering are a concern.”

In the next decade, confidential computing will transition from a mostly experimentation phase of protecting highly sensitive data to becoming more of a default for computing, said Willemsen.

“Over time, the minimum security and data protection hygiene levels will come to include confidential computing-based data clean rooms where organizations can combine information and process it or conduct analytics on it in a closed, protected environment without compromising data confidentiality,’’ he said.

A boon to compliance

This will be significant in helping organizations comply with regulatory requirements, especially European organizations, because it will provide assurance about the confidentiality of data and protect it in cross-border transfers in cloud computing, said Willemsen.

For example, Microsoft offers the use of confidential computing chips in Azure, he notes. “They facilitate the hardware as long as the information will be processed in those enclaves, and the confidentiality of that data is more or less assured to European organizations, protecting it from being accessed even by the cloud provider,” he said.

The level of robustness in protection that confidential computing will offer will depend on which infrastructure-as-a-service (IaaS) hyperscale cloud service provider you go with, Willemsen notes. 

Because threat vectors against network and storage devices are increasingly thwarted by software that protects data in transit and at rest, attackers have shifted to targeting data-in-use, according to the Confidential Computing Consortium (CCC).

The CCC was not established as a standards organization, but began working on standards in 2020, according to Richard Searle, VP of confidential computing at member organization Fortanix. Membership is comprised of vendors and chip manufacturers and also includes Meta, Google, Huawei, IBM, Microsoft, Tencent, AMD Invidia and Intel.

The consortium has established relationships with NIST, the IETF, and other groups responsible for standards definition to promote joint discussion and collaboration on future standards relevant to confidential computing, said Searle.

Confidential computing and homomorphic encryption

There are different techniques and combinations of approaches to secure data in use. Confidential computing falls under the “same umbrella of forward-looking potential use mechanisms” as homomorphic encryption (HME), secure multiparty computation, zero knowledge and synthetic data, said Willemsen.

Shay echoes that sentiment, saying that depending on use case and requirements, HME is another privacy-preserving technology for secure data collaboration.

HME is the software aspect of protecting data in use, explained Yale Fox. It lets users work on data in the cloud in encrypted form, without actually having the data, said Fox, a CEO of software engineering firm Applied Sciences Group and IEEE member.

“We’re always thinking about what happens if a hacker or a competitor gets your data, and [HME] provides an opportunity for companies to work on aligned goals with all the data they would need to achieve it without actually having to give the data up, which I think is really interesting,’’ said Fox.

The technologies are not just relevant for CISOs, but CIOs, who oversee the people responsible for infrastructure, he said. “They should work together and they should start experimenting with instances available to see what [confidential computing] can do for them.”

Not just ‘plug and play’

The differences in hardware and the ways in which it is used in tandem with software, “make for a great difference in the robustness of the security provided,’’ said Fox.

IaaS providers will not all have the same level of protection. He suggests that companies determine those differences and familiarized themselves with the risks — and the extent to which they can mitigate them.

That’s because confidential computing is “not plug and play,” said Fox. Interacting with secure enclaves requires considerable specialized technologies. 

“Right now, the biggest risk … is in implementation because, depending on how you structure [a confidential computing environment], you’re basically encrypting all your data from falling into the wrong hands — but you can lock yourself out of it, too,’’ he said. 

While confidential computing services exist, “HME is a little too bleeding edge right now,” said Fox. “The way to mitigate risk is to let other companies do it first and work out the bugs.” 

Both the data that is being computed and the software application can be encrypted, he said.

“What that means is, if I’m an attacker and I want to get into your app, it’s much harder to reverse engineer it,” said Fox. “You can have pretty buggy code wrapped in HME and it’s very hard for malware to get in. It’s kind of like containers. That’s what’s interesting.”

Looking ahead: Confidential computing and its role in data security 

Confidential computing technology is now incorporated into the latest generation of processors offered to cloud and data center customers by Intel, AMD and Arm, according to Fortanix’s Searle. NVIDIA has also announced the development of confidential GPUs, “and this will ensure that confidential computing capability is a ubiquitous feature across all data processing environments,’’ he said.

Right now, rather than being deployed for specific workloads, “in the near term, all workloads will be implemented using confidential computing to be secure-by-design,’’ said Searle. “This is reflected by the market analysis provided for the CCC by Everest Group and the launch of integrated confidential computing services by the hyperscale cloud providers.”

While different privacy-enhancing technologies are often characterized as being mutually exclusive, Searle says, it is also likely that combining different technologies to perform specific security-related functions within an end-to-end data workflow will provide the data security envelope that will define future cyber security. 

It behooves cloud service providers to demonstrate that while they facilitate infrastructure they do have access to their customers’ information, said Willemsen. But the promise of confidential computing is in the additional level of protection, and the robustness of that protection, which “will give you more or less, guarantees,’’ he said.

Fox calls confidential computing “the best thing to happen to data security and computing security probably since … I’ve been alive.”

He has little doubt there will be enterprise adoption because of the high value it provides, but like Willemsen, cautions that adoption will be slow because of user resistance, much like it is with multifactor authentication (MFA).

Consortium member Nataraj Nagaratnam, who is also CTO of IBM’s cloud security division, says that given the complexities of implementing confidential computing, he thinks it will be another three to seven years before it becomes commonplace. “Currently, different hardware vendors approach confidential computing a little differently,’’ Nagaratnam says. “It will take time for upstream layers like Linux distributors to integrate it, and more time for an ecosystem of vendors to take advantage of it.”

Additionally, migrating from an insecure environment to a confidential computing environment is a pretty big lift, Fox note. “Some upgrades are easy and some are hard, and this looks like the hard side of things. But the return on your efforts is also massive.”