By Bruce Kornfeld
In computing, data exists in three states: in transit, at rest and in use. Data moving across the network is “in transit,” data residing in some type of storage is “at rest,” and data being processed is “in use.”
As cyberthreats targeted toward network and storage devices are increasingly thwarted by protections that apply to data in transit and at rest, attackers have shifted their focus to data in use. Common attack vectors include memory scraping, CPU side-channel attacks and malware injection.
Confidential Computing is the protection of data in use, through hardware-based Trusted Execution Environments (TEEs). A TEE is defined as an environment that provides a level of assurance of data integrity, data confidentiality and code integrity.
Security strategists must consider all the different layers of possible intrusion. If one layer is compromised (such as data in use), then other layers (data at rest, data in motion) could be impacted. Confidential Computing is closing the last “hole” that intruders could infiltrate and will significantly strengthen any organization’s overall security strategy.
The rise of Confidential Computing
While organizations have been striving to protect data with many security strategies for decades, Confidential Computing is a first of its kind solution, with no previous alternative. It’s an innovative way to shore up another potential weakness in an organization's data protection strategy. Major advancements in processor and memory chip design are enabling more functionality to be built into standard processing chip sets, and are thus beginning to drive the rise and adoption of Confidential Computing solutions.
When any new technology enters the market, it is typically complex at first but soon evangelized by the tech community and experts in its particular niche. Confidential Computing is still in the early adoption phase and lacks a standard way to be implemented. Multiple vendors are positioning it in many different ways, which can be confusing to the average security IT professional, yet exciting at the same time.
A good security analogy that outlines a similar adoption speed can be found in the key management space. Before the introduction of the key management interoperability protocol (KMIP), each encryption solution deployed by an organization would need a proprietary integration to some form of encryption key manager. While this was complicated and confusing initially, the kinks were eventually resolved.
Current key management solutions that have adopted KMIP are now simple to implement and use and are more affordable. Like key management and many other technologies before it, Confidential Computing technology adoption is expected to follow a similar path.
As the Confidential Computing market develops, we will see significant changes in the next three to five years. Initially, each use case will likely have a slightly different implementation that will require its own hardware at the chip level, as well as software to manage it.
In this timeframe, it’s reasonable to expect that customer demand will force the chip manufacturers to standardize so that end users have one method for securing their data in use. This will force the software industry to quickly innovate and improve the manageability and compatibility of Confidential Computing, so that it will more easily fit into existing security management frameworks and become more readily available.
How to enter the Confidential Computing space
Since Confidential Computing is just hitting the mainstream today, IT security professionals should investigate ways to deploy TEEs for their most critical corporate or government applications, knowing that they may have to deal with multiple different implementations, depending on the hardware vendor used for a particular application.
For example, if the TEE is run in a data center, management will need to be provided by the organization's hardware vendor. These TEEs use hardware-backed techniques, like secure enclaves, to provide increased security guarantees for the execution of code and protection of data within that environment. Examples of hardware-based enclaves include trusted platform modules (TPMs), Intel’s Secure Guard Extensions (SGX), ARM’s Trustzone and AMD’s Secure Encrypted Virtualization (SEV). Companies that use the cloud, however, typically need to turn to different TEEs hosted as a service by their cloud provider. Those include Azure’s Confidential Computing, which uses Intel’s SGX, and Google Cloud Confidential Computing.
While HSMs can take advantage of Confidential Computing, they are still a separate piece of complex and expensive hardware that needs to be managed. Software-based key managers can run on any hardware that offers TEEs, to deliver the value of Confidential Computing at a fraction of the cost, yet with all of the value that comes from the protection that comes from hardware solutions.
Security is at the forefront of any IT strategy, and Confidential Computing will be the next technology to watch in the coming months and years.
Bruce Kornfeld is an experienced technology executive who has held leadership roles in marketing, product management, alliances and business development in the storage, server, networking and security industries. He joined StorMagic in 2017, and serves as chief marketing and product officer, where he is responsible for all aspects of global marketing, product management and alliances for the company.