Confidential Computing: A Key To Secure Cloud And Edge Environments

Security focus widens to include protecting data in use and privacy compliance.


Historically, data security was primarily focused on safeguarding data residing within systems controlled by the users themselves, such as on-premise storage and server infrastructure. In such a siloed environment, information stored on the storage media, Data-at-Rest, was encrypted to ensure security. Data-in-Motion (aka Data-in-Transit) was safeguarded by encrypting it before transmitting it over the network.

As organizations migrate their workloads to hybrid environments or to third-party cloud service providers, those workloads increasingly run on infrastructure that the organization does not own or fully trust. Encryption still secures Data-at-Rest and Data-in-Motion, but data must be decrypted before the processor can operate on it, and this Data-in-Use becomes susceptible to side-channel attacks, malware injection, memory scraping, and similar threats.

The traditional data security model protects data where it is stored and when it is in transit. However, the traditional model fails to protect data while it is being processed. Confidential Computing provides a comprehensive protection model across the data lifecycle, whether Data-at-Rest, Data-in-Motion or importantly Data-in-Use.

Confidential Computing is the protection of Data-in-Use by performing computation in a hardware-based, attested Trusted Execution Environment (TEE). A TEE is a secure area within a processor that prevents unauthorized access or modification of data. Verification of the TEE’s security is achieved through a process called attestation, which ensures the environment is isolated and running the correct, trusted code.

The foundation of the TEE is called a Root of Trust (RoT), which is based on a secure key unique to each processor. The processor uses this RoT to confirm it has the proper firmware before initiating a secure boot process. This process generates reference data to confirm that the processor is in a verified, secure state, ready to begin processing.

Once the processor has established a TEE, user applications can run within this secure enclave. Encrypted data is brought into the TEE, decrypted, processed, and then re-encrypted before being transmitted. At no point is the machine owner, or any external entity, able to view or access the user’s code or data.
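The measured-boot and attestation flow described above, as an added example that is not code from the original article or from Rambus: the simulated processor folds each boot component into a forward-only measurement register, signs that measurement together with a verifier-supplied nonce, and the relying party releases the data-encryption key only after the signature, the nonce freshness and the measurement against a reference value all check out. The component names, keys and the use of an HMAC with a shared per-chip secret as a stand-in for a real asymmetric device signature are assumptions made for this example; a production verifier checks a vendor-issued certificate chain instead.

```python
import hashlib
import hmac
import secrets

# Constructed sample boot components and keys (not real firmware or real keys).
GOOD_FIRMWARE = b"firmware image v1.2 (constructed sample)"
GOOD_OS = b"guest kernel build 4711 (constructed sample)"
GOOD_APP = b"analytics enclave app (constructed sample)"
DEVICE_KEY = b"constructed-per-chip-root-of-trust-secret"
DATA_KEY = b"constructed-data-encryption-key"


def extend(register: bytes, component: bytes) -> bytes:
    """Measured boot step: fold the hash of the next component into the register.
    This is the same one-way 'extend' used by TPM PCRs and TEE measurement
    registers; the value can only move forward, never be rewound."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Chain all boot components into one final measurement value."""
    register = b"\x00" * 32
    for component in components:
        register = extend(register, component)
    return register


def reference_measurement() -> bytes:
    """Golden value the verifier expects for a correctly booted platform."""
    return measure_boot([GOOD_FIRMWARE, GOOD_OS, GOOD_APP])


class SimulatedTEE:
    """Processor side: holds the per-chip secret and reports its measurement."""

    def __init__(self, device_key: bytes, boot_components):
        self.device_key = device_key
        self.measurement = measure_boot(boot_components)

    def attest(self, nonce: bytes) -> dict:
        # Bind the measurement to the verifier's nonce so the report cannot be replayed.
        sig = hmac.new(self.device_key, self.measurement + nonce, hashlib.sha256).digest()
        return {"measurement": self.measurement, "nonce": nonce, "sig": sig}


class Verifier:
    """Relying party: releases the data key only to an attested, correctly booted TEE."""

    def __init__(self, device_key: bytes, reference: bytes, data_key: bytes):
        self.device_key = device_key
        self.reference = reference
        self.data_key = data_key
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def release_key(self, report: dict):
        nonce = report["nonce"]
        if nonce not in self.outstanding:
            return None  # replayed or unsolicited report
        self.outstanding.discard(nonce)  # each nonce is single-use
        expected = hmac.new(self.device_key, report["measurement"] + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, report["sig"]):
            return None  # not produced by the genuine Root of Trust
        if not hmac.compare_digest(report["measurement"], self.reference):
            return None  # platform booted unexpected firmware, OS or application code
        return self.data_key


def scenario(components, replay: bool = False):
    """Run one attestation round; returns the released key or None."""
    tee = SimulatedTEE(DEVICE_KEY, components)
    verifier = Verifier(DEVICE_KEY, reference_measurement(), DATA_KEY)
    report = tee.attest(verifier.challenge())
    first = verifier.release_key(report)
    if replay:
        return verifier.release_key(report)  # same report presented twice
    return first


def scenario_forged():
    """A report that claims the golden measurement but lacks a valid signature."""
    verifier = Verifier(DEVICE_KEY, reference_measurement(), DATA_KEY)
    forged = {"measurement": reference_measurement(), "nonce": verifier.challenge(), "sig": b"\x00" * 32}
    return verifier.release_key(forged)


if __name__ == "__main__":
    print("good boot:", scenario([GOOD_FIRMWARE, GOOD_OS, GOOD_APP]) == DATA_KEY)
    print("tampered firmware:", scenario([b"patched firmware", GOOD_OS, GOOD_APP]))
    print("replayed report:", scenario([GOOD_FIRMWARE, GOOD_OS, GOOD_APP], replay=True))
    print("forged report:", scenario_forged())
```

The key point for a deployment is the ordering: the data key never leaves the verifier until the signature proves the report came from the genuine Root of Trust, the nonce proves it is fresh, and the measurement proves the expected code is what is running. Changing any single boot component changes the final measurement, so the verifier rejects it without needing to know which component was altered.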

Within a TEE, both the data and code remain invisible to all external parties, including the cloud provider, virtual machines, and operating systems. TEEs protect all three elements essential to data security:

  • Data confidentiality: unauthorized entities cannot view Data-in-Use within the TEE.
  • Data integrity: unauthorized entities cannot add, remove, or alter Data-in-Use within the TEE.
  • Code integrity: unauthorized entities cannot add, remove, or alter code executing in the TEE.

The benefits of Confidential Computing go beyond the protection of Data-in-Use to reduce the risk of data breaches and unauthorized access. Confidential Computing also enables privacy compliance to help organizations meet stringent data privacy and security regulations, which is especially critical in sectors like health, finance and government. In addition, it enables secure multi-party collaboration to allow multiple parties to collaborate on data analysis or machine learning models without exposing sensitive data to the other parties.

Rambus can enable customers to implement a Confidential Computing architecture with our wide portfolio of security solutions including but not limited to hardware Root of Trust IP solutions, Inline Memory Encryption solutions, and Security Protocol Engines. The Rambus Secure Programmable Root of Trust products help establish a TEE with a dedicated on-chip and isolated memory. Furthermore, the Rambus Inline Memory Encryption portfolio helps protect Data-in-Use, while the Security Protocol Engine portfolio helps secure Data-in-Motion. Based on the specific segment in which the solution is deployed, customers have the flexibility to select features tailored to that segment. This allows customers to procure the necessary certifications, ensuring a successful entry into their targeted segments.
