What Is Confidential Computing?

Cloud and edge networks are setting up a new line of defense, called confidential computing, to protect the growing wealth of data users process in those environments.

Confidential Computing Defined Confidential computing is a way of protecting data in use, for example while in memory or during computation, and preventing anyone from viewing or altering the work.

Using cryptographic keys linked to the processors, confidential computing creates a trusted execution environment or secure enclave. That safe digital space supports a cryptographically signed proof, called attestation, that the hardware and firmware is correctly configured to prevent the viewing or alteration of their data or application code.

In the language of security specialists, confidential computing provides assurances of data and code privacy as well as data and code integrity.

What Makes Confidential Computing Unique? Confidential computing is a relatively new capability for protecting data in use.

For many years, computers have used encryption to protect data that's in transit on a network and data at rest, stored in a drive or non-volatile memory chip. But with no practical way to run calculations on encrypted data, users faced a risk of having their data seen, scrambled or stolen while it was in use inside a processor or main memory.

With confidential computing, systems can now cover all three legs of the data-lifecycle stool, so data is never in the clear.

Confidential computing adds a new layer in computer security - protecting data in use while running on a processor. In the past, computer security mainly focused on protecting data on systems users owned, like their enterprise servers. In this scenario, it's okay that system software sees the user's data and code.

With the advent of cloud and edge computing, users now routinely run their workloads on computers they don't own. So confidential computing flips the focus to protecting the users' data from whoever owns the machine.

With confidential computing, software running on the cloud or edge computer, like an operating system or hypervisor, still manages work. For example, it allocates memory to the user program, but it can never read or alter the data in memory allocated by the user.

How Confidential Computing Got Its Name A 2015 research paper was one of several using new Security Guard Extensions (Intel SGX) in x86 CPUs to show what's possible. It called its approach VC3, for Verifiable Confidential Cloud Computing, and the name - or at least part of it - stuck.

We started calling it confidential cloud computing, said Felix Schuster, lead author on the 2015 paper.

Four years later, Schuster co-founded Edgeless Systems, a company in Bochum, Germany, that develops tools so users can create their own confidential-computing apps to improve data protection.

Confidential computing is like attaching a contract to your data that only allows certain things to be done with it, he said.

How Does Confidential Computing Work? Taking a deeper look, confidential computing sits on a foundation called a root of trust, which is based on a secured key unique to each processor.

The processor checks it has the right firmware to start operating with what's called a secure, measured boot. That process spawns reference data, verifying the chip is in a known safe state to start work.

Next, the processor establishes a secure enclave or trusted execution environment (TEE) sealed off from the rest of the system where the user's application runs. The app brings encrypted data into the TEE, decrypts it, runs the user's program, encrypts the result and sends it off.

At no time could the machine owner view the user's code or data.

One other piece is crucial: It proves to the user no one could tamper with the data or software.

Attestation uses a private key to create security certificates stored in public logs. Users can access them with the web's transport layer security (TLS) to verify confidentiality defenses are intact, protecting their workloads. (Source: Jethro Beekman) The proof is delivered through a multi-step process called attestation (see diagram above).

The good news is researchers and commercially available services have demonstrated confidential computing works, often providing data security without significantly impacting performance.

A high-level look at how confidential computing works. Shrinking the Security Perimeters As a result, users no longer need to trust all the software and systems administrators in separate cloud and edge companies at remote locations.

Confidential computing closes many doors hackers like to use. It isolates programs and their data from attacks that could come from firmware, operating systems, hypervisors, virtual machines - even physical interfaces like a USB port or PCI Express connector on the computer.

The new level of security promises to reduce data breaches that rose from 662 in 2010 to more than 1,000 by 2021 in the U.S. alone, according to a report from the Identity Theft Resource Center.

That said, no security measure is a panacea, but confidential computing is a great security tool, placing control directly in the hands of data owners .

Use Cases for Confidential Computing Users with sensitive datasets and regulated industries like banks, healthcare providers and governments are among the first to use confidential computing. But that's just the start.

Because it protects sensitive data and intellectual property, confidential computing will let groups feel they can collaborate safely. They share an attested proof their content and code was secured.

Example applications for confidential computing include:

Companies executing smart contracts with blockchains

Research hospitals collaborating to train AI models that analyze trends in patient data

Retailers, tel

LINK:	https://blogs.nvidia.com/blog/2023/03/01/what-is-confidential-computin...
	See more stories from nvidia

More from Nvidia