Published in Geek Culture

Confidential Computing Explained

Another Pillar of Data Protection

Photo by Taylor Vick on Unsplash

How are you making sure that your highly sensitive information is protected while it is running? Confidential computing. Before I get into what confidential computing is, I want to go a little bit into why it is such an exciting field. Confidential computing is exciting, among other reasons, because there is a lot of cross-collaboration in the tech space to actually drive the technology forward. It is amazing seeing people reaching across a competitive aisle to do that. Another reason is that the technology directly complements the data encryption paradigm we have today and makes it more complete.

So before I get into the actual technology, and some of the use and value behind it, let’s start with the existing pillars of data encryption today. Typically you start by protecting your data at rest, when you are storing it. This can be whatever information you want to protect. The basic journey is represented in the image below.

Simple data representation
Image by Author

Now we have information that we want to move from point A to point B. To do that securely, we need to protect it while it is in transit. That is covered too. These are the two pillars available in today’s story. The missing piece is how to protect data while running it. That is the third pillar I would like to get into in this piece. Why do we need to protect it when it is running?

It goes without saying, but you will have to protect yourself against malicious hackers, insider threats, memory dumps, and things of that nature. In addition, we might want to collaborate with a trusted vendor or a trusted technology partner without exposing a piece of highly sensitive information to them, even though we want them to be able to take advantage of it.

How can we ensure that the information is not only invisible to these parties but also protected in the worst-case scenario? That is where confidential computing comes in. Confidential computing is a hardware-based technology that allows for the physical partitioning of memory at the server level. That is a mouthful, so let me explain step by step in simpler terms.

The stack is quite simple to visualize. At the bottom we have the hardware level, which is where the actual physical partitioning of the memory takes place; above it we have the middleware level; and on top, for this example (though it is not limited to this), we are going to use a containerized abstraction.

Hardware stack representation
Image by Author

At the hardware level, the physical partitioning of memory allows you to run a specific application in its own silo. The silo in the scenario I have painted here is called an Enclave. That means we will have Enclaves at the containerized level of the stack, and these Enclaves can run applications in a physically isolated environment. Let’s take a deeper look at what the Enclave is. The Enclave itself functions like a black box that houses the data I mentioned earlier together with the set of techniques or procedures for processing that data.

Returning to the threats to data described above: the system holds an encryption key that is extended only to the authorized program, allowing that program to decrypt the information inside the physically isolated silo and perform its set of processes. That privilege is what prevents access by any unauthorized party.

Data access representation
Image by Author

What access does it actually prevent? The access to view data inside the partitioned silo, and to modify the code as well. The most important thing in this design is that we verify that the interaction with that code or data is as intended, which is possible through attestation reports. Going back to the key value proposition discussed, it is safe to say that this secure Enclave provides data and code integrity that we did not have before: it restricts data visibility, prevents unauthorized modification, and verifies the actual interaction with code and data by authorized parties through the use of attestation reports.
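As an added example (not code from the article), here is a small Python model of the attestation-gated flow just described: the enclave's code is measured, the platform signs a report binding that measurement to a verifier-chosen nonce, and the data key is released only to code whose report verifies. The hardware key, HMAC-based signing and the code strings are constructed stand-ins; real platforms use vendor-rooted asymmetric signatures.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the platform's hardware-rooted attestation key.
# Real hardware uses an asymmetric key that software can never read; HMAC
# is used here only to keep the model small.
HARDWARE_KEY = b"constructed-hardware-root-of-trust-key"

def measure(code: bytes) -> str:
    """Measurement: a hash of the code loaded into the enclave."""
    return hashlib.sha256(code).hexdigest()

def attestation_report(code: bytes, nonce: bytes) -> dict:
    """Produced by the platform for the enclave: binds the measurement to a
    verifier-chosen nonce and signs both with the hardware key."""
    m = measure(code)
    sig = hmac.new(HARDWARE_KEY, m.encode() + nonce, hashlib.sha256).hexdigest()
    return {"measurement": m, "nonce": nonce, "signature": sig}

def verify_report(report: dict, nonce: bytes, allowed: set) -> bool:
    """Relying party: signature must be genuine, nonce must be the one we sent
    (no replay), and the measured code must be one we approved."""
    body = report["measurement"].encode() + report["nonce"]
    expected = hmac.new(HARDWARE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report["signature"], expected):
        return False
    if not hmac.compare_digest(report["nonce"], nonce):
        return False
    return report["measurement"] in allowed

def release_key(report: dict, nonce: bytes, allowed: set, data_key: bytes):
    """Key release gated on attestation: only attested code receives the key."""
    return data_key if verify_report(report, nonce, allowed) else None

def demo() -> tuple:
    """Returns (approved code got key, modified code refused, replayed report refused)."""
    approved = b"def process(records):\n    return sum(records)\n"
    modified = approved + b"# an unexpected change to the enclave code\n"
    allowed = {measure(approved)}          # constructed allowlist of measurements
    data_key = secrets.token_bytes(32)     # the key the enclave needs to decrypt data
    nonce = secrets.token_bytes(16)        # freshness challenge chosen by the verifier
    good = release_key(attestation_report(approved, nonce), nonce, allowed, data_key)
    bad = release_key(attestation_report(modified, nonce), nonce, allowed, data_key)
    stale = release_key(attestation_report(approved, nonce),
                        secrets.token_bytes(16), allowed, data_key)
    return good == data_key, bad is None, stale is None
```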

Why should we use confidential computing? When the three pillars of data encryption (at rest, in transit, and while running) are used together, confidential computing eliminates the single largest barrier to moving sensitive data sets from one company to another, enabling faster and better collaboration with partners. Another area where confidential computing is of great value is edge computing: data and applications at edge nodes can be protected with confidential computing when it is used as part of distributed cloud patterns.

Confidential computing is not just for data protection. It is also used to protect any business’s intellectual property so that businesses will not have to worry about storing and processing customer data, proprietary technology, and other sensitive assets. It also means that businesses have the freedom of choice when looking for cloud computing services that best meet their business and technical requirements.

You can see the clear value provided by confidential computing. Confidential computing is focused on protecting application data while you are running it, and it allows for us to be able to collaborate more freely with other parties, as well as protect ourselves in a new way from malicious actors, whether external or internal.

Samuel Martins