Two years ago, a group of tech companies introduced a new roadmap for cloud computing security. Confidential computing “uses hardware-based techniques to isolate data, specific functions, or an entire application from the operating system, hypervisor or virtual machine manager, and other privileged processes,” says IEEE Spectrum. So, what sets this apart from other digital defense efforts? How does it work?

Today’s Cloud Computing Security

Today, businesses and agencies are looking for a new way to keep their data secure in the cloud. That’s even more key for financial services clients, vehicle makers, health insurance providers and telecommunication service providers. These sectors face specific compliance rules as well as a growing number of broader data protection rules.

Therefore, groups in these fields need to uphold what IEEE Spectrum calls the “three pillars of data security” — protecting data at rest, in motion and in use. These apply to cloud computing security as well. The first and second have been managed over the years through encryption and tokenization, among other methods. But the last one has proven more difficult to achieve — even more so in the cloud. Computation requires data to not be protected. That gives attackers a chance to dump the contents of memory and thus steal sensitive data.

This is how it used to be, at least. It’s a different world now.

How Confidential Computing Works

Back in 2019, several cloud providers, CPU makers and software companies came together to create the Confidential Computing Consortium (CCC). This plan gave rise to confidential computing. It’s a way to encrypt cloud-based data while it’s in use and during processing.

It works through a trusted execution environment (TEE), a hardware-based secure enclave within a CPU. Security personnel secure the TEE using a set of embedded encryption keys. Then, they limit access to those keys by using a series of embedded attestation mechanisms. Those measures watch for unauthorized attempts to access the keys or to modify the code. If they do detect such an incident, the TEE refuses access and terminates the session.

Why Use the TEE?

“In this way, sensitive data can remain protected in memory until the application tells the TEE to decrypt it for processing,” explained IBM Cloud Security Chief Technical Officer Nataraj Nagaratnam for Learn Hub. “While decrypted and throughout the entire computation process, the data is invisible to the operating system (or hypervisor in a virtual machine), to other compute stack resources and to the cloud provider and its employees.”

Applying a TEE in this way creates several benefits for cloud computing security. One is the way it can extend cloud computing to sensitive workloads. Early adopters didn’t rush things when they embarked on their cloud journeys several years ago. For most, it was about migrating over a few simple workloads to the public cloud. But we’re now in chapter two of the cloud, looking to transition the remaining workloads. This involves moving sensitive data over to the cloud while at the same time trying to avoid the instances of ransomware and other attacks that marked cloud’s first chapter.

Confidential computing also opens up new business opportunities. Organizations can choose a cloud service provider that best meets their needs without worrying about storing and processing their data. Organizations can also work with other companies on making new solutions without disclosing intellectual property or other data that they want to keep safe.

Confidential Computing and Beyond

The emergence of confidential computing means that CCC members and other manufacturers rethink cloud computing security. It demands that they situate confidential computing within ongoing efforts to manage risk and compliance using prescriptive controls, ensure data-centric protection using zero trust, achieve ongoing detection and response as well as infuse security and privacy with DevSecOps. It also requires them to innovate confidential computing solutions in a way that allows for the needs of a large swath of businesses and industries.

To do all this means going beyond confidential computing to help achieve the highest level of privacy assurance. Nataraj discussed what this process involves at Think 2021. You can view his session on demand here.

More from Zero Trust

Zero Trust Data Security: It’s Time To Make the Shift

4 min read - How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not. Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult — if not impossible — to define. Add geopolitical and economic instability…

4 min read

How Zero Trust Changed the Course of Cybersecurity

4 min read - For decades, the IT industry relied on perimeter security to safeguard critical digital assets. Firewalls and other network-based tools monitored and validated network access. However, the shift towards digital transformation and hybrid cloud infrastructure has made these traditional security methods inadequate. Clearly, the perimeter no longer exists. Then the pandemic turned the gradual digital transition into a sudden scramble. This left many companies struggling to secure vast networks of remote employees accessing systems. Also, we’ve seen an explosion of apps,…

4 min read

SOAR, SIEM, SASE and Zero Trust: How They All Fit Together

4 min read - Cybersecurity in today’s climate is not a linear process. Organizations can’t simply implement a single tool or strategy to be protected from all threats and challenges. Instead, they must implement the right strategies and technologies for the organization’s specific needs and level of accepted risks. However, once the dive into today’s best practices and strategies begins, it’s easy to quickly become overwhelmed with SOAR, SIEM, SASE and Zero Trust —  especially since they almost all start with the letter S.…

4 min read

Contain Breaches and Gain Visibility With Microsegmentation

4 min read - Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

4 min read