While robust measures are available to businesses wanting to protect their most sensitive data assets, there are still circumstances in which those assets can be left exposed. Full data confidentiality depends on keeping information from prying eyes in all three of its states — at rest, in transit and in use. This article explains how confidential computing is an exciting new technology with great promise in strengthening data security while the data is in use.
As organizations increasingly look to adopt cloud services, some IT decision-makers remain concerned about the prospect of entrusting sensitive data to a third-party service provider’s systems. It’s for this reason that data privacy and confidentiality are still primary cloud security concerns well over a decade after cloud computing adoption became mainstream.
Well-established and functional encryption methods, such as Transport Layer Security (TLS), help protect data in transit as it moves between the public cloud/virtual machines and user devices/workstations over the internet. For sensitive data at rest in the cloud, there are several approaches to encryption that offer differing degrees of control to businesses, ranging from letting the cloud provider encrypt your data and managing keys for you to generating your own keys and never passing those keys to the cloud vendor.
One critical data privacy flaw that can emerge in cloud applications is that data in use needs to be decrypted just before, during and straight after processing. The middle ground option for preserving data privacy at rest that many businesses opt for is called bring your own key (BYOK). This option lets organizations create and manage their own encryption keys while still passing those keys to the cloud vendor for when data needs to be decrypted during use.
The catch-22 here is that in order to make full use of cloud services (e.g., analytics, indexing, collaboration tools, content sharing) decryption needs to happen for the data to be processed. But this very decryption goes against the general business aim to protect sensitive data assets from unauthorized access at all times. So, is there a more secure option?
Confidential computing is a technological paradigm shift that encrypts sensitive data while it’s being processed in memory instead of leaving it temporarily unencrypted. In recognition of the security gaps for data in use in virtualized cloud systems, a consortium of leading hardware vendors and cloud providers formed the Confidential Computing Consortium (CCC) with the aim of securing data in use. Members of the consortium include Google, Microsoft, Cisco and Nvidia.
Confidential computing protects data in use by performing computation in a hardware-based Trusted Execution Environment (TEE). The technology works by isolating sensitive data in a secure CPU enclave during processing so that it remains unseen by the cloud provider or any other party. In other words, confidential computing protects against unauthorized access to data in use, which is great news for any organization handling sensitive data, whether it’s intellectual property or highly regulated information.
Threats against data in use is not some theoretical idea. Infamously, retailer Target was hit by memory-scraping malware that stole credit card information from the RAM memory of POS systems at the moment of data processing, just as cards were swiped. Additionally, threat actors managing to bypass cloud access controls and take over an account can potentially access data in use. Insider threats are also a concern.
Data confidentiality, data integrity and code integrity are maintained with confidential computing by providing security at the lowest levels of hardware. All of this means that no longer is sensitive data in use potentially exposed to other applications, hypervisors, operating systems or cloud service providers.
Some leading cloud vendors now have offerings focused on confidential computing, so it’s possible to start benefitting now from this breakthrough technology. Here is a brief overview of some key benefits you can expect from confidential computing.
Better Protect IP and Sensitive Data
Let’s start with the obvious but nonetheless important and primary benefit: confidential computing strengthens the protection of an organization’s most sensitive data assets. Intellectual property, trade secrets, contracts and personal consumer/user data are all secured against unauthorized access during processing. This enhanced protection for sensitive data can offer reputational and competitive advantages versus businesses that don’t go to this length.
Improved Regulatory Compliance
An increasing number of data privacy regulations look to protect consumers in the event that their sensitive data is breached (e.g., CCPA). With the cost of a data breach reaching $4.24 million, it makes sense to cover all potential attack surfaces for the three states of data, not just while it’s at rest or in motion, if you want to avoid data breaches. Confidential computing improves regulatory compliance, especially while using cloud computing infrastructure.
Make Full Use of Cloud Capabilities
In the catch-22 dilemma referred to previously, some organizations opt to prioritize security and never share their encryption keys with cloud vendors. This decision, often forced by either internal policy or regulatory compliance, comes at the detriment of not being able to make full use of cloud services because encryption is required for those cloud applications to properly function. Confidential computing provides the desired levels of data confidentiality in the cloud while still allowing organizations to make full use of cloud capabilities, such as Big Data processing, advanced analytics or running cloud-native apps.
Securely Innovate Through Collaboration
Necessary data silos often act as a barrier to innovating through collaborative multi-party computing. Distributed cloud computing facilitates data sharing and analytics between multiple organizations, but the need to protect sensitive information from other parties discourages this type of data sharing and analytics from happening.
With confidential computing, several organizations can combine datasets for analytics without worrying about potential exposure while in use. The use cases are exciting here, ranging from financial institutions sharing data to detect fraud to healthcare organizations combining medical data for better diagnostics or even developing new treatments for illnesses.
While confidential computing promises a revolution in sensitive data security, don’t forget that most attacks and breaches still happen on endpoints. No matter how many endpoint devices are connected to your network, you need continuous monitoring and real-time protection against threats that target them.
Contact us today to learn about our endpoint detection and response capabilities.