Computer Confidential

As digital business moves across traditional boundaries, into the cloud and the edge, companies need to ensure that their data remains secure at all stages of its lifecycle.

One initiative to ensure this happens is the Confidential Computing Consortium, launched August 2019, which aims to define and accelerate the adoption of confidential computing. Members include Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Linux, Microsoft, Red Hat, Swisscom and Tencent.

The consortium notes that while much attention has been given to securing data at rest and in transit, the next frontier is securing data in use. It says confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system, thereby reducing the exposure of sensitive data and giving users greater control and transparency.

“The Confidential Computing Consortium is a leading indicator of what’s to come for security in computing and will help define and build open technologies to support this trust infrastructure for data in use.”

– Jim Zemlin, executive director at The Linux Foundation

As part of the initiative:

  • Intel will make available its Software Guard Extensions (Intel SGX) Software Development Kit, which is designed to help application developers protect selected code and data from disclosure or modification at the hardware layer using protected enclaves.
  • Microsoft will provide the Open Enclave SDK, an open source framework that allows developers to build Trusted Execution Environment (TEE) applications using a single enclaving abstraction, so that an application can be built once and run across multiple TEE architectures.
  • Red Hat will contribute Enarx, a project providing hardware independence for securing applications using TEEs.

Announcing his company’s involvement in the project, Arm’s Richard Grisenthwaite said: “Arm’s vision for the next-generation infrastructure requires complete edge-to-cloud security for protecting and managing the data across a trillion connected devices…we see our participation and the new Open Enclave SDK as a critical collaboration with the rest of the industry in making TEEs easy to deploy.”

IBM’s Todd Moore said: “One of the emerging areas of interest to our IBM Cloud and Systems clients is Trusted Execution Environments (TEEs). Combined with new open software projects like Enarx and OpenEnclave SDK, they hold the promise of making future workloads as secure as possible in the next chapter of cloud.”

The sole telecoms representative – thus far – is Swisscom. Its CTO, Christoph Aeschlimann, explained that his company sees improving trust as vital to the adoption of technologies such as 5G, critical IoT and cloud applications.

There are still questions that we all have to ask, though:

  • It’s not who’s in the gang, but who’s not. The top four worldwide brands may have physical products, but their value rests heavily on the data they process about citizens. While Google and Microsoft are founding members of the consortium, notable by their absence are Apple, Amazon and a small data company called Facebook. The major B2B telcos that have cloud computing firmly within their strategic operations are also notable by their absence, as their clients’ needs should be voiced and should drive the vendor community forward.
  • The consortium neatly skims over the security of data in use and in storage, appearing to reflect, incorrectly, that this has been mastered. Although the data-in-use challenge will address many of the new artificial intelligence and advanced computing processes, such as machine and deep learning, that could disrupt or introduce bias into data processing, the majority of data concerns are still about the hacking of data whilst in use or whilst being stored.

The odds of experiencing a data breach have grown by 7 percent over the last 6 years[1] (2014: 22.6%, 2019: 29.6%), and 2019 has already seen approximately 4 billion records lost through data breaches[2]. Cloud providers therefore need to engage with these types of vendor consortia, along with government organisations such as the NCSC, which have been helping organisations treat the evolution of data security as a data lifecycle process, addressing each stage from secure coding and data creation through to [secure] deletion.

[1] Cost of a Data Breach Report, IBM Security/Ponemon Institute

[2] SelfKey – All Data Breaches in 2019 – An Alarming Timeline