Take Your Data Security to The Next Level: Confidential Computing

Today, some major technology companies adopt a new security model called confidential computing to protect all data types better. Confidential computing is a new method of encrypting data while running in memory. Confidential computing makes it possible to create security plugins to process encrypted data in memory, and this has become an increasing concern for vulnerabilities in the IT environment. 

Other leading cloud providers such as Google, Microsoft, and Amazon all have confidential computing products. Earlier this year, Microsoft released DCsv2 series VMs as part of its Azure confidential computing products. Last year, Amazon launched its own confidential processing product, the Nitro Enclaves, at Invent 2019, and is now available for preview. Also, Google and Microsoft are part of the Confidential Computing Partnership, dedicated to partnering with confidential computing. This shows us that confidential computing will be more important in the future.

Confidential Computing is a term defined by Consortium (Confidential Computing Consortium). This is a basic service dedicated to defining and accelerating the adoption of confidential computing. Consortium defines stealth computing, such as protecting data used by performing computations in a reliable hardware-based execution environment.

How can confidential computing help, and why do we need it?

   Confidential computing can easily switch between different environments without exposing sensitive and important data. Confidential computing is designed to protect your code and data from damage.  A hardware-based Trusted Execution Environment (TEE) can provide confidential computing, but other data protection methods are called encryption and trusted platform module (TPM).

Confidential computing helps encrypt data in memory without exposing the cloud data to the entire system. There are many approaches to protect data during transmission and transit; Protecting sensitive data while in use is confidential computing. The mission is to provide a protective layer against compromised operating systems, hostile insiders, and networks. 

Confidential computing allows for end-to-end security encryption. It protects your data during processing. Confidential computing ensures transparency and gives users confidence. It can prevent anonymous use of insiders, control network vulnerabilities, and other threats to hardware or software-based technologies.

Google Cloud 

Google Cloud has expanded its portfolio of confidential virtual machines ( VMs) at Next ’20: OnAir event, with the addition of Confidential Google Kubernetes Engine (GKE) Nodes providing encrypted platforms where users can be assured that cloud vendors or their own insiders are not exposed to their data.

To persuade organizations to put most of their computing online, Google Cloud launched the first part of its confidential computing product portfolio that provides a service that allows data to be kept encrypted while it is being processed. 

This product is called a "confidential virtual machine'' because it allows key information to be encrypted from beginning to end.  Although Google and many other cloud providers store data in encrypted form before and after processing, it is often necessary to decrypt it before executing it through an algorithm. Confidential VMs is one of the encryption options. 

Confidential Computation encrypts data used actively as it is being stored. The data remains encrypted both within the memory and outside the CPU in operation inside Confidential Processing environments. Confidential VMs now often have memory protection to keep the different workloads segregated, but the public cloud system also encrypts 'data at rest' and 'in transit.'

Additionally, Google and AMD are collaborating for confidential computing. Google Cloud leverages Secure Encrypted Virtualization (SEV) 2nd Gen AMD EPYC  processors to keep customers' data safe. To collaborate with Google Cloud AMD CPUs, Google Cloud is planning to work on other CPU vendors and support GPUs, Tpu's, and FPGAs. Confidential VMs can be used currently in different regions in Google Cloud. You can find pricing information for Confidential VMs on the Google Cloud Page. Also, when the Confidential GKE nodes available in beta, customers can register for it.

Azure

Azure Confidential Computing is designed by Microsoft to protect data processed in the cloud. Azure offers solutions that can isolate sensitive data processed in the cloud. Azure supplies DCsv2 VM series with hardware-based, stable execution environments (TEES). Cloud operators and data center managers who have physical access to servers are also unable to access TEE secure data. Azure uses Software Guard Extensions (Intel SGX) hardware, which protects data and enables the CPU to encrypt it while processing it. The operating system and supervisor cannot access it or allow any user who has physical access to the server.

AWS

Amazon Web Service (Aws)  uses the AWS Nitro Hypervisor technology to provide Nitro Enclaves that can isolate CPU and memory between EC2 instances, thereby isolating Enclaves and EC2 instances. Nitro Enclaves are currently available in preview. Nitro Enclaves are virtual machines connected to EC2 instances. They have no permanent storage space, no administrator or operator access, and only protect local connections to EC2 instances. Nitro Enclaves need to provide encryption certificates for your application, so you can be sure that only the permitted code works and is integrated with the AWS Key Management Program so that the Enclaves can only access confidential materials.