Confidential Computing: A New Approach to IT Security
The next generation of IT Security seeks to address the vulnerability of data in-use.
As computing has shifted to greater and more expansive reliance on cloud services for data storage and processing, encryption software has, for the most part, been used to protect data as it is being sent to the cloud, and once it is stored there.
However, as local computer systems have expanded to be able to process greater amounts of data, hackers have been able to take advantage by finding new ways to gain unauthorized access to business’ IT systems. They have done this by exploiting vulnerabilities in local computing systems’ data processing functions.
In response, a new approach to data security has emerged: Confidential Computing.
Digital Data: Types and Vulnerabilities
From an IT security perspective, digital data can be divided into three categories:
- Data At rest: data that is being stored on either a cloud server or local storage system, such as a computer’s hard drive.
- Data In transit: data that is being transmitted across a network, such as what happens when you send an email or credit card information to a vendor.
- Data In use: data that is being processed by a computing system.
Until recently, data security and encryption software had been focused on protecting data in the first two states: when it was being stored, and when it was in transit.
This was due to a number of factors:
- First, databases with large amounts of data “at rest” present large, attractive prizes to hackers seeking to gain access to large amounts of data.
- Second, data “in transit” was considered vulnerable because it can be more easily intercepted by hackers, if it is not encrypted with sophisticated cryptographic software. Conversely, because local computing systems in the past generally only processed relatively smaller amounts of data, “in use” data was not a major focus for encryption and protection.
As computing systems’ capacities have grown, so have the amounts and complexity of data that can be processed. Companies and individuals now have the ability – and need – to process large amounts of data, some of which can be highly sensitive – such as:
- geolocation data,
- financial data such as multiple customers’ credit card information, and much more.
And as the costs of suffering a data breach continue to grow – from the increasing fines being imposed by regulatory authorities to the loss of customer trust, and the actual costs of recouping data from hackers – the need to have robust, holistic data protection is greater than ever.
Confidential Computing: What is it?
Confidential Computing refers to the creation of hardware-based Trusted Execution Environments (TEEs) for data processing to take place on local, edge or cloud systems. TEEs essentially use security techniques to establish a protected environment for the processing of code to take place in a way that is not viewable or accessible to unauthorized actors.
The creation of a TEE is meant to ensure:
- code integrity,
- data integrity,
- and data confidentiality.
This is achieved through a number of possible implementation measures, such as authorization checks for process launches, cross-verification by another trusted user or system before launching a process (attestability) and by building recoverability systems that allow a system to be recovered back to a previous state if it is suspected that the system has been compromised.
Ultimately, Confidential Computing is an evolving, complex and holistic approach to data security that is becoming ever more important in our increasingly data-driven world.
And for anyone or any business that uses partners or third parties to process data, it is highly recommended that they verify that their partners have implemented robust confidential computing techniques in their own hardware-based computing systems.