Getting Started with Confidential Computing

Pradipta Banerjee
4 min read · Feb 17, 2023

Exploring confidential computing for your business is now much easier than before.

If you are new to confidential computing and wondering where you can use it and for what benefits, then please read on.

What do you get with Confidential Computing?

Let’s start with the fundamental question of what confidential computing can give you for your business.

As shown in the diagram below, confidential computing protects your workload from unauthorised entities — the host or hypervisor, system administrators, service providers, other VMs, and processes on the host.

(Diagram: Protections available when using Confidential Computing)

This key functionality gives you additional confidence to run your sensitive workloads in the public cloud and reap the benefits of the public cloud.

If you are convinced about the potential of confidential computing and want to understand more about the technology and the typical use cases, please continue reading.

Confidential Computing Primer

Confidential computing protects data in use, completing the data security triad — securing data at rest, in-transit, and in-use.

(Diagram: Data Security Triad)

Any description of confidential computing is incomplete without mentioning Trusted Execution Environments (TEE). TEEs are secure and isolated environments that prevent unauthorised access or modification of applications and data while in use.

In simple words, you can think of confidential computing as a means of creating a specific location (a TEE) in memory, where anything inside this location is inaccessible to entities outside it.

TEEs assure data integrity, data confidentiality, and code integrity.

Let’s understand these terms in brief:

Data confidentiality — prevents unauthorised entities from viewing the data while it is in use within the TEE.

Data integrity — prevents unauthorised entities from altering the data while it is in use within the TEE.

Code integrity — prevents unauthorised entities from modifying or replacing the code in the TEE.

Together, these attributes assure that your code and data are kept confidential from unauthorised entities.

If you are interested in learning more about the technical definitions and properties of confidential computing, the following resource from the Confidential Computing Consortium is a good read.

Let’s now take a look at some of the typical use cases.

What are some of the typical Confidential Computing use cases?

These are some of the use cases I’m seeing across the industry.

Cloud Key Management Services (KMS)

Improve application security on the public cloud and prevent data compromise from malicious actors.

Scalable replacement for dedicated Hardware Security Modules (HSMs)

Sharing sensitive data with third parties for analytics and other multi-party computing usages.

Smart Contracts and Blockchain

Secure data during AI/ML modelling.

Secure the intellectual property and data generated or utilised in edge and IoT devices from malicious elements.

If some of these use cases excite you and you are wondering how to get started, then the following section should be a good start.

How to get started with Confidential Computing?

An important aspect to consider is the impact of confidential computing technology on the application design, especially whether you need to make any changes to existing applications or whether lift-and-shift is an option.

I’ll go into the details in a follow-on article. Still, I want to underscore that there is a considerable emphasis in the confidential computing community on providing a lift-and-shift capability for existing applications and making the adoption easier.

These resources will help you start with confidential computing in the public cloud.

Azure — Azure has a comprehensive set of offerings covering VMs, containers, HSMs, etc.

You can get started with either confidential VM or confidential containers.

AWS — AWS offers Nitro instances with memory encryption for protection from cloud operators, as well as Nitro Enclaves.

You can get started by following this tutorial.

Google Cloud — Google provides standalone confidential VMs as well as confidential Kubernetes nodes.

You can get started by following this tutorial.

IBM Cloud — IBM Cloud also has a good set of offerings in this space.

You can get started by following this tutorial.

Independent Software Vendors — The following link gives a snapshot of some of the independent software vendors providing confidential computing solutions.
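Whichever provider you start with, a sensible first step after creating a confidential VM is to confirm from inside the guest that a TEE is actually active, rather than taking the portal's label for it. The script below is an added example written for this post; it is not code from the article or from any of the providers listed above. It assumes two things you should verify against your own kernel version: that the Linux kernel logs a line containing "Memory Encryption Features active:" followed by the active features (e.g. "AMD SEV SEV-ES SEV-SNP" or "Intel TDX"), and that an SEV-SNP guest exposes the device node /dev/sev-guest while a TDX guest exposes /dev/tdx_guest. The log it classifies when run without arguments is a constructed sample, not a capture from a real system.

```shell
#!/bin/sh
# Added example (not from the article): first-pass check of whether a Linux
# guest is running inside a hardware TEE (AMD SEV / SEV-ES / SEV-SNP or
# Intel TDX), using two signals the kernel exposes.
#
# Assumptions (verify against your kernel version):
#  - at boot the kernel logs a line containing "Memory Encryption Features active:"
#    followed by the active features, e.g. "AMD SEV SEV-ES SEV-SNP" or "Intel TDX";
#  - an SEV-SNP guest exposes the attestation device /dev/sev-guest and a TDX
#    guest exposes /dev/tdx_guest.

# Classify the TEE type from kernel log text read on stdin.
# Prints exactly one of: sev-snp, sev-es, sev, tdx, none.
# The most specific feature is matched first, because an SEV-SNP guest's
# line also contains "SEV" and "SEV-ES".
tee_from_bootlog() {
    line=$(grep 'Memory Encryption Features active:' | head -n 1)
    case "$line" in
        *"SEV-SNP"*)   echo sev-snp ;;
        *"SEV-ES"*)    echo sev-es ;;
        *" SEV"*)      echo sev ;;
        *"Intel TDX"*) echo tdx ;;
        *)             echo none ;;
    esac
}

# Look for a guest attestation device node. $1 is an optional root prefix so
# the check can be pointed at a constructed directory tree instead of the
# live /dev. Prints the device path found, or "none".
attestation_device() {
    root=${1:-}
    for dev in /dev/sev-guest /dev/tdx_guest; do
        if [ -e "$root$dev" ]; then
            echo "$dev"
            return 0
        fi
    done
    echo none
}

# Run both checks on the running guest (reading dmesg may require root).
# Exit status is 0 only when a TEE was detected from the boot log.
check_guest() {
    tee=$(dmesg 2>/dev/null | tee_from_bootlog)
    dev=$(attestation_device)
    echo "tee=$tee attestation_device=$dev"
    [ "$tee" != none ]
}

# Constructed sample of what an SEV-SNP guest logs (not captured from a real system).
SAMPLE_SNP_LOG='[    0.000000] Linux version 6.5.0 (constructed sample)
[    0.123456] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP'

# Usage: "sh tee-check.sh --check" inside a guest runs the live checks;
# with no arguments the script classifies the constructed sample instead.
if [ "${1:-}" = "--check" ]; then
    check_guest
else
    printf '%s\n' "$SAMPLE_SNP_LOG" | tee_from_bootlog
fi
```

Treat a positive result as a sanity check only: it tells you the guest kernel believes memory encryption is on, which is the property the diagram at the top of this article promises, but the guarantee that the host cannot tamper with the workload ultimately rests on the hardware and on verifying the attestation evidence those device nodes produce, which is beyond the scope of this introduction.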

I hope this gives you enough information to start exploring. Please reach out with any questions or if you need any help with getting started.

Note: This article was first published here.
