March 14, 2023

By: Sachin Dubey, Principal Director, Cloud Architecture, LTIMindtree

Introduction

While adopting the cloud, a large investment bank was looking to move its critical data consisting of personal and business details of high-net-worth customers like financial details, business insights, contacts, etc. Confidential computing was the de facto platform to ensure the security and integrity of essential data, which is paramount for any business in today’s world, while almost all enterprises and individuals are prone to organize and sophisticated attacks.

Confidential cloud computing is defined by Confidential Computing Consortium (CCC), which is working towards data security hosted on the cloud. It ensures data protection by using a hardware-based TEE (Trusted Execution Environment) module, also called an enclave. By TEE, it creates a secure environment within the main processor and ensures the data and code cannot be modified by or changed by unauthorized agents or code. This is being achieved with collaboration with cloud hosting providers such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), along with hardware and software providers.

Nascent to mainstream with cloud

Expanding regulations and growing data security demands are fuelling confidential cloud computing. Key industries such as banking, financial services, insurance, healthcare, life sciences, the public sector, and manufacturing are leading the adoption of cloud-based confidential computing as it allows for data security and sharing across platforms and organizations, even if it’s sensitive or compliant. Following are the common use cases driving confidential computing while adopting the cloud:

• Core application, infra modernization on the cloud, and moving sensitive data.
• Growing use cases of Extract Transform Load (ETL) and data processing from multiple sources.
• Moving sensitive data such as Personal Identifiable Information (PII), access control, and secure keys.
• Share data for new products, Intellectual Property(IP), and innovations across enterprises.
• Need for data sovereignty and regulatory compliance across geographies.

Data security with confidential computing

Confidential computing is primarily focused on data security at all stages. It starts from creating the first Virtual Machines (VM) or container node by creating an isolated environment, applying attestation policies before the VM or container node deployment begins, and ensuring the OS and data disks are encrypted. Attestation, which is the process of confirming the trustworthiness of the source and target, uses a secure Trusted Platform Module (TPM) along with secure keys to ensure the integrity and security of the environment. All confidential computing providers use approved and certified processors for it. The certified processors are Intel SGX, AMD SEV-SNP, and NCC NVIDIA.

Confidential computing services on public cloud

While the public cloud enables the information to be available across geographies, it also allows its customers to share the data across the public cloud under a confidential computing framework and security standards as they are governed by CCC. All leading cloud providers such as AWS, Azure, and Google Cloud have adopted cloud computing and provide services for their Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) offerings. They also work closely with all the hardware vendors to add new services. Confidential computing services are broadly categorized as confidential services for securing the environment via keys, access management, confidential VMs to provide secure computing and confidential containers for restricted and secure containers in clusters, and secure storage. All these services relate to cloud-native secure networks to provide end-to-end encrypted connections.

Following are the overarching services available on the public cloud for confidential computing

1. Attestation service Attestation is the first security parameter in confidential computing while interacting with any external source in the environment or outside. The attestation or verification can be defined with security policies, and multiple methods are available to confirm the trustworthiness, such as TPMs, TEEs, Virtualization-based Security (VBS), supported APIs, and SDKs. Following are the attestation services on the cloud:
   • Microsoft Azure attestation service
   • AWS Cryptographic attestation
   • Google’s Virtual TPM-based attestation
2. Secure storage for confidential computing Security of the data at rest is as important as securing it during processing. The encrypted storage at rest prevents unauthorized data access by the user or applications without valid authorization in the form of a secure key. For confidential computing, data security applies to stateless and stateful workloads. Cloud offers encrypted ephemeral and non-ephemeral disk options to secure data:
   • Azure has enabled support for ephemeral disk, and confidential encrypted disks can be used with VMs and containers. Microsoft Azure SQL database ledger ensures database integrity and security.
   • AWS supports Transparent Data Encryption (TDE) for various SQL server versions on its Relational Database Service (RDS) platform and allows key-based encryption for Elastic Compute Cloud (EC2) disk and Simple Storage Service (S3) buckets.
   • For GCP, we can use an encrypted disk and control the access via a confidential space offering. GCP has enabled its managed Spark and Hadoop service Dataproc for confidential computing, which can be used with GCP confidential VMs.
3. Confidential VMs VM security is the base of confidential computing and ensures high security while processing the data and protects from root- and boot-level manipulation for greater security. There is no change in application code required to run the application in these confidential VMs, and all the existing workloads running on the cloud can be moved to these secured VMs:
   • Azure confidential VMs
   • GCP confidential VM
   • AWS Nitro System
4. Confidential Containers Confidential containers use the exact hardware-based security mechanism used by confidential VMs, thus ensuring all the platform-level security at all processing stages. While no code change is required to run code in confidential containers vs. regular containers, it is possible to run confidential and non-confidential containers in the same node pools. Confidential container offerings from hyperscalers are:
   • Google: Confidential GKE Nodes
   • Microsoft Azure: Confidential AKS Enclave Nodes
   • AWS: Nitro Enclaves

Confidential computing limitations

Confidential computing gives a lot of advantages when it comes to data security. However, it comes with certain limitations, such as:

1. VM and storage limitations Due to hardware-based encryption, there is a limitation in each cloud platform to create maximum enclaves per instance or storage disk. For example, Microsoft Azure allows you to create up to four individual enclaves per parent instance only and GCP lets you add a maximum of 40 persistence disks which may impact the larger and complex application performance. All the cloud providers are working on these limitations with vendors. However, checking the limitation before deploying workloads on the cloud is recommended.
2. Cyber-attacks Confidential computing provides data security at all levels. However, it does not prevent cyber-attacks, and attacks like Distributed Denial of Service (DDOS) may prevent the availability of service if not managed at the network and firewall levels.
3. Hardware tempering or code ingestion Confidential computing can be compromised if invasive access to hardware occurs, such as chip scrapping, though it is improbable due to physical security at all cloud data center providers. External code ingestion to the application can also compromise data security which can be prevented using approved confidential computing SDKs.
4. Service availability Confidential computing services such as VMs, storage disks, and containers run on specialized hardware based on trusted hardware modules. While most services are available at no extra cost, their availability to cloud regions or cloud provider data centers may be limited. This may impact the adoption due to country-specific rules and regulations for data security.

Summary

As enterprises are adopting the cloud for its comprehensive service offerings and innovation, confidential computing adoption can help transform critical data processing in the most secure and trusted way and give confidence to the stakeholders. It also offers organizations secure channels to share and collaborate without worrying about data security. Confidential computing is one of the first offerings where all the leading cloud providers are collaborating and creating common frameworks, service offerings, and hardware readiness. Every enterprise should leverage this along with the extensive cloud offerings for business advantage and faster innovation