Some of you must have heard of “confidential computing,” also called “secret computing,” before. In layman’s terms, it is about processing data while it remains encrypted, to ensure its privacy and secrecy.
We have all heard of or worked with encryption. Encrypting data “at rest” and “in transit” has become well known with the rise of cloud technology. Many enterprises were, and still are, concerned about migrating to the cloud because of the security of their data there. Firms that hold a lot of client data are heavily regulated and need to make sure the right controls are in place before using public or private clouds.
Encryption at rest and in transit was no longer enough once the risk of data being exposed while it is processed was recognized. That exposure raises the risk of migrating to the cloud. But before it could slow down cloud adoption, the major hardware companies and cloud providers came up with a way to secure data while it is being processed. In 2019, the Linux Foundation established the Confidential Computing Consortium (CCC) with the mission to “improve security for data in use”; it has 40 members, including Microsoft, Amazon, IBM, Intel, Red Hat, Oracle, Google, etc. Specialized hardware with a “Secure Enclave”, also known as a “Trusted Execution Environment” (TEE), came into existence to solve the problem.
A Secure Enclave is a part of the physical CPU on a server whose memory is encrypted and which is isolated from the OS, hypervisors, etc. It protects data in use because data is decrypted on the fly and processed only within that specific part of the CPU, and the decryption key is not known by anyone. Think of it as a mini computing area within your physical server.
Hardware providers like Intel and AMD have Secure Enclaves built in these days, and cloud providers like AWS, Azure, and Google include them in their offerings. There are also other providers who specialize in such solutions, like Decentriq, Anjuna, etc.
You might ask whether you need it. Yes, you need it if you face any of these risks: your disk being stolen, unauthorized access to your data in the cloud by an admin or SRE with valid credentials, exposure of data to database admins, or unauthorized API access. These are some of the everyday use cases we come across, apart from the sharing of hardware in the cloud.
Share your thoughts or use cases and experiences.