Whether it’s an enterprise using an on-premises data center or migrating to the cloud, data security is a top concern. Confidential Computing (CC), as a breakthrough technology, has attracted much attention in the industry because it allows users to encrypt “in-use” data.
What is confidential computing?
Confidential computing is a breakthrough technology that encrypts data while it is being processed, that is, “in-use” data. It was born in the following context: in the past, most of the security efforts of enterprises focused on protecting data “at rest” or “in transit” through encryption, while a relatively overlooked area was the protection of data in use. As enterprises migrate to the cloud, protecting “in-use” data has become one of their biggest challenges. Against this background, “confidential computing”, which aims to protect the confidentiality and integrity of “in-use” data, has emerged.
The principle of confidential computing is to use hardware-based techniques to isolate data, specific functions, or entire applications from the operating system, the hypervisor and other privileged processes. Behind the scenes, a confidential computing environment keeps data encrypted in memory and anywhere else outside the CPU; it is decrypted only inside the processor, within what is called the Trusted Execution Environment (TEE).
A Trusted Execution Environment (TEE), the key to making confidential computing work, is a secure computing environment isolated from the untrusted environment around it, which defeats attempts to change application code or tamper with data. This is especially important in multi-tenant systems such as virtualized and public cloud systems, where data leaking between tenants is a real risk; it is this isolation, together with attestation (trusted authentication) mechanisms, that makes confidential computing possible.
TEEs are generally implemented directly in hardware, such as Intel SGX and ARM TrustZone; TEEs can also be constructed on top of virtualization technology, such as Microsoft’s VSM and Intel’s Trusty for iKGT & ACRN. In fact, an early version of the concept dates back to the TPM modules found in many PCs more than a decade ago. Unlike those TPMs, modern TEEs are built into the core of the chip itself rather than attached as external components whose interconnects could be compromised.
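The isolation and attestation mechanisms described above are easiest to see as a protocol. The following is an added example, not code from this article and not any vendor's attestation API: a small Python model of a remote attestation exchange between a TEE and a relying party. It assumes that the enclave “measurement” is a SHA-256 of the loaded code, that an HMAC with a key known only to the “hardware” stands in for the asymmetric attestation key burned into a real CPU (the verifier shares that key here purely to keep the example dependency-free), and all function names and sample values are constructed for illustration.

```python
"""Constructed model of TEE remote attestation (not SGX, SEV or any vendor API).

A relying party outside the TEE wants proof that (a) the code it approved,
and only that code, is running in (b) a genuine isolated environment, before
it hands over anything sensitive. Assumptions: the enclave measurement is a
SHA-256 of the loaded code, and an HMAC with a key known only to the
"hardware" stands in for the CPU's asymmetric attestation key.
"""
import hashlib
import hmac
import json
import secrets

# Constructed: the enclave program the relying party has reviewed and approved.
TRUSTED_ENCLAVE_CODE = b"def handle(record): return process(decrypt(record))"
EXPECTED_MEASUREMENT = hashlib.sha256(TRUSTED_ENCLAVE_CODE).hexdigest()

# Constructed stand-in for the per-CPU attestation key (never exportable in hardware).
HARDWARE_ATTESTATION_KEY = bytes.fromhex("00" * 31 + "2a")


def measure(code: bytes) -> str:
    """Measurement the hardware records when code is loaded into the TEE."""
    return hashlib.sha256(code).hexdigest()


def tee_generate_quote(loaded_code: bytes, nonce: str) -> dict:
    """TEE side: a quote binds the measurement to the verifier's fresh nonce
    and is signed with a key that only the hardware holds."""
    body = {"measurement": measure(loaded_code), "nonce": nonce}
    payload = json.dumps(body, sort_keys=True).encode()
    body["signature"] = hmac.new(HARDWARE_ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    return body


def verify_quote(quote: dict, expected_nonce: str, expected_measurement: str) -> tuple:
    """Relying-party side. The signature is checked first: every other field is
    untrusted input until the hardware signature over it is known to hold."""
    unsigned = {k: v for k, v in quote.items() if k != "signature"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    expected_sig = hmac.new(HARDWARE_ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, str(quote.get("signature", ""))):
        return False, "signature invalid: quote forged or altered in transit"
    if quote.get("nonce") != expected_nonce:
        return False, "nonce mismatch: stale or replayed quote"
    if quote.get("measurement") != expected_measurement:
        return False, "measurement mismatch: enclave code differs from the approved build"
    return True, "attested: approved code confirmed running in a genuine TEE"


def attest_genuine() -> tuple:
    """Normal exchange: challenge -> quote -> verify."""
    nonce = secrets.token_hex(16)
    return verify_quote(tee_generate_quote(TRUSTED_ENCLAVE_CODE, nonce), nonce, EXPECTED_MEASUREMENT)


def attest_tampered_code() -> tuple:
    """A privileged component altered the enclave code before it was loaded; the
    hardware honestly reports the new measurement, so the verifier rejects it."""
    nonce = secrets.token_hex(16)
    altered = TRUSTED_ENCLAVE_CODE + b"  # modified"
    return verify_quote(tee_generate_quote(altered, nonce), nonce, EXPECTED_MEASUREMENT)


def attest_replayed_quote() -> tuple:
    """An old but otherwise valid quote is presented against a new challenge."""
    old_quote = tee_generate_quote(TRUSTED_ENCLAVE_CODE, secrets.token_hex(16))
    fresh_nonce = secrets.token_hex(16)
    return verify_quote(old_quote, fresh_nonce, EXPECTED_MEASUREMENT)


def attest_forged_measurement() -> tuple:
    """The measurement field of a quote from a modified enclave is rewritten in
    transit to the approved value; the hardware signature no longer matches."""
    nonce = secrets.token_hex(16)
    quote = tee_generate_quote(TRUSTED_ENCLAVE_CODE + b"  # modified", nonce)
    quote["measurement"] = EXPECTED_MEASUREMENT
    return verify_quote(quote, nonce, EXPECTED_MEASUREMENT)


if __name__ == "__main__":
    for scenario in (attest_genuine, attest_tampered_code, attest_replayed_quote, attest_forged_measurement):
        ok, reason = scenario()
        print(f"{scenario.__name__:26s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The point a practitioner should take from the model is the set of bindings: the nonce ties the quote to this session (no replay), the measurement ties it to the approved build (no silent code change by a privileged layer), and the hardware signature ties both to a genuine TEE (no forged report). Only after all three hold should a relying party release keys or data to the enclave.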
In 2019, confidential computing was included in Gartner’s “2019 Cloud Security Technology Hype Cycle Report” for the first time; in 2020, confidential computing is still one of the 33 technologies on Gartner’s cloud security maturity curve.
Tech giants enter the game
Because it is a forward-looking technology, many technology giants have entered the game to explore and develop confidential computing in earnest.
In 2017, Microsoft added a new security feature called Azure Confidential Computing to ensure more control over how data is processed.
Azure Confidential Computing blocks operations that stem from changed or tampered code, effectively shutting down the affected TEE. The technology prevents malware, or attackers exploiting application, operating system or hypervisor vulnerabilities, from gaining access to data in use. Malicious insiders with direct system access or administrative privileges are blocked as well.
In terms of implementation, Microsoft’s confidential computing has two modes: the first is the software-based Virtual Secure Mode found in the Hyper-V virtualization components of Windows Server 2016 and Windows 10; the second is hardware-based, using the Intel Software Guard Extensions (SGX) technology built into the processors of Azure cloud servers.
Currently, Microsoft is working with other software and hardware partners to enable other types of TEEs.
Alibaba Cloud was the first cloud service provider in the Asia-Pacific region to launch SGX-based confidential computing, and the first in the world to commercialize SGX technology, so that cloud users can obtain a high level of data protection in the simplest and most convenient way.
Based on Intel SGX confidential computing technology, Alibaba Cloud gives cloud customers a trusted system runtime. Cloud developers can use the trusted execution environment provided by SGX to protect critical code and data in memory; even system components with higher privileges (including the BIOS, the virtualization layer and the operating system kernel) cannot read that code and data. This frees customers from having to trust the cloud platform itself, and the trusted execution environment on the cloud prevents their data from being stolen or tampered with.
Alibaba Cloud’s work in the field of confidential computing is more than that:
In 2017, Alibaba Cloud and Intel jointly released the chip-level SGX confidential computing technology to ensure the security of customer data on the cloud;
In April 2018, at the RSA2018 conference, Alibaba Cloud announced the official commercialization of the “Dragon Cloud” server that supports Alibaba Cloud’s confidential computing technology;
In September 2018, at the Yunqi Conference, Alibaba Cloud released FPGA confidential computing technology, extending confidential computing from processors to FPGA devices and allowing mainstream machine learning models and data-related computation to run in a trusted environment;
In September 2018, at the Yunqi Conference, Alibaba Cloud also released smart network card (SmartNIC) confidential computing technology, extending the system’s trustworthiness to the network and realizing a trusted network through the SmartNIC;
In October 2018, Alibaba Cloud launched a blockchain service platform based on SGX technology;
At the Yunqi Conference in 2019, Alibaba Cloud Intelligence and the Alibaba Cloud database team jointly released a fully encrypted database product.
At the Google Cloud Next 2020 conference, Google Cloud launched Confidential VMs. This new type of virtual machine uses Google’s encrypted computing to keep data confidential both at rest and in memory.
On the back end, Confidential VMs use AMD Secure Encrypted Virtualization (SEV) on second-generation EPYC processors to encrypt data in use. The encryption key is generated inside the CPU’s trusted execution environment and cannot be exported; not even Google can learn it.
In addition, Google said that it has launched Shielded VMs, a hardening service for virtual machines that protects systems from rootkits and other exploits.
Laying out the future
As enterprises move business data off-premises or into multi-tenant cloud computing environments, they urgently need technology that protects the integrity of customer data and protects data in use. Cloud providers are therefore launching new confidential computing instances for customers. This removes the need for organizations to run their own confidential computing systems and creates a win-win situation: the customer gets what it needs to protect its data assets, and the cloud provider supplies the necessary hardware that the customer does not necessarily own.
This new availability is driving more and more processors to include built-in confidential computing capabilities. And because cloud providers typically acquire new high-end processing power early in its availability, user communities gain access much faster than they could by acquiring the hardware themselves. Furthermore, given the availability of hardware and toolkits in the cloud, application providers can rapidly design confidential computing into their products and gain a more mature market in which to recoup their development investment.
Gartner predicts that it will take about 5 to 10 years for confidential computing to become widespread. It recommends that enterprises explore the use of confidential computing technology in the next 6-12 months, tell their major application and solution providers that they expect support for a confidential computing strategy, and require technical implementation within an agreed timeframe. After all, to gain market share and a competitive advantage, you have to be one step ahead.