Confidential data processing – the next frontier in security

Confidential computing is an exciting and relatively new technology that adds another level to information security. Until now, data could only be encrypted at rest or during transit, but this hardware-based technology makes it possible to encrypt data while it is being processed.

“Confidential computing is a technique for securing data while in use, by creating secure spaces that users, rather than administrators, control,” said Martin O’Reilly, director of research engineering at the Alan Turing Institute. “The idea is to create a trusted execution environment (TEE) or secure enclave where data is only available to a specific application or user and only when the data is being processed.”

The concept is only now beginning to be recognized in the industry, promoted by a community of hardware vendors, cloud providers and software developers known as the Confidential Computing Consortium (CCC). A project community at the Linux Foundation, it is focused on accelerating the adoption of TEE technologies and standards.

Improving cloud security

As it stands, the CCC can have quite an easy time promoting confidential data processing, because the technology is driven by the need for end-to-end encryption and the growth of cloud computing. In particular, TEEs are being touted as the next step for hybrid cloud environments that restrict access control to the data owner rather than the hosting provider.

“We are still in the early days of adoption, but this may become one of the common security platforms for cloud computing. There is an urgent need to secure data when processed in cloud environments,” said Kevin Curran, senior member of the IEEE and Professor of Cyber Security at Ulster University.

Confidential computing’s 360-degree protection enables data to be processed within a limited part of the computing environment, enabling organizations to reduce exposure to sensitive data while providing greater control and transparency, and even enabling businesses to share data for shared processing securely. This represents a significant change, says O’Reilly, pointing out that the ability to create secure spaces where the user controls who has access to the data effectively replicates the trust that companies can have in their own IT departments.

However, he notes that the benefits should be weighed against the complexities associated with setting up and managing these technologies.

“The lack of universal accessibility and the extra complexity of securing enclaves means that these entail an additional cost compared to other, currently conventional security measures, including those operated by cloud providers, which may be sufficient for those security objectives,” he notes.

Which sectors can benefit from confidential data processing?

Confidential data processing is of particular interest to sectors that handle sensitive personal, commercial or government data.

Early users include the healthcare, research and government sectors, with the financial sector leading the way, says Dave Thaler, chairman of CCC’s Technical Advisory Board and Microsoft software architect. “Take the chip and pin system used in credit and debit cards – the chips used there are confidential computer environments,” he points out.

DIA (Decentralized Information Asset) is an example of an early adopter – it recently implemented confidential data processing in its open source financial information platform to serve customers from more regulated industries that require a much higher level of security throughout the technology stack.

“Our solution is fairly tamper-proof, but there was a vulnerability because the computation on a cloud or on-site meant that there were potential attack vectors. We solved this with an IBM-confidential cloud solution that ensures that the computer cannot be tampered with by any third party, including the cloud provider. It is a fundamental improvement of our product,” says Paul Claudius, co-founder and association member of DIA.

Should your company look at confidential data processing?

All companies dealing with data they need to secure should start looking at confidential data processing within their security strategies, says Dr. Alan Warr, Consultant Specialist Group Chair at BCS, The Chartered Institute for IT. “They need to start working on how it applies to them, at least to ensure that they do not have to be an early adopter and risk being disadvantaged if they move too slowly.

“For many, this will cause them to build this into their strategies, which are likely to involve research and early evidence of concepts at this stage. For the minority, it can be a valuable, or even essential, strategy to take an early lead in adoption,” he remarks.

It’s also an opportunity to get more out of the data you have, points out David Greene, head of CCC’s Outreach Committee and head of sales and marketing at Fortanix.

“When I talk to customers, I ask them what data they have that they think has useful information that they have not been able to extract because the data must remain so secure. If we think of data as the new gold, this can be a good motivation to think about what companies could do.”

Omnipresent in 2031

Warr speculates that confidential data processing may become ubiquitous over time, just as encryption of data at rest has. “We may find that over the next 10 years, IT professionals and end users will increasingly use confidential data processing,” he says.

Greene – and the broader CCC – agree with this view. “A few years ago, secure internet communication, HTTPS, was something of a big deal. Now it’s everywhere. Same with SSL, first we focused on credit card transactions and said at one point, why not secure everything?

“CCC’s view is that confidential data processing has the same potential. We have the infrastructure and the tools, ultimately there will be no reason not to protect data in this way.”
