Confidential computing: A game-changing way to protect data in use

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Steve Orrin
 

Connecting state and local government leaders

By Steve Orrin

|

The technology enables agencies to build enclave-based applications to protect data in use that meets government security and compliance requirements.

We all have heard Newton’s first law of motion, which is often simplified as “an object at rest stays at rest; an object in motion stays in motion.”

But what about data at rest and in motion? And what about data in use?

A primary means of protecting sensitive data is encryption. Encryption applies algorithms to scramble data so that it’s readable only by someone who holds the key to decrypt it. The high-tech industry continues to make advances in encryption that protects data at rest -- information stored on a disk drive, say -- and data in motion -- information transferred across a network.

Then there’s data in use. How can data be encrypted while it’s being analyzed in computer memory? That’s the goal of confidential computing, an emerging industry initiative to protect data in use -- at scale and in the cloud.

Building on industry innovations

Confidential computing is enabled by hardware technology that reserves a section of a CPU as a secure enclave. It encrypts the memory in the enclave with an encryption key unique to the CPU and the application.

An agency can use such an approach to protect highly sensitive data and application code placed in the enclave. That data can be decrypted only within that enclave on that CPU. As a result, the data remains protected while it’s in use -- for instance, when users are conducting analytics on a database. Even if attackers gained root access to the system, they wouldn’t be able to read the data.

The technology includes an attestation feature so that an organizaton can confirm to third parties that the data resides in an enclave. An agency that handles health data, for example, could assure health care providers that information they submit will remain protected.

Earlier generations of this technology limited the enclave size. But with the latest generation of computer processors, a server could have up to 1 TB of enclave memory. That enables agencies to place an entire application, database or transaction server inside the enclave.

Protecting cloud data with confidence

This new capability can transform the way agencies approach security in the cloud. With traditional cloud computing, users must implicitly trust the cloud provider. The cloud provider might make every assurance that it will protect the data at rest, and the agency might take every precaution to protect the data in motion. Ultimately, though, agencies have to simply hope their data will remain secure while it’s in use.

But with confidential computing, agencies can be confident their data in use is protected. This is a game-changer, especially for federal agencies, which are highly regulated. Now they can protect in-use data even when it’s being hosted by a cloud provider. As a result, the data can remain safe throughout its entire lifecycle – at rest, in motion and in use.

Bringing confidential computing to government

Leading hardware makers are partnering with top cloud providers to bring confidential computing to federal organizations. Agencies will be able to select cloud services built on virtual machines that leverage the right hardware technology to protect data in use. Attestation features can verify the security posture of those VMs.

Confidential computing VMs are already in preview for federal, state and local governments and their partners in the various U.S. cloud regions. This technology enables agencies to build enclave-based applications to protect data in use in a dedicated cloud that meets government security and compliance requirements.

Of course, federal agencies often manage clouds in classified, air-gapped environments not connected to the internet. For those situations, hardware and cloud providers have partnered to develop tools that enable confidential-computing provisioning, updates and attestation without the need for an internet connection.

Benefiting industry and government

Industry is coming together to address a range of cloud security issues through the Confidential Computing Consortium. A project of the nonprofit Linux Foundation, the CCC is an open-source community dedicated to defining and driving the adoption of confidential computing.

Confidential computing will deliver advantages to the high-tech industry and public sector alike.

  • Benefits for the industry: Because it reduces the “trust base” for data in use to only the CPU, confidential computing significantly decreases the risk to applications and data in the enclave. Cloud providers, software-as-a-service providers, application developers and anyone else creating applications for environments where security is a top concern will embrace confidential computing.
  • Benefits for government: Confidential computing gives any organization in a regulated environment -- and, really, any enterprise that transacts on data that includes personal identifiable information -- the ability to protect data in use. It allows organizations to work with data in the cloud without having to include the cloud provider as part of the trust base it needs to secure.

Cyber vulnerabilities will always exist. Cyberattacks will still make headlines. But with confidential computing, agencies can protect data throughout its lifecycle -- at rest, in motion and in use.

NEXT STORY: How the cloud eased VA’s COVID pains

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.