31 Dec Protecting public cloud and edge data with confidential com…
This article is part of the Technology Insight series, made possible with funding from Intel.
Using the public cloud and edge is like swimming in the ocean. They’re vast resources filled with potential – and peril. Without proper precautions, even experts can be attacked and drown.
Despite these dangers, organizations increasingly rely on both to integrate multiple data sources for analytics. One big draw: seemingly bottomless trenches of data to help develop and train machine learning systems.
Old challenge, new twist
While placing and processing intellectual property on shared servers is fraught, experts say the risk can and must be managed. Many CISOs, CSOs, and CIOs struggle to defend against more sophisticated cross-cloud orchestration and cross-tenant attacks, among others. It’s a modern variation of a familiar challenge: balancing security and privacy with usability.
Achieving that balance is the aim of a new cross-industry effort, the Confidential Computing Consortium.
- Greater reliance on public clouds and edge for analytics and AI is driving the need for new, stronger security.
- The new Linux Foundation Confidential Computing Consortium is working to devise secure computing enclaves for in-use data.
- Microsoft, Google, Red Hat, and Intel are building confidential computing compatibility and tools.
Founded in 2019, the collaboration operates within The Linux Foundation. Its mission is defining and promoting adoption of confidential computing, which protects sensitive data within system memory, a new favored target for attackers. Backers include industry heavyweights Alibaba, ARM, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, and Tencent.
The Confidential Computing Consortium “will bring together hardware vendors, cloud providers, developers, open source experts and academics to accelerate the confidential computing market; influence technical and regulatory standards; and build open source tools that provide the right environment for TEE development.” The organization will also anchor industry outreach and education initiatives.
Key projects include:
- Intel Software Guard Extensions (Intel SGX) Software Development Kit, designed to help application developers protect select code and data from disclosure or modification at the hardware layer using protected enclaves.
- Microsoft Open Enclave SDK, an open source framework that allows developers to build Trusted Execution Environment (TEE) applications using a single enclave abstraction. Developers can build applications once that run across multiple TEE architectures.
- Red Hat Enarx, a project providing hardware independence for securing applications using TEEs.
New battleground: Data in use
Supporters say confidential computing helps keep data useful without sacrificing privacy.
Consider genomics, where researchers must process genome databases of well over 1TB. That data likely arrives encrypted, containing DNA information and the patient’s personal data. If the analytics application runs in a secure enclave, data can be decrypted safely. Personal metadata remains unviewable, even as needed data is processed.
Similar treatment might be given to stock trading data, banking transactions, blockchain transactions (as opposed to group validation), and healthcare information. Any data in which privacy must be maintained during aggregation can benefit.
According to proponents, confidential computing offers great promise for safely running applications on public clouds and on the edge.
With as-a-service options for applications and infrastructure continuing to gain popularity, more organizations need to protect more public data and intellectual property. Confidential computing lets untrusted third parties collaborate with data without providing visibility into it. Proponents say that could enable much broader and deeper partnerships between companies and institutions worldwide.
No place for data to hide
Why this effort now? The short answer: Current measures need to evolve for a cloud-converged world.
Developers have worked for decades to make applications, operating systems, and other software more secure. Yet many consumer platforms remain vulnerable, as are corporate data centers and servers. No matter how secure the application, data can still land in inquiring hands.
Consider how, in 2018, the U.S. enacted the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It required U.S. data providers to preserve and provide any data subpoenaed by U.S. courts, even if that data is located abroad. The law works both ways; providers like Google and Microsoft must detail how they adhere to treaties that provide user data to governments outside the United States. Yet subpoenas aside, rogue administrators can still expose confidential data.
The cheat goes on.
It’s hardly news that the public cloud remains beset with predators hungry for data at rest, in motion, and in use. Yahoo suffered major security breaches in 2013 and 2014, with more than one billion user records stolen. Apple’s iCloud hack exposed private celebrity files to public scrutiny in 2014. And of course, Cambridge Analytica illicitly scraped more than 80 million Facebook profiles prior to the 2016 election without users’ consent.
More recently, F5 Networks noted a 40% uptick in attacks, including campaigns against vBulletin servers and Oracle WebLogic servers. Threats to supervisory control and data acquisition (SCADA) systems in industrial settings and exploits of Internet of Things (IoT) devices are also rising, the firm says.
Hardware locks the castle
Consensus is growing that software alone cannot handle the growing complexity of these modern demands. The thinking is this: If hardware is the ground under the server’s castle, security-hardened hardware presents attackers with tunnel-proof bedrock.
Hardware-based security also lets silicon-level accelerators take over work the CPU would otherwise have to shoulder in software, improving system efficiency.
The industry has worked to enable hardware-based security for many years. The Trusted Computing…