Using the public cloud and edge is like swimming in the ocean. They’re vast resources filled with potential – and peril. Without proper precautions, even experts can be attacked and drown.
Despite these dangers, organizations increasingly rely on both to integrate multiple data sources for analytics. One big draw: seemingly bottomless trenches of data to help develop and train machine learning systems.
While placing and processing intellectual property on shared servers is fraught, experts say the risk can and must be managed. Many CISOs, CSOs, and CIOs struggle to defend against more sophisticated cross-cloud orchestration and cross-tenant attacks, among others. It’s a modern variation of a familiar challenge: balancing security and privacy with usability.
Achieving that balance is the aim of a new cross-industry effort, the Confidential Computing Consortium.
Founded in 2019, the collaboration operates within The Linux Foundation. Its mission is defining and promoting adoption of confidential computing, which protects sensitive data within system memory, a new favored target for attackers. Backers include industry heavyweights Alibaba, ARM, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, and Tencent.
The Confidential Computing Consortium “will bring together hardware vendors, cloud providers, developers, open source experts and academics to accelerate the confidential computing market; influence technical and regulatory standards; and build open source tools that provide the right environment for TEE development.” The organization will also anchor industry outreach and education initiatives.
Intel and Microsoft got the Confidential Computing Consortium off to a solid start, the former with the donation of SGX and the latter with the contribution of its Open Enclave SDK.
Supporters say confidential computing helps keep data useful without sacrificing privacy.
Consider genomics, where researchers must process genome databases of well over 1TB. That data likely arrives encrypted, containing DNA information and the patient’s personal data. If the analytics application runs in a secure enclave, data can be decrypted safely. Personal metadata remains unviewable, even as needed data is processed.
Similar treatment might be given to stock trading data, banking transactions, blockchain transactions (as opposed to group validation), and healthcare information. Any data in which privacy must be maintained during aggregation can benefit.
According to proponents, confidential computing offers great promise for safely running applications on public clouds and on the edge.
With as-a-service options for applications and infrastructure continuing to gain popularity, more organizations need to protect more public data and intellectual property. Confidential computing lets untrusted third parties collaborate with data without providing visibility into it. Proponents say that could enable much broader and deeper partnerships between companies and institutions worldwide.
Why this effort now? The short answer: Current measures need evolving for a cloud-converged world.
Developers have worked for decades to make applications, operating systems, and other software more secure. Yet many consumer platforms remain vulnerable, as are corporate data centers and servers. No matter how secure the application, data can still land in inquiring hands.
Consider how, in 2018, the U.S. enacted the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It required U.S. data providers to preserve and provide any data subpoenaed by U.S. courts, even if that data is located abroad. The law works both ways; providers like Google and Microsoft must detail how they adhere to treaties that provide user data to governments outside the United States. Yet subpoenas aside, rogue administrators can still expose confidential data.
It’s hardly news that the public cloud remains beset with predators hungry for data at rest, in motion, and in use.
