What is Confidential Computing?
Confidential computing refers to cloud computing technology that can isolate data within a protected central processing unit (CPU) while it is being processed. The contents of this protected environment include the data being processed and the techniques used to process it; these contents are accessible only to authorized programming code, and are invisible to and unknowable to anything or anyone else, including the cloud provider.1
Before an application can process data, it has to go through decryption in memory. Before, during, and right after the data has been processed, the data is left unencrypted and exposed. The exposed data is then vulnerable to threats such as memory dump attacks, which involve capturing and using random access memory (RAM) placed on a storage drive in the event of an unrecoverable error2. Confidential computing addresses this vulnerability by using hardware-based architecture referred to as a trusted execution environment (TEE). TEE is a secure co-processor inside of a CPU, and embedded encryption keys are used to access it. TEEs are only accessible to the application code authorized for it, and the co-processor uses embedded attestation mechanisms to ensure unauthorized access attempts are denied. When the application receives an authorized request for TEE to decrypt the data, the data is released for processing- a process that is invisible to everything and anyone else, including other cloud resources, hypervisors, cloud providers, virtual machines, and even the OS.
Some benefits of cloud computing include:
Protecting sensitive data. With confidential computing, data can be encrypted while at rest and while it is in transit. This removes the largest barrier preventing organizations from moving to cloud computing- ensuring that sensitive and highly regulated data and application workloads could be moved securely to a modern and flexible public cloud platform.
Protecting sensitive intellectual property. The TEE infrastructure can not only guard sensitive data, but can also protect logic processes, machine learning processes, and the inner workings of applications.
Eliminating concerns about cloud providers. Confidential computing allows organizations to select cloud providers without concerns about storing and processing customer data, sensitive assets, and proprietary technology, as well as competitive concerns.
Collaborating securely with partners. Confidential computing allows companies to combine sensitive data, calculations, and processes without revealing any sensitive data or intellectual property that it doesn’t want to share. This makes it possible for teams from different organizations to collaborate to solve mutual problems without making unnecessary sacrifices.
Protecting data processed at the edge. IBM describes edge computing as a, “distributed computing framework that brings enterprise applications closer to data sources such as IoT devices or local edge servers.” With confidential computing, data and applications at the edge nodes can be protected, when used as part of distributed cloud patterns.
1 IBM, 2023, “What is confidential computing?”
2 Fortinet, 2023, “What is confidential computing?”