What is Confidential Computing? | Data Security in Cloud Computing | Anjuna

Published on
May 18, 2022
Confidential Computing uses secure enclaves to create a trusted execution environment (TEE) for data security, cloud computing security, and cloud infrastructure security.
https://www.anjuna.io/blog/what-is-confidential-computing

What is Confidential Computing?

Confidential Computing is an approach that uses secure enclave technology to enable the creation of a trusted execution environment (TEE) based on security features provided by CPU vendors. A TEE allows for encryption/decryption within the CPUs, memory and data isolation, and other security features that vary by CPU vendor. Secure enclave technologies form the foundation for Confidential Computing.

Hardware-Grade Privacy on the Cloud and Beyond

The risk of data compromise is massive and persistent. It menaces the trust, the integrity, and the viability of the cloud itself. Computer science has already tackled and overcome the problem of encrypting data at rest in storage and data in transit across the network. But the Gordian Knot remained: how to protect data and code that are actually in use in memory—this goal seemed to be limited by conventional computing architecture itself. Efforts to hide data using software encryption failed. Computing hardware requires encryption keys to be decrypted and exposed in memory before use, leaving them vulnerable to hackers or insiders. 

In response, Confidential Computing innovated an unprecedented, hardware-grade, architectural approach to security through secure enclaves (often used interchangeably with TEEs). Confidential Computing focuses on securing data in use—specifically, by securing memory—to eliminate data’s fatal flaw when unencrypted while being processed.

Eliminating Risk: Building in Data Security and Privacy by Default

As long as data in use lay exposed, sensitive Personally Identifiable Information (PII), financial or health information remained at risk in the cloud. Security entities have struggled to neutralize cyberthreats, but this whack-a-mole game often loses to breach and exfiltration of high-value information. The need is for unmodified workloads—applications and data system memory—to be capable of running anywhere, in any environment, in total isolation from inside and outside attacks. 

Now, Confidential Computing solves this problem of isolating data and execution within a secure space. Using a section of the CPU as a sanctuary or enclave creates a Trusted Execution Environment (TEE). A secure enclave is a memory and CPU-only environment that is isolated from and invisible to all other users and processes on a given host. Within a secure enclave, code can reference only itself.

Secure Enclaves: A Major Advance but Complex to Deploy

Implementing secure enclaves is both complex and costly, requiring the re-architecting of each application. An enclave demands the hands-on participation of engineers and specialists, which raises operating expenses to impractical heights. Each chip and cloud provider created its own enclave solution: Intel SGX, Azure, AMD SEV, AWS Nitro Enclaves, and Google VM. But these efforts, however worthy, created a dizzying field of choices for customers already maintaining on-premises, hybrid, and multi-cloud environments. They face having to learn each respective secure enclave technology, which raises overhead in terms of engineering personnel, time, application performance, and cost.

Neutralizing Unauthorized Insiders and Outside Threats

Fortifying security without reducing IT productivity is a confounding security challenge that the cloud only exacerbated, exposing the problem of limited control over employees and third-party contractors of IT cloud platform providers. Insiders gain host access to perform their jobs, which overexposes them to host data. All it takes to compromise security for an organization is one vengeful, inattentive or opportunistic employee. 

But Confidential Computing shuts down “trusted insider” data exposure and outside threats. It secures exclusive data control and hardware-grade minimization of data risk; data protection is integral to the data itself—no need to rely on weak layers of perimeter security. The data owner controls data any place it is stored, transmitted, or used across the fundamental architecture of IT—compute, storage, and communications.

Anjuna Software: Securing Data by Default

Anjuna Confidential Computing software requires no re-architecting of applications or kernel. Customers needn’t be concerned about the underlying TEE on the chip or cloud infrastructure level. Applications and whole environments work unmodified within private environments created on public cloud infrastructure. Within minutes, Anjuna automatically creates an isolated and ironclad hardware-encrypted environment in which applications run and extends Confidential Computing hardware technologies to protect data—in use, in transit, and at rest.

What Makes Anjuna Unique?

  • Multi-platform and multi-cloud support.
  • Enterprises needn’t be locked into one hardware platform or cloud. Anjuna supports Intel, AMD, and AWS Nitro Enclaves platforms and native Kubernetes Key management solutions in any environment: on-premises, hybrid, or multi-cloud. Execute workloads across any enclave platform without modification.
  • No performance impact.
  • With Anjuna, environments are pre-tuned across all TEE technologies. Because applications don’t have to be re-coded, there’s minimal latency running in the software's isolated environments.
  • Hardened security at scale in minutes.
  • Create an isolated secure environment around each application quickly to significantly reduce the attack surface and protect applications even if the infrastructure is breached.
  • Full-stack coverage
  • Extend protections beyond memory to storage and networks with full-stack encryption of both hardware and software. Data is isolated and completely inaccessible to any other entities while running an application; memory is isolated from anything else on the machine, including the operating system.
  • Transparent data sharing.
  • Anjuna software enables enterprises to use the hardware-root-of-trust on distributed applications by authenticating the hardware within which the secure enclave is running as genuine. This affirms the integrity of enclave memory to a remote party.

Explore These Confidential Computing Use Cases

Secure Cloud-Migration

Migrate applications to the cloud with a security posture that exceeds on-premises protection. Anjuna extends hardened security capabilities provided by Confidential Computing technologies and makes any public cloud the safest place for sensitive enterprise applications and data. No more compromise between cloud economics and robust security. 

Database Protection

Even secured databases store data unencrypted and exposed in memory. Anjuna assures that both the database and its data operate within the secure confines of an isolated private environment. Cryptographically and physically isolating data from malicious processes and bad actors virtually eliminate the chance of a data breach or exfiltration.

Data Protection

Anjuna delivers the strongest and most complete data security and privacy control available. Sensitive data created, processed, stored, and networked is protected with hardware-rooted zero-trust protection, protecting PII from insiders and bad actors throughout its lifecycle. Data is protected by default, including keys, PII, PHI, PCI, IP, proprietary algorithms, trade secrets, etc. 

Crypto MPC & Blockchain Protection

See Yan Michalevsky, CTO and Co-Founder of Anjuna, discuss secure enclaves for blockchain applications, secure storage of cryptographic keys and infrastructure, and challenges in blockchain and cryptocurrency. Anjuna protects MPC applications, digital assets, digital wallets, custodial exchanges, NFTs, and AI/ML algorithms for crypto companies.

Key Management Systems (KMS)

With Confidential Computing, you can now modernize and extend KMS capabilities and shut out access to KMS applications running in isolated environments. Anjuna partners with HashiCorp and Venafi to protect keys and secrets even from attackers with root access from obtaining the authentication credentials.

Hardened DevSecOps

Manual security and audit processes for DevSecOps pipelines can be a primary risk vector for software supply chain compromise. These slow labor-intensive processes can make it challenging to identify pipeline attacks promptly. Using Anjuna to run applications inside secure enclaves provides hardware-based proof of software components’ integrity, protecting the software supply chain more broadly.

More like this
Get Started Free with Anjuna Seaglass

Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.

Start Free