Confidential Computing Consortium Formed To Protect Processed Data
A new Confidential Computing Consortium was announced on Wednesday by the Linux Foundation to boost the security of processed data.
The consortium is focused on the security of data used by service providers, as well as data processed in local datacenters or "edge computing." Typically that data gets encrypted at rest and in transit by service providers, but it typically does not get encrypted when it's in use. The Confidential Computing Consortium plans to focus on this latter security issue when data get processed in memory, which is considered the "most challenging" security step to address.
The consortium's efforts will foster an open trusted solution for the problem, promised Jim Zemlin, the Linux Foundation's executive director.
"The Confidential Computing Consortium is a leading indicator of what's to come for security in computing and will help define and build open technologies to support this trust infrastructure for data in use," Zemlin stated in the Linux Foundation's announcement.
Participants committed to the project include "Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent," per the announcement.
As part of the effort, some of the consortium's participants have already contributed code to support "enclaves" or Trusted Execution Environments (TEEs). A TEE is used to protect the processed data and can be either hardware- or software-based.
For instance, Intel is contributing its Software Guard Extensions (SGX) Software Development Kit to the project, where SGX is a hardware-based protection scheme. Microsoft is adding its Open Enclave SDK for developers to create applications that use TEEs. Intel SGX and Arm TrustZone security technologies already work with Open Enclave. Red Hat is offering its open source Enarx project, which also provides application development support for TEEs.
Proprietary Data Protection
The security of data processed in memory isn't just a problem for service providers, but it's a concern for some organizations that use public "clouds," or the datacenters of service providers, to run their workloads. They'll be able to use enclaves to protect their data, according to Lorie Wigle, an Intel vice president and general manager of Platform Security Product Management.
"Companies that wish to run their applications in the public cloud but don't want their most valuable software IP [intellectual property] visible to other software or the cloud provider can run their proprietary algorithms inside an enclave," Wigle wrote in an Intel announcement. "Multiple untrusted parties can share transactions but protect their confidential or proprietary data from the other parties by using enclaves."
The consortium's confidential computing efforts also will add better security for "training multiparty dataset machine learning models" and executing confidential queries, according to Mark Russinovich, Microsoft's chief technology officer, in an announcement. He also suggested it would help protect proprietary protocols used in edge computing, as well as processed "customer information and billing/warranty logs."
"Future applications will generate more powerful understanding of industries' telemetry, more capable machine learning models, and a new level of protection for all workloads," Russinovich said, but it'll require having "confidential computing hardware" and "new attestation" to make it work securely, he added.
Microsoft had initiated its own Azure confidential computing effort a couple of years ago. Back then, Microsoft noted it was working with Intel on its SGX technology, and it had its own software-based TEE called "Virtual Secure Mode," based on Microsoft Hyper-V hypervisor technology in Windows 10 and Windows Server 2016. Microsoft later renamed this software-based TEE as "Virtualization Based Security." Azure confidential computing became available as a public preview release late last year and currently has its own landing page.
Wigle noted that the Confidential Computing Consortium isn't prescribing the hardware to be used for TEEs. Instead, it's "initially focused on common programming models and enclave portability" efforts.
Consequently, the aim seems to be to ease matters for developers at this point.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.