The Growth of Confidential Computing
Jan 13, 2020
Beyond creating and deploying software, security should be the biggest focus of technological development. No matter how cool something is, if it isn’t secure, if it cannot protect the information it contains, it will ultimately fail – or be the subject of enough major lawsuits that it will be shut down or have to disappear.
The confidential computing initiative is coming to help improve the situation for use cases in which the software or data is either highly classified – basically, any situation in which the content of the memory needs to be hidden, whether the content is data or executable code.
The main approaches to confidential computing implementation today are hardware or software based.
· Hardware: Intel SGX, AMD SME, Arm Trustzone, etc.
· Software: Leveraging hardware memory management and virtualization capabilities
Both, of course, can be leveraged within cloud, on-premise, or hybrid environments. Why is this important?
The software, virtual memory-based isolation – implemented by the kernels or the hypervisors – has been available since the ‘90s but it is not perceived as effective enough;hence this new confidential computing trend has emerged, aiming to achieve better isolation and resilience results using the virtualization.
Two fundamental challenges exist that confidential computing should address – very sophisticated hardware attacks (e.g. side channel attacks, power analysis attacks) and software vulnerability, which is, and will remain, the weakest and the easiest to exploit link.
Among hardware-based approaches, the Intel SGX-based isolation is significantly more functional and more advanced. In addition to the memory isolation, it provides two crucial capabilities – remote attestation and unique cryptographic key(s).
The remote attestation is intended to cryptographically prove to remote software that the software undergoing the attestation is indeed executed in the isolated mode. The unique cryptographic keys can be obtained only by the hardware-authenticated code.These capabilities are necessary to design robust solution architecture and keep sensitive information safe at rest, in transit, and in use.
We can anticipate exponential growth of confidential computing methodologies, given the ever-increasing need.
Even though this technology is an important step toward safer digital space, building the right tools and the right architectures around the confidential computing has yet to come. Confidential computing memory isolation does not protect against software vulnerabilities. Therefore, the most critical issue is whether the infrastructure vendors and security solutions providers can apply the strong confidential computing protection to existing software components and architectures without the need to re-design and re-build.
Hope you found our content interesting. We always appreciate getting feedback and discussing our ideas, please feel free to drop us a line, we make sure to answer everyone [email protected]