Securing cloud tech stacks with zero trust will drive growth of confidential computing – VentureBeat

For enterprises to realize the potential that real-time datasets can deliver, cloud tech stacks need hardening with zero trust. In this, confidential computing is essential to securing data at rest, in transit and in use.

VentureBeat spoke with CIOs from banking, financial services and insurance industries who say they are at various stages of piloting confidential computing to see how well it handles their compliance, regulatory reporting and real-time auditing of data transactions. Notably, compliance and support for zero trust frameworks are emerging as the killer apps.  

One CIO who spoke on condition of anonymity said that their board of directors’ team assigned to risk management wants to see proof that data is secured during use within protected CPU enclaves and Trusted Execution Environments (TEEs), two foundational elements of confidential computing.

Board members on risk management teams recall Meltdown and Spectre vulnerabilities that target processors that rely on branch prediction and advanced speculative actions. CIOs and CISOs say boards need to see pilot data and simulated attacks thwarted before they go into production with confidential computing. 

Based on period pilots that VentureBeat is briefed on, it’s clear that confidential computing strengthens zero trust in multicloud tech stacks on which highly regulated businesses rely on. Compliance, privacy, and security use cases, particularly on public cloud, have gained the most significant traction, accounting for 30 to 35% of the worldwide market, according to Everest Groups’ report Confidential Computing: The Next Frontier in Data Security. And, the confidential computing market is predicted to grow to $54 billion by 2026. 

What is confidential computing?

Confidential Computing is a cloud computing technology that secures data during processing by isolating sensitive data in a protected CPU enclave. The contents of each enclave, including the data and analysis techniques, are only accessed with authorized programming codes, remaining invisible and protected from external access.

Confidential computing is gaining momentum because it provides greater data confidentiality, data and code integrity than current security technologies protecting cloud tech stacks and infrastructure. 

The Confidential Computing Consortium (CCC) is instrumental in promoting and defining confidential computing across the industry. The CCC is a Linux Foundation project that combines the efforts of hardware vendors, cloud providers and software developers to help increase the adoption and standardization of TEE technologies.

TEEs protect proprietary business logic, analytics functions, machine learning (ML) algorithms and applications. Founding members include Alibaba, Arm, Google, Huawei, Intel, Microsoft and Red Hat. The CCC defines confidential computing as protecting data in use by computing in a hardware-based TEE. 

Compliance a growth driver

What’s working in confidential computing’s favor with boards is how effective it is at ensuring regulatory compliance. It’s also proven to be effective at enforcing end-to-end security and least privileged access to data at rest, in transit and in use. CIOs and CISOs tell VentureBeat that they expect confidential computing to be complimentary to their Zero Trust Network Access (ZTNA) frameworks and supporting initiatives.

John Kindervag created zero trust and currently serves as SVP for cybersecurity strategy and is a group fellow at ON2IT Cybersecurity. He is also an advisory board member for several organizations, including to the offices of the CEO and president of the Cloud Security Alliance. 

He recently told VentureBeat that “the biggest and best-unintended consequence of zero trust was how much it improves the ability to deal with compliance and auditors.” And, he said that a Forrester client called and informed him how perfectly aligned zero trust was with their compliance and audit automation process. 

Securing cloud tech stacks with confidential computing

Mark Russinovich, CTO and technical fellow of Microsoft Azure writes that: “Our vision is to transform the Azure cloud into the Azure confidential cloud, moving from computing in the clear to computing confidentially across the cloud and edge. We want to empower customers to achieve the highest levels of privacy and security for all their workloads.”

Cloud platform providers endorsed and began integrating CCC’s requirements into their product roadmaps as early as 2019, when the CC was formed. What’s guiding cloud platform providers is the goal of providing their customers with the technical controls necessary to isolate data from cloud platform operators, their operators, or both.

Microsoft’s Azure confidential computing is considered an industry leader because their DevOps teams designed the platform to go beyond hypervisor isolation between customer tenants to safeguard customer data from Microsoft operator access. 

CIOs and CISOs have identified to VentureBeat what they’re looking for when it comes to a baseline level of performance with confidential computing. First, remote attestation needs to be proven in live customer sites with referenceable accounts willing to speak to how they are using it to check the integrity of the environment. Second, trusted launch workflows and processes ideally need to be cloud-based, in production, and proven to validate virtual machines starting up with authorized software and continuous remote attestation to check for customers.

Silicon-based zero trust is the way

Martin G. Dixon, Intel fellow and VP of Intel’s security architecture and engineering group writes that, “I believe the zero trust concepts shouldn’t stop at the network or system. Rather, they can be applied down inside the silicon. We even refer to infrastructure on the chip as a network or ‘network on a chip.’”

Part of that vision at Intel included the need for attestation to become more pervasive and portable to fuel confidential computing’s growth, starting at the silicon level. 

To address this, the company introduced Project Amber, whose goals include providing independent attestation, more uniform, portable attestation and improved policy verification.

“With the introduction of Project Amber, Intel is taking confidential computing to the next level in our commitment to a zero trust approach to attestation and the verification of compute assets at the network, edge and in the cloud,” Greg Lavender, Intel’s CTO said at the company’s Intel Vision conference last year.

He continued that Intel is focused on “extending attestation services in the cloud data center in the edge computing environments to provide unprecedented security. The Intel Software as a Service offering Project Amber is a trusted service solution that will provide organizations with independent verification and trustworthiness of customer assets no matter where they run.”

Getting silicon-based zero trust security right needs to start with TEEs hardened enough to protect sensitive data at rest, in transit and in use. Migrating zero trust into silicon also strengthens authentication and authorization, taking identity and access management (IAM) and privileged access management to the hardware level, which makes it harder for attackers to bypass or manipulate authentication systems and improves the security of confidential computing environments.

Additional benefits of moving zero trust into silicon include encrypting all data and ensuring a higher level of data integrity and applying zero trust principles to data encryption and authentication. With zero trust frameworks requiring continuous security configuration and posture validation for all users and devices, supporting monitoring in silicon will reduce the overhead on cloud platform performance.