Big tech companies aim to boost cloud security with Confidential Computing Consortium

Big tech companies aim to boost cloud security with Confidential Computing Consortium
Credit: CCC

Some of the biggest names in tech have banded together in an effort to promote industry-wide security standards for protecting data in use.

The initiative — dubbed Confidential Computing Consortium (CCC) — has Alibaba Cloud, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent as its founding members.

It was formally launched yesterday at the Linux Foundation’s Open Source Summit in San Diego, California.

What is confidential computing?

“Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system and reduce exposure for sensitive data and provide greater control and transparency for users,” the group said in an announcement.

In doing so, the technology will allow organizations to securely collaborate on multi-party data sets and gain shared insights without giving access to that data.

“There are three types of possible data exposure to protect against,” said Mark Russinovich, CTO of Microsoft Azure. “One is data at rest and another data in transit. The third possible exposure … is data in use. Protecting data while in use is called confidential computing.”

The need for a trust infrastructure

One of the core tenets that underpins confidential computing is the broader use of secure enclaves (aka trusted execution environment or TEE), which refers to an area within a processor that ensures confidentiality and integrity of code and data.

Solutions like Intel Software Guard Extensions (SGX) SDK, Microsoft Open Enclave SDK, and IBM Red Hat Enarx — which are all being contributed to the CCC — help protect sensitive software and data from being modified by malicious actors that may have broken into the target (virtual) machine.

In fact, end-to-end encrypted messenger Signal employs SGX to securely determine whether contacts in your address book are Signal users without revealing the contact information to the Signal service.

Apple and Google, likewise, leverage a TEE — called security enclave processor and Titan M respectively — in their phones to store confidential on-device data, including passwords and payment information.

Where is Asylo?

A surprising no-show is Google’s Asylo framework, which the search giant’s cloud platform announced last year to develop applications that run in TEEs. But, in its current form, the solution still appears to be a work in progress (it’s at version 0.4).

Also absent are the company’s recent privacy-focused efforts like Federated Learning and Private Join and Compute.

Federated learning is an on-device machine learning technique that offloads computation to the device as opposed to storing the data in the cloud — a paradigm of edge computing — while the latter refers to a cryptographic method that helps organizations work together with confidential data sets in a privacy-preserving manner.

The way forward

The CCC comes at a time cloud adoption is accelerating at a rapid pace, with risks from data loss and leakage emerging the top concerns.

Cybersecurity firm Check Point’s 2019 Cloud Security Report last month cited unauthorized cloud access and account hijacking as some of the major cloud vulnerabilities, while stressing the need for stronger authentication mechanisms to safeguard users against such stealth attacks.

There’s no doubting the potential of confidential computing. As organizations increasingly shift to the cloud, the need for keeping data private all the way from the edge to the public cloud calls for a platform-agnostic solution that allows developers to create software that can be deployed across different TEEs — an area CCC hopes to nurture.

“The earliest work on technologies that have the ability to transform an industry is often done in collaboration across the industry and with open source technologies,” said Linux Foundation’s Jim Zemlin. “The Confidential Computing Consortium is a leading indicator of what’s to come for security in computing and will help define and build open technologies to support this trust infrastructure for data in use.”

Read next: US government knows you’re buying opioids with Bitcoin — and it doesn’t like it