Over the past few years, the major public cloud providers have made a tacit admission: Data entrusted to their services is not as safe as it should be. To address this vulnerability, they’ve created a new offering – “confidential computing” – as a method for isolating sensitive data while it is being stored and, more importantly, used.
Confidential computing does in fact function as a method for protecting data in use, which is where the big gap in data protection today lies. Unfortunately, it has a number of limitations that make it far from ideal for this purpose.
A brief history of confidential computing
While execution may differ from one provider to the next, the basic concept behind confidential computing involves creating what is in essence a dedicated environment for isolating client or customer data and data processing. This isolation can be virtual, but typically it is physical, relying on dedicated hardware.
Microsoft’s description of confidential computing lays out the general idea:
Confidential computing is the protection of data-in-use through isolating computations to a hardware-based trusted execution environment (TEE). While data is traditionally encrypted at rest and in transit, confidential computing protects your data while it’s being processed. (emphasis added) A TEE provides a protected container by securing a portion of the hardware’s processor and memory. You can run software on top of the protected environment to shield portions of your code and data from view or modification from outside of the TEE.
The major providers have all developed their own proprietary approaches, and there are even competing claims as to who came up with the idea first. In an effort to create some common standards for confidential computing, a coalition of cloud, software, and hardware providers – including Microsoft, IBM, Google, Red Hat, VMware, Intel, AMD, Facebook and Alibaba – formed the Confidential Computing Consortium in August 2019. Amazon, notably, did not join the coalition, although it offers its own confidential computing service through AWS.
New issues posed by confidential computing
Prices are not widely advertised, but it’s clear that confidential computing is more expensive than other cloud-based compute resources due to the extra effort, including dedicated hardware, required to isolate the content. Cost aside, access to confidential computing services is limited for the time being. As of September 2020, for example, Google had yet to make its own confidential computing service generally available.
Cost and availability are relatively minor issues in the grand scheme of things, however, since confidential computing brings with it a whole laundry list of challenges:
- There are basic operational issues that constrain the scalability of this approach. Trusted execution environments need to be created for each specific use case, adding time, effort, and cost whenever an organization needs to extend protection to a new database.
- The proliferation of instances poses IT management issues as teams struggle to move data and maintain visibility across all these confidential environments. At the same time, confidential computing tends to create new data silos at a time when many organizations are focused on eliminating them.
- Given that the different providers have different solutions, data sharing between organizations becomes difficult. The coalition hopes to address this issue through open source projects, but when the largest public cloud provider in the world (AWS) isn’t part of the collective effort, compatibility between different offerings will remain limited for the foreseeable future.
A better approach to protecting data in use
What makes more sense is a single solution that provides the protection that confidential computing offers – that is, effective encryption of data at rest, in transit, and in use – but without the complexities and limitations. Rather than only protecting some of an organization’s data, why not protect all of it with a comprehensive solution free of the operational and collaborative problems confidential computing imposes?
A solution that works with data wherever or however it’s stored facilitates secure data sharing between organizations or entities. By avoiding the need for special, dedicated hardware to isolate data, costs can be kept lower. And issues of scale and performance can be avoided by using existing cloud infrastructure, rather than trying to deal with an endless series of essentially one-off deployments.
That’s what we had in mind when creating our solutions – providing all the benefits of confidential computing with none of the headaches. We offer an encryption solution that protects data throughout its lifecycle, wherever it’s located. A centralized solution that is readily deployed and easily integrated with existing platforms, Sotero can encrypt data down to the field level.
No data silos, no collaboration obstacles, no operational headaches, and robust, role-based access controls as an added layer of operational isolation. Doesn’t that sound better already? We view our security solution as the necessary step towards achieving an organization’s privacy goals. There is no privacy without security.