Confidential Computing is all about data security, specifically about the scenario of 'data-in-use'.
As far as data security is concerned, there are 3 scenarios where the data is secured:
- Data at rest - For example: when data is stored in hard-disk or when data is stored in database - there are possibilities of data encryption. So, even if the hacker has copied the data from the hard-disk, the data is encrypted.
- Data in transit - For example: when data is transferred across network. Hackers might be able to listen to the data in transit, but it is encrypted, using TLS protocols.
- Data in use - For example: when data is being processed. When data is being processed, it is present in memory. So, the case is that, even if data is encrypted in hard-disk, still when it is used for computation, it is going to be decrypted and the decrypted data is present in memory.
- Confidential computing is the protection of data-in-use through isolating computations to a hardware-based trusted execution environment (TEE).
- While data is traditionally encrypted at rest and in transit, confidential computing protects your data while it’s being processed.
- A TEE provides a protected container by securing a portion of the hardware’s processor and memory.
- You can run software on top of the protected environment to shield portions of your code and data from view or modification from outside of the TEE.
The TEE’s ability to offer safe execution of authorized security software, known as ‘trusted applications’ (TAs), enables it to provide end-to-end security by protecting the execution of authenticated code, confidentiality, authenticity, privacy, system integrity and data access rights. Comparative to other security environments on the device, the TEE also offers high processing speeds and a large amount of accessible memory. The primary purpose of the isolated execution environment, provided by the TEE, is to protect device and TA assets.
Originally published at https://gansai.blogspot.com/2020/07/cloud-security-what-is-confidential.html