Confidential Computing – Transforming Data Security as We Know It
Author: Richard Searle, Vice President of Confidential Computing @ Fortanix
There is no denying that we are amid an unprecedented data explosion, with some experts projecting a fivefold increase in data volume over the next five years. Data is spread across multiple clouds, SaaS solutions, data warehouses, data lakes and data centers, rendering old security models obsolete.
A significant portion of all this data is sensitive or private, needing higher levels of protection throughout its lifecycle. More and more data is also now regulated around the world, and data stewards are subject to heavy penalties if data is not protected and subsequently compromised. For organizations, this new data context presents a significant challenge.
During its lifecycle, data exists in one of three states – at rest, in motion, and in use. It is common practice to encrypt data when it is either at rest or in motion, but that still leaves data vulnerable when it is being processed in memory.
Protecting data across the three phases of its lifecycle is important for all data, but it is critical for private or sensitive data such as that found within healthcare and financial services industries. Can such data be protected even if an organization’s infrastructure is compromised? The answer is yes…with Confidential Computing.
How Confidential Computing Works
Confidential Computing, as defined by the Confidential Computing Consortium of the Linux Foundation, is the protection of data in use by performing computation in a hardware-based Trusted Execution Environment (TEE). Trusted Execution Environments provide assurance of data confidentiality by encrypting data in memory, and they can support validation of data integrity and code integrity using the property of “attestation”. Using a cryptographic proof of identity, attestation provides evidence, which can be used to uphold compliance or trust requirements, that code or data has not been tampered with, generated by malware, or accessed by unauthorized entities.
Confidential Computing represents a hardware-aided trusted computing method that significantly increases security by protecting data against both internal and external attack vectors. Both private data in use and the intellectual property within application software, such as the hyperparameters within AI models can now be secured at scale within the complex infrastructure employed by modern organizations.
The impact of Confidential Computing is enormous. As organizations increasingly rely on multiple clouds, for example, they can leverage confidential computing to take full control over their data and easily migrate workloads to the cloud without transferring trust to the cloud operator. Collaboration also improves because organizations can securely process data with external partners and customers, while maintaining computational performance and ensuring that private data is never exposed between the collaborating parties.
Crucially, businesses gain the ability to process sensitive data in any environment they choose, including public clouds, on-premises datacenters, and other hosted infrastructure outside the organizational perimeter.
Confidential Computing ultimately creates an elevated level of control over both privacy and security regardless of where the data or application is being used.
Stage Set for Rapid Growth
A recent report from research firm Everest Group forecasted that the Confidential Computing market will grow to as much as $54 billion by 2026, at a CAGR of 90 to 95%.
The adoption of Confidential Computing is already growing rapidly as organizations across a diverse range of industries adopt the technology to meet a variety of needs, including:
- Anonymous and secure analytics on multiple data sets.
- Securing the intellectual property within healthcare AI models.
- Securing confidential blockchains.
- Protecting data while in use for machine learning.
- Containerization security.
- Protection of Function-as-a-Service (FaaS) data.
- Secure cryptographic key management.
Highly regulated industries and those with a need to secure critically sensitive data are not surprisingly the main drivers of confidential computing adoption, with production deployments, today, in healthcare, banking, financial services and insurance, internet-of-things devices, government and defense applications.
A key factor that will drive growth in adoption is Confidential Computing’s ability to enable like-minded organizations to innovate and collaborate without compromising their own data. For example, an organization with a proprietary calculation method could utilize another organization’s sensitive data to perform analysis or create new solutions without either party gaining full access to the other’s private information. This is an important capability offered by Confidential Computing as it does not suffer from the performance penalties observed at scale with Multi-Party Computation and Fully Homomorphic Encryption. In fact, with in memory data encryption, attestation of services, and no requirement for service providers to participate in the privacy scheme, Confidential Computing represents the optimum solution for data and application security in the cloud.
To demonstrate the how Confidential Computing is now being used by some of the largest companies and the most valuable global brands, every day, a couple of real-world examples provide a glimpse of the possibilities and true potential of this groundbreaking technology:
Securing Healthcare Data Privacy within AI
The Translational Genomics Research Institute, known more commonly as TGen, is a non-profit organization that aims to use genetic discoveries to develop advanced diagnostics and therapeutics to improve disease outcomes.
The organization performs pathological research on various aspects of cancer, Alzheimer’s disease, and other medical conditions, and is also involved in a variety of clinical trials.
One of the main challenges TGen has faced in its research is the inadequacy of available data when developing high-quality AI models. Needless to say; ensuring that data is of appropriate quality is essential when performing such high-stakes medical research. The group gained access to key genome patterns from a multitude of sources, but the amount of high-quality data it was able to accumulate often proved insufficient. In some cases, the data wasn’t curated to high enough standards, and in others, the volume of data simply did not support model requirements.
The solution for TGen was not a simple case of going out and finding more datasets; the healthcare industry’s proliferation of data privacy regulations proves a major hurdle to data acquisition. In the USA, for example, HIPAA regulations protect individually identifiable information from impermissible uses or disclosures. To gain access to high-quality data, TGen employed Confidential Computing to process its source genomic data and AI model chain within the European Union. The adopted cloud solution, featuring end-to-end data encryption and data provenance through attestation of services, provided fully auditable compliance with data sovereignty requirements and EU GDPR regulations for the data provider, while ensuring application security for the TGen AI workload.
Combatting Money Laundering
Governments and financial institutions around the world spend billions of dollars annually on anti-money laundering efforts and combating the financing of terrorism. Even so, it isn’t always enough – the UN says trillions of dollars are laundered globally each year, which equates to roughly 2% to 5% of worldwide GDP. Even worse, compliance costs have been found to be up to 100 times greater than the funds that are eventually recovered from criminals.
Enter financial services innovator Consilient. The company actively works to reinvent the costly and, frankly, often ineffective system of battling money laundering with next-generation governance, architecture, and analytics, powered by Confidential Computing.
Specifically, the company’s DOZER™ technology utilizes the science of transfer learning to train machine learning models across multiple sets of private data, to allow financial institutions to collaborate without the risk of data breaches.
Within a federated machine learning (FML) architecture deployed in the cloud, TEEs help isolate and protect sensitive financial data and the intellectual property within the proprietary application code of the DOZER™ algorithms in memory.
Consilient calls this a “leapfrog” approach to financial crime detection and says that it allows financial institutions, regulators, and other authorities to identify ever evolving and increasingly complicated security risks more proactively and efficiently.
The organization enables the sharing of information among institutions that are otherwise siloed, promoting collaboration, real-time feedback, and valuable collective learning. A behavioral-based governance model driven by machine learning allows the algorithm to access and examine datasets across institutions, databases, and jurisdictions without the need to move the data outside of the individual organizations participating in the FML network.
Saying the results returned by this secure solution are significant would be a true understatement. Traditionally, rule-based screening for money laundering has a false-positive rate above 95%, but, enabled by Confidential Computing, the DOZER™ technology’s self-learning capabilities have reduced the false-positive rate to just 12%.
You Can Use Confidential Computing Today
As the technology and availability of Confidential Computing matures, organizations should look for the following key attributes demonstrate by vendors and solution providers, including:
- Experience with real-world deployments. Those with a proven track record of deploying Confidential Computing for mission-critical applications can offer invaluable insight into what works and what does not.
- Strength and breadth of the technical ecosystem. This is vital in an increasingly “multi-everything” world in which data, applications, and infrastructures span across multiple environments.
- Ease of deployment and centralized controls. Confidential Computing’s capabilities should be robust but also quick to deploy for fast time-to-value, with intuitive tooling that is simple to use and maintain over time.
The future truly is now when it comes to Confidential Computing. The technology is proven by its adoption by some of the world’s largest and most innovative businesses and organizations. Yet the technology is still early enough in its implementation to give those who adopt it a distinct competitive advantage as first-movers.
Those who have deployed it for any of the previously mentioned use cases now view it as being indispensable, and over the next decade it should prove to be a transformational advancement in data security and the foundation of tomorrow’s decentralized multicloud domain.
If you would like to discuss Fortanix’s Confidential Computing solutions further, click here.