In conversation with Richard Searle, VP of Confidential Computing at Fortanix, and a seasoned expert in complex systems engineering and AI-driven data discovery. Holding a Doctor of Business Administration degree from Henley Business School at the University of Reading, Richard is a recognized thought leader in the implementation of Confidential Computing.
As a General Members' Representative to the Governing Board and Chair of the End-User Advisory Council of the Confidential Computing Consortium of the Linux Foundation, Richard is dedicated to advancing the field and sharing his knowledge. He is driving the deployment of Fortanix's Confidential Computing technology to secure sensitive data and applications in the cloud.
Confidential Computing provides a new level of protection for data and applications by enabling organizations to process and analyze data while keeping it encrypted and secure, even when it is being used. In this interview, Richard will provide valuable insights into the technical and business aspects of Confidential Computing and share his thoughts on the future of this technology.
This interview will help executives, IT leaders, and security professionals learn more about Confidential Computing and how organizations can use the technology to secure sensitive data in the cloud.
1. How does Confidential Computing ensure that data remains protected even when being processed?
Here are some methods of Confidential Computing that protect data while processing:
- Trusted Execution Environments (TEEs): Using hardware-based TEEs, Confidential Computing creates a safe and isolated environment for running sensitive code and applications. This protected memory region, or "enclave," is isolated from the rest of the system. Data and code stored in this enclave are encrypted in memory.
- Encryption: Encryption algorithms can encrypt data before processing, with data decryption taking place within the TEE before processing. By isolating plaintext data inside the TEE, where it cannot be accessed from outside, the confidentiality of sensitive data and any intellectual property contained in the application software are protected while in use.
- Secure Memory: Allocated memory, only accessible by the TEE, is encrypted to ensure that data cannot be recovered through attack vectors such as memory scraping or via root user access.
- Access Control: Access controls based on certificated permissions derived from the underlying hardware attestation can be used to restrict access to data secured in TEEs by other programs or users. These access controls can be designed to enforce varying levels of access depending on the sensitivity of the data.
2. How does Confidential Computing tackle the trust issue in cloud computing, especially for ensuring data privacy and security?
Confidential Computing addresses the issue of trust in cloud computing by providing a secure computing environment for sensitive data processing that is separated from the components of the computing base that are accessible to the cloud provider.
Cloud providers typically manage the underlying infrastructure and hardware, and as a result, customers must trust that their data is secure and will not be accessed by unauthorized parties.
Confidential Computing leverages hardware-based security features to provide a secure and isolated environment for data processing, the integrity of which can be verified prior to the deployment of any data. This ensures that sensitive data encrypted at rest and protected by secure communication protocols in transit can also be protected in use, even when using an untrusted infrastructure. This security setup locks out cloud vendors, preventing access to the data, and ensures that organizations have met all the compliance requirements applicable to cloud infrastructure.
By providing a trusted computing environment, Confidential Computing enables organizations to maintain the confidentiality and integrity of their sensitive data in the cloud, claim complete data ownership, and reduce the risk of data breaches and other security incidents.
One area where this is potentially useful is preventing access to data by a third party in the event of a subpoena of the cloud provider. In this case, the data owner can retain control of encrypted data and associated cryptographic keys.
3. How does Confidential Computing address the challenge of securing data in multi-party scenarios, such as in consortiums or shared cloud environments?
There are many instances where data owners would like to leverage their data assets in combination with those held by a third-party organization. This type of collaboration is critical in developing accurate AI/ML models for applications in fields such as medical diagnosis and financial crime prevention. However, data protection regulations and compliance requirements often stifle innovation, as data cannot be shared outside the organizational boundary.
Confidential Computing now provides an effective method for data collaboration by providing the isolation guarantees necessary to train AI models using federated machine learning, or by enabling secure data marketplaces. Under both implementations, data can be safely analyzed without any risk of disclosure to an untrusted party.
Confidential Computing can support deployment across extensible multicloud and hybrid infrastructures, providing the scale and flexibility of applications currently unavailable using other privacy-enhancing technologies (PETs).
Confidential Computing can ensure compliance with prevailing data protection regulations and organizational policies. It can also serve as a source of innovation and revenue generation by enabling new uses for data assets previously siloed within organizations and their customer and supply chain networks.
4. Can you walk us through a real-life scenario where Confidential Computing can be used to protect sensitive information?
Consider a healthcare consortium in which multiple providers want to combine patient data for research purposes while protecting their patients' privacy. Healthcare providers want to collaborate and analyze data to find insights that can help improve patient care and clinical outcomes.
However, they must also adhere to regulatory provisions such as HIPAA privacy and security rules in the US and EU GDPR obligations. Consequently, each organization must protect patient privacy and ensure that only authorized parties can access the data as per their respective regulatory undertakings.
Healthcare providers can use Confidential Computing to accomplish compliance while enabling active collaboration. They can use a secure enclave to store and process patient data securely, using TEE attestation to verify that data was protected in use.
Each healthcare provider can encrypt their data and process it securely within the enclave, with only researchers having access to specific data or analytical outputs via authenticated and encrypted channels.
Without seeing sensitive patient information, the researchers can run analytics and algorithms on the combined data available from the collaborating organizations. The secure enclave provides a trusted environment that ensures data confidentiality and integrity while protecting against malware, rootkits, and insider threats.
Furthermore, remote attestation can validate the enclave's security and ensure it has not been compromised. This can help build trust among healthcare providers by ensuring that the enclave runs the correct software and has not been tampered with. The provenance of system outputs can also be checked based on the attestation of the source process.
5. How does Fortanix help organizations implement Confidential Computing and ensure its effective use in their specific environment?
Fortanix offers a set of RESTful APIs and development tools that allow developers to integrate Confidential Computing into their application pipelines. Fortanix provides a Rust-based SDK for Intel® SGX called Enclave Development Platform™ that enables secure applications to be developed from scratch.
Existing applications can be easily converted to support TEEs using our tooling, abstracting the implementation of Confidential Computing from the application developer or data scientist. This enables organizations to implement Confidential Computing without having to rewrite their entire application stack or internalize expertise in the underlying security technology.
Fortanix offers a cloud-based management console that allows businesses to manage their secure computing environments centrally. Monitoring and reporting tools and the ability to configure and manage security policies across multiple environments, provide seamless integration of data-at-rest encryption with data-in-use protection. TLS communications prevent access to data on the wire during transfer to or from Confidential Computing applications.
Fortanix offers several pre-built integrations with major cloud providers such as AWS and Microsoft Azure. This makes it simple for organizations to deploy Confidential Computing environments in their preferred cloud environment and helps them take advantage of cloud computing's scalability and flexibility.
Fortanix also supports compliance and certification by providing tools that allow businesses to ensure that their Confidential Computing environment meets industry standards and local regulatory requirements. This includes compliance with HIPAA, EU GDPR, and PCI DSS regulations where they are applicable.
6. How can organizations incorporate Confidential Computing into their data security strategies?
- Identify sensitive data: This first step will ensure that gaps in current data security are identified and addressed. Data benefitting from processing using Confidential Computing could include Personally Identifiable Information (PII), protected healthcare information (PHI), intellectual property, or data subject to national security provisions.
- Assess risks: Recognize the risks associated with processing and storing the data in untrusted environments, including existing networks where perimeter security has been shown to be vulnerable to modern cyberattacks. Appropriate risk management policies can help determine the level of protection required by specific workloads and define a roadmap for adopting Confidential Computing as an enhanced data security measure.
- Choose a hardware platform: There are several different implementations of Confidential Computing supported by Fortanix, and the selection of the right hardware platform could be based on existing infrastructure, support for specific use cases, or the conditions necessary for compliance with industry standards and regulations.
- Plan the implementation: Once you have defined the use cases for the deployment of Confidential Computing, you are ready to train your staff, configure infrastructure, and deploy the technology within your application and data analytics pipelines.
- Test and evaluate: Test the platform for vulnerabilities, performance issues, and industry standards and regulations compliance.
- Monitor and maintain: Perform regular audits, updates, and maintenance tasks to keep the platform secure and up to date. Confidential Computing should form an integral part of the arsenal that can defend against modern cyber threat actors and unauthorized data breaches – it should be used in conjunction to establish best practices across all areas of data security.
7. How can decision-makers educate themselves and their teams about the benefits and best practices of Confidential Computing?
Fortanix has provided various resources for decision-makers to engage with Confidential Computing. We have a free "Confidential Computing for Dummies" eBook available to download from our website and numerous datasheets and case studies documenting how Confidential Computing can be implemented.
Where decision-makers want to see the technology in action, Fortanix provides trial access that supports rapid evaluation of our products and solutions or self-managed proof-of-concept deployments. Fortanix can support customer evaluation of Confidential Computing, and we have comprehensive documentation available for customers to refer to.
8. Can you offer advice or recommendations for organizations looking to get started with Confidential Computing and securing their sensitive data in the cloud?
I advise organizational stakeholders to contact Fortanix through our cloud partners or sales representatives. Fortanix can then provide guidance on Confidential Computing deployment and work with the customer and their preferred cloud service provider to quickly demonstrate the business value and data protection provided by our technology.
Confidential Computing technology is available directly through cloud marketplace offers via our partners and can be deployed immediately using your cloud subscription, with standard interfaces and APIs. To support the decision-making process, we recommend organizational stakeholders engage with the trial versions of our software that we have made available for proof-of-concept activities.
9. How does Fortanix envision Confidential Computing evolving to meet the changing needs of businesses and society regarding data privacy and security?
- Expansion of Use Cases: As organizations seek to protect data throughout its lifecycle, from creation to deletion, we anticipate a significant increase in the breadth and depth of Confidential Computing use cases. This growth in use cases will be driven by Confidential Computing being seen as an immediate solution to increasing data protection regulations and as a source of competitive advantage, where the technology enables business innovation and provides assurance for end-customers.
- Standardized Interfaces: New technical standards will emerge, allowing for seamless integration with other technologies and improved interoperability and ease of use. Organizations can reap the benefits of Confidential Computing as their requirements change while ensuring compatibility with existing systems and workflows.
- Hardware and Software Advancements: Creation of new hardware-based security features, enhancements to software-based encryption and key management, and faster performance for complex computations will increase the utility of Confidential Computing.
- Collaboration and Partnerships: Working collaboratively, organizations can leverage their distinct strengths and capabilities to develop robust and effective Confidential Computing solutions that meet the changing needs of businesses and society.
Overall, Fortanix believes that Confidential Computing will become ubiquitous in the near term and will play a vital role in ensuring data privacy and security. Fortanix is committed to driving innovation and progress in this area through ongoing research, development, and collaboration. We look forward to continuing to support our existing customers and helping our future customers adopt this important data security technology.