The Benefits of Confidential Computing for Government Agencies

This blog was originally published by Anjuna here.

Government agencies occupy a unique position when it comes to protecting data. Unlike private enterprises, which include proprietary ownership, profitability and competitive advantage in their goals, a government agency is responsible for safeguarding public safety and continuity. This mission relies heavily on securing the integrity of data; in other words, the stakes couldn’t be higher.

For government agencies, moving to the cloud transcends optimizing revenue and calculating cost versus risk. Lives and national security are on the line; nation-state adversaries are poised to detect and exploit vulnerabilities. International economic viability also depends on the impregnability of systems and sensitive data. And, as always, a government agency is responsible to the public for wise allocation of often limited funds.

Along those lines, the high cost of on-premises infrastructure is a major economic factor impelling government agencies to embrace the superior scale, economy, agility, and efficiency of the public cloud. For agencies, siloed data infrastructure and data sprawl often challenge smooth cloud migrations and also raise the issue of duplicated data that can send cloud costs spiraling.

But security is the most intense concern for public agencies when moving vital workloads across the cloud. Data migration can be a high-risk process with numerous vulnerabilities, including incomplete data migration, corrupt or missing files, accidents, phishing, malware, or ransomware.

Confidential Computing Secures Exposed Data—at Rest, in Motion, and in Use

Confidential computing is a new technology that takes on the persistent Hard Question of how to secure data in the public cloud. This hardware-based innovation is founded on a new architectural approach that isolates data and execution within a secure space on a system. It uses a section of the CPU as a sanctuary or enclave, relying on virtualization to create a Trusted Execution Environment (TEE).

Why does this approach solve the Hard Question? While data is usually encrypted at rest and in transit, it must also be protected while in use (being processed). Confidential computing does just that; it encrypts memory within the enclave with a key unique to the CPU and the application. Only at that location can data be decrypted.

This way, the data attack surface at the cloud provider level no longer offers access to a potential threat actor. Even should a threat actor gain root access to the system, they are still incapable of reading the data. And these controls extend across the entire landscape of data exposure, whether storage, over the network, or in multiple clouds. Data encryption and resource isolation protect all of the fundamental elements of IT—compute, storage, and communications.

Confidential computing enables:

• Prevention of unauthorized access
• Regulatory compliance
• Secure and untrusted collaboration
• Isolated processing

Thus, confidential computing offers exclusive data control and hardware-grade minimizing of data risk by making protection inseparable from the data itself. Eliminating data vulnerability enables a new, secure hosted IT infrastructure founded on the confidential cloud.

Now, applications and even whole environments can work unmodified within a confidential cloud formation. The data owner is in exclusive control of the data anyplace it is stored, transmitted, or used. Thanks to the massive capabilities of today’s computer processors, a server can encompass up to 1 TB of enclave memory—enabling an entire application, database or transaction server to fit within the secure enclave.