Data-in-use Protection: Your New Privacy Defense


Posted on by Mike Bursell

Protecting the confidentiality of Personally Identifiable Information (PII) and other sensitive data has never been more critical. With legislative efforts from the California Consumer Privacy Act (CCPA) to the General Data Protection Regulation (GDPR), and the attention of auditors and regulators, organizations are increasingly cyber-aware and under an enormous amount of pressure to protect sensitive data. Deploying data-in-transit and data-at-rest encryption for network and storage solutions provides peace of mind but fails to address the third state of data, the one where data is actually being processed: data-in-use. Whether it is AI models, healthcare data, cryptographic keys, financial records, or simply one of the types of customer data requiring protection under the various new state, national, and international regulations, failing to protect data throughout its entire lifecycle is becoming indefensible to major stakeholders.

The Challenge

Standard computing and virtualization - in the Cloud, on premises, at the Edge and in IoT - provide no protection against compromised or malicious machines and administrators. To address these concerns, Nelly Porter, Director of Product Management at Google said, “By providing a secure and privacy-preserving foundation we enable breakthroughs and collaborations that were previously impossible due to data privacy concerns in everything from AI innovation to fintech and medical applications.” Once your applications and data are in memory, they are accessible to anyone with sufficient access, and you have no way of controlling access in most environments. A new set of technologies under the general title of Privacy-Enhancing Technologies (PETs) provides protection for data while it is in use, using a variety of techniques. Porter added, “Our mission in Confidential Computing is to empower organizations to harness the full potential of their data, while protecting sensitivity and adhering to regulatory policies.”

The Solution: Confidential Computing

Confidential Computing is the most widely available and deployed of these PETs. As Jesse Schrater, Principal Engineer, Confidential Computing Practice Lead at Intel, explains, “It allows applications to execute in Trusted Execution Environments (TEEs) - areas of memory isolated by a processor (e.g. the CPU or a GPU) and perform all their computation on data protected from other processes. This isolation extends not just to other user processes, but to the hypervisor, the system kernel, and even administrators on the machine, meaning that even if the system is completely compromised, the application and its data are still protected.”

Collaboration

Confidential Computing is defined as the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment (TEE).

This hardware protection is assured with the addition of remote attestation, which provides cryptographic measurement and verification of the contents of the TEE. According to Manu Fontaine, Founder and CEO, Hushmesh, “Confidential Computing is foundational to re-imagining zero-trust collaboration across the internet.” It also allows for new models of collaboration between organizations and business units, as you can now know both what application is executing in a TEE and that it cannot be tampered with, since its operations can be proved to be hidden even from the owner or operator of the system and machine on which it is executing. Fontaine noted, “While the Web was architected with no built-in security, Confidential Computing enables verifiable cryptographic security from the silicon up. The ultimate vision is to secure all data exchanges between any two parties, at global scale.” These properties allow data sharing applications to operate on standard hardware without major refactoring or significant performance slowdowns, as TEEs impose only a small speed penalty.

Examples of shared or collaborative computing include pharmaceutical research, banking reconciliation, healthcare record management, genomics calculations, and fraud detection: any context where two or more parties can benefit from pooling data for analysis, but where maintaining the privacy of that data is paramount. Raluca Ada Popa, Associate Professor, CS, UC Berkeley and Co-Founder, Opaque Systems, said, “We’re at a critical juncture where privacy-protecting technologies have to keep up with the massive leaps forward in generative AI and LLMs.” The Confidential Computing Consortium empowers conversations among all of today’s stakeholders.

Industry Adoption

All the major Silicon Valley vendors provide CPU or GPU hardware which supports Confidential Computing, and all the major cloud service providers (CSPs) allow you to run Confidential Computing workloads on their hardware. According to Vini Jaiswal, Principal Developer Advocate and Open Source, TikTok, “As a key privacy-enhancing technology, confidential computing empowers us to better safeguard users' information, contributing to the broader effort towards a more secure and trustworthy digital ecosystem.” Solutions from low-level programming projects to standalone applications and container-deployment frameworks are available to allow organizations of any size and industry to start using Confidential Computing.

Conclusion

The Confidential Computing Consortium - the industry body for Confidential Computing, and a part of the Linux Foundation - exists to increase adoption of the technology and to promote open-source projects that use it. It represents all parts of the Confidential Computing ecosystem, from silicon vendors to hyper-scalers, end users to start-ups. The CCC is proud to be exhibiting at RSA Conference, as are a number of its members.

 


Contributors
Mike Bursell

Executive Director, Confidential Computing Consortium
