Confidential Computing Consortium promises data-in-use encryption, researcher warns encrypted traffic remains vulnerable

The movement to address data protection comes as C-level information security executives are spending more of their budgets on securing proprietary data and ensuring privacy while at the same time maintaining data usability.

The cause? Meltdown and Spectre, in particular, are two critical vulnerabilities and security flaws that affected all computer chips made in the last twenty years. If exploited, a malicious program would compromise data believed to have once been protected. The malicious program manipulates speculative execution and caching, which are normally used to make computer chips work faster and boost memory access, by bypassing privilege check and gaining permission to access protected data.

Meltdown and Spectre brought to light the processing layer as an attack surface because the processor is where data is in the clear, meaning traditionally computing methods require the data to be decrypted in order to be used. The focus in cloud and edge computing has been on at-rest and in-transit encryption, but this can be rendered useless if there is a compromise of the processor that is using unencrypted data.

In-use encryption of sensitive data is hard to accomplish, but confidential computing will allow encrypted data processing in memory without compromising it, as well as deliver more transparency for users.

Startups such as Baffle and Enveil are offering the ability to perform functions on encrypted data — the process is called homomorphic encryption. The goal is to do so without affecting performance or having to rewrite code-a tough task. Having a group of companies like those in the Confidential Computing Consortium could help move development forward.

“The earliest work on technologies that have the ability to transform an industry is often done in collaboration across the industry and with open source technologies,” said Jim Zemlin, executive director at The Linux Foundation. “The Confidential Computing Consortium is a leading indicator of what’s to come for security in computing and will help define and build open technologies to support this trust infrastructure for data in use.”

The cross-industry community will collaborate on technical open-source projects and open specifications to endorse confidential computing and encourage Trusted Execution Environment (TEE) development. A preliminary organizational structure includes a Governing Board, a Technical Advisory Council, and technical management for each technical project.

Open-source project contributions include Intel’s software development kit that uses protected enclaves at the hardware layer to safeguard code and data, Microsoft Open Enclave SDK that developers can leverage for TEE applications for multiple architectures using a single enclaving abstraction and Red Hat Enarx for hardware independence in securing applications using TEEs.

Can the man-in-the-middle attack still work?

Confidential computing guarantees applications will securely run on public clouds and on the edge. According to Ketan Bhardwaj, Research Scientist II at Georgia Institute of Technology, although TEEs improve the protection level, “encrypted traffic still remains vulnerable to man-in-the-middle attacks” because of “the newly adopted thread model that confidential computing protects against.” Bhardwaj believes “confidential computing solutions are and will remain incomplete.”

He suggests, however, two potential approaches a company can incorporate to secure the cloud and the edge — either replacing the PKI certificates used by TLL with certificates generated in an Intel SGX enclave at the risk of causing latency degradation or “developing transparent TLS extensions that change the TLS handshake between cloud/edge app and a backend component providing TLS-aaS.”

Differentiating from other edge security efforts

Approximately six months ago, the Linux Foundation initiated Project Alvarium, under the LF Edge umbrella, which introduced a trust model dubbed Data Confidence Fabric (DCF). DCF advances the concept of system-level measurable trust insertion in data transfers between devices and applications.

Alvarium’s focus is on system-level trust and data confidence, explained Arpit Joshipura, General Manager of Networking, IoT and Edge and director of the LF Edge project. “It is differentiated in its comprehensive view and in delivering data to applications with measurable confidence by unifying, not reinventing trust insertion technologies and is relevant to all markets and solution stacks,” he said in an email to Edge IR.

Data trust and ownership are the industry’s hottest topics, following the growing interest in IoT and AI data-based funding. If that data cannot be trusted, then it’s probably worth peanuts, which is why building trust fabrics are an essential activity. Diversity of devices at the edge is another reason why it is essential to have an open edge infrastructure that has gained overall trust.

As computing covers multiple environments, confidential computing encrypts workloads using hardware or software-based enclaves (TEEs). Enterprise and consumer technology users alike anxiously wait to see how the most challenging step of them all — encrypting data-in-use — will be addressed to deliver complete encryption for the life cycle of sensitive data.

Article Topics

Alibaba  |  ARM  |  Baidu  |  Google Cloud  |  hack  |  IBM  |  Intel  |  IoT  |  Microsoft  |  Red Hat  |  security  |  Swisscom and Tencent