A secure CPU enclave is used to process sensitive data in the cloud using a technique called confidential computing. The contents of the enclave, including the data being processed and the methods used to handle it, are invisible to and unknown to anyone outside of the permitted programming code, including the cloud provider.
Data privacy in the cloud is crucial as business leaders rely more and more on public and hybrid cloud services. Confidential computing’s main objective is to boost leaders’ confidence in the security and confidentiality of their data in the cloud and to persuade them to migrate more of their sensitive data and computing workloads to public cloud services.
Cloud service providers have long provided encryption services to assist safeguard data in transit and at rest (in storage and databases) (moving over a network connection). By securing data while it is being processed or run, confidential computing closes the last remaining hole in data security.
??? ???????????? ????????? ??????
Data must first be decrypted in memory before it can be processed by an application. This makes the data vulnerable to memory dumps, root user breaches, and other malicious exploits before, during, and after processing.
By utilizing a hardware-based trusted execution environment, or TEE, which is a secure enclave inside a CPU, confidential computing is able to resolve this issue. The TEE is secured using embedded encryption keys; embedded attestation mechanisms ensure that the keys are accessible to authorized application code only. If malware or other unauthorized code attempts to access the keys — or if the permitted code is hacked or altered in any way — the TEE blocks access to the keys and terminates the computation.
Sensitive data can be kept secure in memory in this fashion until the application instructs the TEE to decrypt it for processing. The data is invisible to the operating system (or hypervisor in a virtual machine), to other compute stack resources, to the cloud provider and its personnel during the decryption process and throughout the entire calculation process.
??? ??? ???????????? ??????????
- To extend the advantages of cloud computing to sensitive workloads and to protect sensitive data even while it is in use. Confidential computing removes the single biggest obstacle to moving sensitive or highly regulated data sets and application workloads from an expensive, rigid on-premises IT infrastructure to a more flexible, modern public cloud platform when used in conjunction with data encryption at rest and in transit with exclusive control of keys.
- To defend property intellectual. Data security isn’t the only benefit of confidential computing. The TEE can also be used to safeguard whole programs, machine learning algorithms, analytics features, and unique business logic.
- To securely work on brand-new cloud solutions with partners. A team from one firm might mix sensitive information with secret formulas from another to develop novel solutions, all without disclosing any information or intellectual property that either company doesn’t want to.
- To allay worries when selecting cloud service providers. With confidential computing, a business executive can select the cloud computing services that best satisfy the technical and operational needs of the organization without worrying about storing and processing sensitive information such as customer data, proprietary technology, and other sensitive assets. If the cloud provider also offers rival business services, this technique also helps allay any further competition worries.
- To safeguard information processed at the edge. A distributed computing system called edge computing puts business applications closer to data sources like IoT gadgets or regional edge servers. Confidential computing can be utilized to secure the data and applications at edge nodes when this framework is applied as a component of distributed cloud patterns.