What You Need to Know About Confidential Computing
By Guy Eisdorfer, the co-founder and CEO of Cognni
These days, “data-driven” isn’t just a convenient buzzword to make your business sound more modern and innovative. For many companies, it’s a way of life. Smart companies use their data to make marketing decisions, refine product designs, streamline operations, and become more effective and competitive within their respective industries.
Unfortunately, the methods companies use to collect and protect this data are often less than perfectly secure, and working with data sometimes inadvertently exposes it to access from unauthorized third parties. As a result, around 400 million individuals had their personal data exposed by breaches in 2022 in the U.S. alone.
The need for better ways to secure sensitive data while still obtaining useful information and insights has given rise to a concept known as confidential computing. Confidential computing is not only a critical part of data protection; its market is also expected to grow to $54 billion by 2026. Let’s see why that is and how you can secure your company’s data more effectively.
Most computing isn’t confidential
Confidential computing is a fairly recent development in data security that attempts to address the point at which enterprise data is most vulnerable: during processing. Processing involves risk because data stored in the cloud generally has to be decrypted before you can get any insights from it. Unfortunately, because data in the cloud can be accessed through the internet, that decrypted information could end up in the wrong hands.
Just as your home computer has a set amount of storage, processing power, and RAM, cloud providers allocate a certain amount of storage and processing power to each user. There are three main ways the cloud provider allocates those resources: a public cloud model, a private cloud model, or a hybrid cloud model.
In a public cloud, the user is sharing storage resources with other users and the cloud provider is responsible for security. Data processed in the public cloud can be vulnerable to unauthorized access. In a private cloud, the user has full control of the resources and they are not shared with any other parties. In this case, the user organization is responsible for the security of the information. This way, the user organization can put extra walls around data so that it’s less vulnerable to third parties. A hybrid cloud model is one in which a company utilizes both a private cloud and the public cloud.
Even in a private or hybrid cloud model, the cloud provider has access to the data during processing. That means if the cloud provider experiences a breach, you may find that your company’s sensitive data has been exposed. What’s worse, the biggest cloud providers aren’t always the most secure. Just last year there was a massive data breach in the Microsoft Azure data ecosystem, and Google has consistently experienced breaches or suffered major fines for misuse of clients’ data.
Protecting data in use
Here’s where confidential computing steps in to protect data in use, meaning during processing. Confidential computing secures data not only from outside access, but also from cloud providers themselves. In other words, unlike simply putting data in a private cloud, confidential computing puts up walls and a roof over the data to protect it from the top-down view of the cloud provider as well.
These metaphorical walls and roof are called a Trusted Execution Environment (TEE), a section of a computer processor that is separated off to keep data in the cloud encrypted even during processing. This isolated environment can detect and prevent any hacking or tampering with the access code, and places the control of your data squarely back in the hands of your organization. The encryption key is specific to the hardware of the processor, making it more difficult to exploit or misplace than a typical digitally generated key.
If there is any evidence of a third party tampering with the key or trying to gain access, the system will simply stop computing, meaning the data is no longer being processed and remains encrypted. On the other hand, if the processing is uninterrupted and there is no tampering, a TEE can provide confirmation – also known as attestation – that the data has remained private and undisturbed. Considering that up to 56 percent of breaches go undetected for months after they occur, this type of confirmation is extremely useful.
Protecting data in the cloud
Confidential computing protects data while it is in use, but not during transit or while the data is being stored. And there are certain types of attacks that confidential computing simply isn’t designed to address. One example is Denial of Service (DoS) attacks, which involve a malicious actor sending so many requests to a server that the server becomes overwhelmed and crashes, causing the system to shut down or turn away legitimate requests.
Since confidential computing is designed to prevent access but does not prevent outsiders from requesting access, under a DoS attack the system can become overwhelmed by turning away malicious access requests. That means you need other security measures to protect your data.
There are four things you can do to secure data beyond implementing confidential computing. The first is performing vulnerability audits and penetration testing across your cloud applications. A vulnerability audit looks for ways a hacker or malicious actor might be able to exploit the software to gain unauthorized access. Penetration testing is similar, but it actually simulates an attack to find weaknesses and test how the system responds.
You can also proactively take control of how your employees behave in the cloud environment. A surprising 95 percent of breaches are due to human error, and a lot of that human error comes in the form of incorrectly responding to phishing. Phishing involves a malicious actor sending an email, text, or other message looking for personal information or secure credentials. Often, these emails appear to be from a legitimate organization, so you need to educate your employees on how to recognize phishing attempts and respond appropriately.
The third thing you can do is monitor your data at all stages, whether it is at rest, in transit, or in use. Cloud providers will have options for securing and monitoring data in storage, so your part in this will be to monitor the activity of users for abnormalities. For example, you can set up an alert in case a user accesses the database outside of your company’s normal operating hours.
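The off-hours alert described above can be prototyped directly against an access log. The following is an added example, not code from the article or from any cloud provider; the log format, business hours, fixed UTC offset, and service-account allowlist are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, time, timedelta, timezone

# Assumptions (not from the article): log format, hours, offset and allowlist.
BUSINESS_TZ = timezone(timedelta(hours=-5))  # fixed offset; use an IANA zone in production
OPEN, CLOSE = time(8, 0), time(18, 0)        # local business hours, Monday to Friday
ALLOWLIST = {"svc-backup"}                   # scheduled jobs expected to run at night

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) db=(?P<db>\S+)$"
)

# Constructed sample audit log; timestamps are UTC.
SAMPLE_LOG = """\
2023-03-14T15:02:11Z user=alice action=SELECT db=customers
2023-03-14T07:17:45Z user=bob action=SELECT db=customers
2023-03-14T08:00:03Z user=svc-backup action=DUMP db=customers
2023-03-18T16:30:00Z user=carol action=UPDATE db=billing
not a log line
"""

def is_off_hours(ts_utc):
    """True if the UTC timestamp falls on a weekend or outside OPEN..CLOSE locally."""
    local = ts_utc.astimezone(BUSINESS_TZ)
    if local.weekday() >= 5:                 # 5 = Saturday, 6 = Sunday
        return True
    return not (OPEN <= local.time() < CLOSE)

def find_off_hours_access(log_text):
    """Return (alerts, skipped): off-hours accesses and the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1                     # count, don't crash: gaps in parsing hide events
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            skipped += 1
            continue
        if m["user"] in ALLOWLIST:
            continue                         # known scheduled job, not a human session
        if is_off_hours(ts):
            alerts.append((m["user"], m["db"], ts.astimezone(BUSINESS_TZ).isoformat()))
    return alerts, skipped

if __name__ == "__main__":
    print(find_off_hours_access(SAMPLE_LOG))
```

Tracking the skipped count matters as much as the alerts: a sudden rise in unparseable lines means the detection is blind to part of the log.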
And finally, you need to have a robust incident response strategy in place for any eventuality. How often do you back up your servers? Do you have a plan for offloading request traffic if a DoS attack occurs? Can you easily change access controls if an account becomes compromised? The answers to these questions will determine just how much business disruption may result from an attack.
Confidential computing is one of many tools you can use to protect enterprise data, but it’s only one portion of a cloud security strategy. Still, if you want to make the most of your data without exposing it unnecessarily to third parties, confidential computing is a good start.
Guy Eisdorfer is the co-founder and CEO of Cognni.
Cognni is a leading AI-powered data classification company that provides automated information security risk assessments, privileged account monitoring, and other security products to enterprises and SMBs.