My IBM Log in Subscribe

What is confidential computing?

4 June 2024

Authors

Mark Scapicchio

Content Director of Inbound and SEO for IBM.com

Matt Kosinski

Writer

What is confidential computing?

Confidential computing is a cloud computing technology that protects data during processing. Exclusive control of encryption keys delivers stronger end-to-end data security in the cloud.

Confidential computing technology isolates sensitive data in a protected CPU enclave during processing. The contents of the enclave, which include the data being processed and the techniques that are used to process it, are accessible only to authorized programming codes. They are invisible and unknowable to anything or anyone else, including the cloud provider.

As company leaders rely increasingly on public and hybrid cloud services, data privacy in the cloud is imperative. The primary goal of confidential computing is to provide greater assurance to leaders that their data in the cloud is protected and confidential, and to encourage them to move more of their sensitive data and computing workloads to public cloud services.

For years, cloud providers have offered encryption services to help secure data at rest (in storage, databases and data centers) and data in transit (moving over a network connection). Confidential computing eliminates the remaining data security vulnerability by protecting data in use during processing or runtime. Data is protected at every stage of its lifecycle.

Man looking at computer

Strengthen your security intelligence 


Stay ahead of threats with news and insights on security, AI and more, weekly in the Think Newsletter. 


How confidential computing works

Before it can be processed by an application, data must be unencrypted in memory. This leaves the data vulnerable before, during and after processing to memory dumps, root user compromises and other malicious exploits.

Confidential computing solves this cybersecurity challenge by using a hardware-based trusted execution environment (TEE), which is a secure enclave within a CPU. The TEE is secured using embedded encryption keys; embedded attestation mechanisms ensure that the keys are accessible to authorized application code only. If malware or other unauthorized code attempts to access the keys, or if the authorized code is hacked or altered in any way, the TEE denies access to the keys and cancels the computation.

This way, sensitive data can remain protected in memory until the application tells the TEE to decrypt it for processing. While the data is decrypted throughout the entire computation process, it is invisible to the operating system, the hypervisor in a virtual machine (VM), to other compute stack resources and to the cloud service provider and its employees.

Mixture of Experts | 28 March, episode 48

Decoding AI: Weekly News Roundup

Join our world-class panel of engineers, researchers, product leaders and more as they cut through the AI noise to bring you the latest in AI news and insights.

Why use confidential computing?

To protect sensitive data even while in use and to extend cloud computing benefits to sensitive workloads. When used together with data encryption at rest and in transit with exclusive control of keys, confidential computing eliminates the single largest barrier to moving sensitive or highly regulated data sets and application workloads from an inflexible, expensive on-premises computing environment to a more flexible and modern public cloud ecosystem.

To protect intellectual property. Confidential computing isn't just for data protection. The TEE can also be used to protect proprietary business logic, analytics functions, machine learning algorithms or entire applications.

To collaborate securely with partners on new cloud solutions. For example, one company's team can combine its sensitive data with another company's proprietary calculations to create new solutions while maintaining data confidentiality. Neither company has to share any data or intellectual property that it doesn't want to share.

To eliminate concerns when choosing cloud providers. Confidential computing allows a company leader to choose the cloud computing services that best meet the organization's technical and business requirements, without worrying about storing and processing customer data, proprietary technology and other sensitive assets. This approach also helps alleviate any additional competitive concerns if the cloud provider also provides competing business services.

To protect data processed at the edge. Edge computing is a distributed computing framework that brings enterprise applications closer to data sources such as IoT devices or local edge servers. When this framework is used as part of distributed cloud patterns, the data and application at edge nodes can be protected with confidential computing.

The Confidential Computing Consortium

In 2019, a group of CPU manufacturers, cloud providers and software companies—Alibaba, AMD, Baidu, Fortanix, Google, IBM® and Red Hat®, Intel, Microsoft, Oracle, Swisscom, Tencent and VMware—formed the Confidential Computing Consortium1 (CCC) under the auspices of The Linux Foundation.

The CCC's goals are to define industry-wide standards for confidential computing and to promote the development of open source confidential computing tools. Two of the Consortium's first open source projects, Open Enclave SDK and Red Hat Enarx, help developers build applications that run with or without modification across TEE platforms.

However, some of today's most widely used confidential computing technologies were introduced by member companies before the formation of the Consortium. For example, Intel SGX (Software Guard Extensions) technology, which enables TEEs on Intel Xeon processors, has been available since 2016. IBM has confidential computing capabilities generally available with its IBM Cloud® virtual and bare metal servers.

Related solutions

Related solutions

Data security and protection solutions

Protect data across multiple environments, meet privacy regulations and simplify operational complexity.

    Explore data security solutions
    IBM Guardium

    Discover IBM Guardium, a family of data security software that protects sensitive on-premises and cloud data.

     

      Explore IBM Guardium
      Data security services

      IBM provides comprehensive data security services to protect enterprise data, applications and AI.

      Explore data security services
      Take the next step

      Protect your data across its lifecycle with IBM Guardium. Secure critical enterprise data from both current and emerging risks, wherever it lives.

      Explore IBM Guardium Book a live demo
      Footnotes

      Confidential Computing Consortium, The Linux Foundation