How to ensure confidential computing for cloud and edge?


The growing popularity of customer-facing cloud services has made virtualization a requirement for cloud data center infrastructure. Virtualization presents simulated hardware to each cloud workload; every workload is encapsulated for portability and isolated from the others so that it can access only its own resources.

Traditional virtual machines (VMs) run the entire workload, including its own kernel, in a separate space. Containers and full workload orchestration engines have since been added to the virtualized environment. By sharing the host's kernel, containers greatly reduce the resources a workload requires and improve performance.

Containers are useful, but they make security of the underlying platform even more critical: a flaw in the shared kernel or in other shared layers can be exploited across every workload that shares them.

Because the virtualized workspace needs stronger protection, encrypting data both in storage and in use has become a priority. At-rest encryption protects data on disk; it guards against threats such as physical removal of a disk drive and usually refers to an unmounted data store.

Confidential computing, the protection of cloud data while it is in use, relies on hardware-enabled features to isolate and process encrypted data in memory, so that the data is far less exposed to other concurrent workloads or to the underlying system and platform. This article discusses technologies that can provide confidential computing for the cloud and the edge.

Memory Isolation

Encryption is a common data-protection method, but most solutions concentrate on securing data in transit and do not address the fact that data is exposed once it has been decrypted for use. An application running in memory shares platform hardware with other workloads and may be exposed to a compromised cloud administrator or to other workloads on the same hardware. In cloud data centers and edge computing facilities in particular, there is a strong desire to protect intellectual property and to ensure that private data remains encrypted and inaccessible at all times. Several hardware technologies have been developed to encrypt content while it resides in platform memory.

Application Isolation

Application isolation uses a trusted execution environment (TEE) to protect the memory set aside for a specific application. A TEE is a region, or enclave, guarded by the processor and used to hold sensitive information such as cryptographic keys, authentication strings, or private or intellectual-property-sensitive data. The application's trust boundary is constrained to the CPU alone.

Instead of safeguarding only particular operations or memory regions, future iterations of these techniques will allow entire applications to be isolated in their own enclaves. With separate per-application enclaves and distinct per-application keys, sensitive applications can be shielded from data exposure even by malicious insiders with access to the underlying platform. Because application isolation typically requires the customer's application developers to integrate a toolkit at the application layer, secure TEE design is the developers' responsibility.
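The gap described under Memory Isolation, and the developer-side responsibility described just above, can be made concrete in a few lines. The following Python program is an added illustration, not code from the original article: it seals a record to disk under at-rest encryption, scans the file to confirm the plaintext is absent, then decrypts the record for use and shows that the plaintext now sits in ordinary process memory, where a co-resident workload or platform operator with memory access (the threat the article describes) could read it without a hardware-isolated enclave. The cipher is a constructed toy (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) chosen only so the example runs with the standard library; `seal`, `open_sealed`, `zeroise` and `exposure_demo` are names assumed for this example.

```python
"""Added example: why at-rest encryption leaves data exposed while in use.

The cipher below is a constructed toy (HMAC-SHA256 as a counter-mode PRF,
encrypt-then-MAC). It exists only to keep the example standard-library-only;
production systems use an authenticated cipher such as AES-GCM.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytearray:
    """Verify the tag, then decrypt. Returns a mutable bytearray so the caller
    can overwrite the plaintext as soon as it is no longer needed."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered data")
    ks = _keystream(key, nonce, len(ct))
    return bytearray(c ^ k for c, k in zip(ct, ks))


def zeroise(buf: bytearray) -> None:
    """Overwrite a plaintext buffer in place. Immutable `bytes` objects cannot
    be wiped, which is why open_sealed() hands back a bytearray."""
    buf[:] = bytes(len(buf))


def exposure_demo(secret: bytes, key: Optional[bytes] = None) -> dict:
    """Store `secret` under at-rest encryption, decrypt it for use, and report
    whether the plaintext is findable at each stage."""
    key = key or secrets.token_bytes(32)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "record.sealed")
        with open(path, "wb") as f:
            f.write(seal(key, secret))

        # At rest: a removed disk or copied image yields ciphertext only.
        with open(path, "rb") as f:
            on_disk = secret in f.read()

        # In use: the application must decrypt, so the plaintext now lives in
        # ordinary process memory, the region a TEE or memory encryption protects.
        with open(path, "rb") as f:
            buf = open_sealed(key, f.read())
        in_use = secret in buf

        # After use: without hardware isolation, the application can only
        # shorten the exposure window by wiping promptly.
        zeroise(buf)
        after_wipe = secret in buf
    return {"on_disk": on_disk, "in_use": in_use, "after_wipe": after_wipe}


if __name__ == "__main__":
    # Constructed sample secret, not a real credential.
    print(exposure_demo(b"db_password=constructed-sample-value"))
```

Running the script prints `on_disk` as `False` and `in_use` as `True`: at-rest encryption does its job, but the moment the record is decrypted it is plaintext in memory shared with every other tenant of the platform. Wiping the buffer afterwards narrows the window but cannot close it, which is exactly the residual risk that hardware-backed memory isolation is meant to remove.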

VM Isolation

As new memory- and execution-isolation technologies become available, isolating entire VMs becomes more practical. Hardware-assisted virtualization and related technologies already give VMs some isolation, but each VM's memory is still not encrypted, and some of today's memory isolation techniques still require implicit trust in the virtual machine manager (VMM). The isolation technologies of future platform generations will provide full memory encryption with a unique key per VM and remove the VMM from the trust boundary, shielding virtual machines from malicious software on the hypervisor host and from rogue firmware.

Workloads in multi-tenant environments such as public and hybrid clouds benefit from VM isolation. Isolating entire VMs protects against malicious insiders at the cloud provider, against malware exposure, and against data leakage to other tenants whose workloads run on the same platform. Modern cloud deployments frequently use VMs as container worker nodes, which offers a consistent and scalable way to deploy containers regardless of the underlying physical platform. Full VM isolation therefore isolates the virtual workers that host container workloads without giving up the advantages of platform abstraction.

Cryptographic Acceleration

Data center applications are using encryption more and more as the industry adopts standards and guidelines covering the sensitivity of customer data and intellectual property. Because cryptographic operations consume many computing resources and can degrade system performance, the industry has adopted specialized hardware interfaces called cryptographic accelerators, which offload cryptographic work from the main processor onto a separate coprocessor chip. Pluggable peripheral adapter cards are a common form of cryptographic accelerator.