Why Every Business Should Prioritize Confidential Computing

COMMENTARY

Most data leaks happen when data is in a vulnerable state — while in use or during processing. This vulnerability can compromise industries like finance, healthcare, government, and defense, where confidentiality is crucial. Innovation and collaboration in the software industry can also be impaired. However, sustainable solutions, such as confidential computing, encrypt and protect sensitive data during processing, reducing the risk of unauthorized access.

As the head of emerging technologies, I started working with confidential computing a couple of years ago. Through my research and hands-on projects, it became clear to me that confidential computing has immense potential to significantly enhance security for vulnerable industries, as it secures data in use.

Three Reasons Why Businesses Should Consider Confidential Computing

1. Complying with regulations and avoiding penalties

Several compliance requirements and regulations, such as the General Data Protection Regulation (GDPR), mandate strong data protection throughout its lifecycle. This ensures organizations implement security measures appropriate to data processing risks. Newly proposed compliance standards explicitly insist on securing data in use as well. In January 2023, the Digital Operational Resilience Act (DORA) introduced Article 6, emphasizing data security for financial institutions by mandating encryption for data at rest, in transit, and in use, where relevant.

The same is also true for the healthcare industry. The Health Insurance Portability and Accountability Act (HIPAA) mandates administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI), including securing data during processing.

Confidential computing's ability to secure customer and transaction data is a boon for industries like finance and healthcare that are constantly under scrutiny for data security. It guarantees adherence to these regulations by using hardware-based secure enclaves to isolate sensitive data and computations and protect data in use. This prevents unauthorized access during data processing and enables organizations to avoid hefty fines and penalties by meeting regulatory guidelines like GDPR and the California Consumer Privacy Act (CCPA). The technology could help healthcare and retail platforms comply with standards like HIPAA and PCI-DSS.

In addition, confidential computing helps maintain credibility and fosters innovation and collaboration. This potential for innovation could be a powerful differentiator for any industry. 

2. Securing public cloud-based infrastructure

Public clouds are vulnerable to malicious attacks. In 2023, the pharmaceutical industry lost an average of $4.82 million due to cyberattacks, highlighting the demand for better privacy and data protection. Infrastructure-level multitenancy segregates computing instances and introduces problems such as noisy neighbors and hypervisor vulnerabilities, potentially leading to unauthorized data access and advanced malware attacks.

To secure public cloud environments, organizations must trust the cloud provider's host OS, hypervisor, hardware, firmware, and orchestration system. Confidential computing uses trusted execution environments (TEEs) to address these security concerns and establish protected memory regions or security enclaves. Its remote attestation ensures workload integrity by making private data invisible to cloud providers and preventing unauthorized access of system administrators, infrastructure owners, service providers, the host OS and hypervisor, or other applications on the host.

Scalability and elasticity are other key benefits of cloud computing. Most applications and workloads run on virtual machines or containers, with modern architectures favoring containers. Confidential computing offerings allow existing VM or container-based applications to be migrated without code changes by lifting and shifting the workload. I successfully piloted this approach to improve GitOps security for a client, migrating the CI/CD pipeline from public runners to confidential computing environments. 

Confidential computing enhances security and is also likely to reduce the barrier to cloud adoption for security-demanding workloads.

3. Adopting AI/ML and GenAI securely

In a recent Code42 survey, 89% of the respondents of the respondents said that new AI tools are making their data more vulnerable. AI models require a continuous influx of data, making them prone to attacks and data leaks. Confidential computing addresses this by protecting training data and securing sensitive datasets during both model training and inferencing. This technology ensures that AI models only learn from authorized data, providing enterprises with full control over their data and enhancing security.

There are still gaps in concepts and use cases in generative AI (GenAI), but they are not deterring companies from adopting a measured and incremental approach to rolling out GenAI. GenAI models learn from various inputs, including prompts and training data. While interacting with other GenAI tools like observability and monitoring, packaging, DevOps and GitOps tools, etc., they can unintentionally expose or transmit unauthorized information.

Such possibilities have prompted countries to launch regulations for better privacy. Confidential virtual machines (VMs) and containers are effective solutions. We experienced this firsthand when a client opted to deploy retrieval augmented generation (RAG) GenAI, ensuring adherence to data locality and confidentiality requirements. The solution was implemented using a local LLM and operational tools, including locally set up data stores and tools. The process ensured the confidentiality of the prompts and LLM responses.

Conclusion

Cloud environments are quite lucrative, as they provide better agility and wider access to computing resources at a reduced costs. Despite these advantages, both public and private clouds are susceptible to data breaches. Confidential computing addresses this issue by safeguarding data in use, making it a crucial component of cloud security. Additionally, it helps companies comply with the regulatory requirements. As 5G and AI technologies advance, confidential computing will become even more accessible and effective.