The value of confidential computing for edge applications

When protecting data, people tend to think about one of two states -- the rest state and the transport state -- both of which can be encrypted or tagged to protect them. But what about the data that's being used? What about the data that is analyzed by algorithms or viewed by corporate employees? What happens if the data being used resides in an edge or iot environment, which is often uncontrolled?

In some cases, companies can protect data in use just as they would other physical and digital infrastructure. They can limit physical access to their offices and have access to myriad tools to detect cyber security threats to their computers, servers or cloud deployments. These measures come in handy, for example, when a real-time analytics platform is used to monitor exception logs in deployed applications, or when batch analytics market data is used to better understand customer trends.

But a growing number of companies are not only deploying more devices on edge devices, they are also requiring those devices to do more computing, such as running machine learning (ML) algorithms on incoming sensor data to make autonomous decisions. For example, if a device on a remote machine reaches a potentially hazardous state, it may automatically take the system offline. Edge devices are often located in remote locations or in public environments and are almost impossible to monitor and secure as standards-published data centers.

Which begs the question: But as more and more computing takes place on the fringes, how will companies protect the data they are using from dangerous snoops?

Protect data and confidential computing in use
One possible solution is secret computing, which uses special hardware to isolate some or all of the data, specific functions, and even the entire application from the rest of the system. This hardware creates a trusted execution environment (TEE, sometimes called an enclave) for data, functions, or applications that cannot be viewed by the rest of the operating system -- even with a debugger and even if the operating system itself is compromised. TEE refuses to run any modified code, such as injecting malware.

Confidential computing ensures that in-memory information is secure not only from cyber security threats, but also from third parties responsible for other critical tasks that run an enterprise's infrastructure, such as public cloud providers and their employees.

More and more public cloud providers are offering confidential computing, but the growth is slow because of the complexity of implementing reliable TEE in tightly controlled hardware and software relationships. But when it works, confidential computing can help businesses protect their data and make better use of sensitive workloads, no matter where they may be collected and stored.

The value of bringing confidential computing to the edge
Secret computing at the edge is still in its relatively early stages, but its clear value in these insecure and unstable environments is not in doubt.

Security with flexible air-gap hardware: Companies operating in highly regulated environments simply cannot deploy edge computing without confidential computing -- the risk of data loss and cyber attacks is too great. But with TEE to protect their workloads, they suddenly have new opportunities to collect real-time data, monitor their operating environment, or provide more depth and context to their customers.

Securely sharing data with partners: Confidential computing can isolate specific portions of sensitive data sets based on who is observing the data, allowing multiple stakeholders (even in different companies) to view relevant portions of shared data. Industrial operations allow manufacturers who build their machines to access specific sensor information without exposing any proprietary information.

Protection algorithm or other intellectual property rights: a confidential calculations, a software development company created one for complex computing the edge of the ML algorithm, can now in the TEE to protect their proprietary code, in the TEE, nobody - even the trust of customers, it helps to look "black box", find out how it works.

Some companies don't want to know, collect, or store certain things about their customers or partners. Secret computing, whether on the edge or in the data center, provides hardware-level assurance that everyone will only see what was designed for them.

What gets in the way of edge secret computing?
If this technology is so powerful, why isn't it applicable to all cloud and edge environments? Why is it not the default?

As mentioned earlier, developing hardware TEEs is an extremely complex task. IBM Cloud, Azure, and Google Cloud Platforms all offer a degree of confidential computing, thanks to cpus such as AMD EPYC™ SECOND-generation cpus and Intel Xeon cpus that offer Intel SGX(Software Protection Extension) technology. But these are still special VMs, not standard computing environments.

The Confidential Computing Alliance (CCC) was also formed in 2019 to define industry standards and promote open source tools. Support from big industry players such as AMD, Google, IBM and Red Hat, Intel, Microsoft and VMware, although it is releasing a software development kit (SDK) and Red Hat Enarx-an open source framework to run applications in TEEs-all deployment above takes place outside the consortium.

All of this means that secret computing on the edge still has a long way to go before widespread adoption, but now is a good time to familiarize you and your team with the new framework and software development process. Try them out, apply them in the public cloud of your choice, and prepare for a secret future at the edge.