| | APRIL 20259CIOReviewWith application of Confidential Computing techniques, device management ceases to be a best-effort affair, because the designated portions of each device can now be assessed and fully trustedThe first and most obvious application is to Zero Trust. With application of Confidential Computing techniques, device management ceases to be a best-effort affair, because the designated portions of each device can now be assessed and fully trusted. Since each device is guaranteed to tell the truth about its state and patch level, misconfigurations can be detected and remediated with perfect accuracy. Beyond just code and configuration, you can be guaranteed that each device you manage is provisioned with exactly the secrets and policies you designate, no matter where in the world that device is located, and regardless of whose possession it is in. And best of all, any device can be attested ­ whether you own or manage it, or someone else does.Looking another way, Confidential Computing ensures that access to data is granted only to specified code, never to any other actor - human or otherwise. When used in the cloud, this capability enables mutually distrustful institutions to collaborate on highly sensitive datasets without revealing the portions of the overall data they own to each other, or even to the Cloud Service Provider. The parties, such as a bank and a hospital, agree on the code that should see the data (such as machine learning models), and only that code will ever be able to access the complete dataset, not the individual data administrators on either side. Without Confidential Computing, such scenarios used to require algorithmically cumbersome and latency-heavy solutions known by names such as Secure Multiparty Computation or Fully Homomorphic Encryption. In contrast, Confidential Computing executes code written in any language, on commodity hardware, and at near-native speeds and can benefit from dramatic speedups when using confidential GPUs. This means that your developers can start using Confidential Computing immediately, and with little retraining.Confidential Computing does not stop there. Indications are that it opens up significant additional areas of innovation. Sensors incorporating its tamper-resistant properties can be trusted like never before, enabling new capabilities ranging from traffic management to crop insurance in poorly governed jurisdictions. Blockchain smart contracts can use it to generate unforgeable proofs of execution. There has been academic research into a new cryptographic primitive called a "Sealed Glass Proof", with applications to verifiable computing, commitment schemes, and zero-knowledge proofs.From the architectural and regulatory perspective, Confidential Computing completes the trifecta of data protection: with it, the data remains protected at-rest using storage encryption and in-flight using network encryption, but is now additionally safeguarded while in-use on the CPU or GPU where it is accessed. It is therefore entirely reasonable to expect that, as has happened with data-at-rest and data-in-flight before it, once this new technology is deployed at-scale, it will graduate from anovelty feature to a compliance requirement for regulated institutions.To be sure, the technology is still emerging and far from mainstream. However, every cloud provider of note ­ Microsoft, Amazon, Google, but also IBM and Oracle, already has offerings in this space. If you are purchasing hardware directly, you can look at solutions from Intel (SGX, TDX), AMD (SEV-SNP), ARM (CCA), as well as confidential GPUs from NVidia. If you develop your own hardware and need to get started quickly, open frameworks such as Keystone exist to help with that task as well.It is a good idea for enterprise security architects to start familiarizing themselves with Confidential Computing and ways of bringing it into their environments. In a world of constantly evolving threats, Confidential Computing offers truly revolutionary and highly robust protections that are designed to integrate with existing systems.
< Page 8 | Page 10 >