Why IBM believes Confidential Computing is the future of cloud security

More than a decade into the cloud computing era, the most pressing demand for migrating data and applications has largely been met. To convince companies to put even more core functions and sensitive data in the cloud, a wide range of companies are pushing for a new standard that would guarantee more profound levels of security and privacy.

Dubbed “Confidential Computing,” this standard moves past policy-based privacy and security to implement safeguards on a deeper technical level. By using encryption that can only be unlocked via keys the client holds, Confidential Computing ensures companies hosting data and applications in the cloud have no way to access underlying data, whether it is stored in a database or passing through an application.

“This is part of what we view as unlocking the next generation of cloud adoption,” IBM CTO Hillery Hunter said. “It’s very much about getting clients to look not just at the first really obvious consumer mobile app kind of things to do on a public cloud. There’s a second generation of cloud workload considerations that are more at the core of these businesses that relate to more sensitive data. That’s where security needs to be considered upfront in the overall design.”

In its most recent report on the “Hype Cycle for Cloud Security,” Gartner identified Confidential Computing as one of 33 key security technologies. The firm noted that companies cite security concerns as their top reason for avoiding the cloud — even as they become convinced of its broader benefits.

Confidential Computing is intriguing because it allows data to remain encrypted even as it’s being processed and used in applications. Because the company hosting the data can’t access it, this security standard could prevent hackers from grabbing unencrypted data when it moves to the application layer. It would also theoretically allow companies to share data, even between competitors, in order to perform security checks on customers and weed out fraud.

That said, implementing Confidential Computing isn’t easy. Gartner projects it will be 5 to 10 years before the standard becomes commonplace.

“Even for the most reluctant organizations, there are now techniques such as Confidential Computing that can address lingering concerns,” Gartner senior analyst Steve Riley said in the report. “You can stop worrying about whether you can trust your cloud provider.”

To push this development along, the Linux Foundation announced the Confidential Computing Consortium in December 2019 The open source project brought hardware vendors, developers, and cloud hosts together to create open standards that would ensure this new generation of security products could work together across cloud providers. Founding companies included Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat.

“Driving adoption of technology is facilitated by open standards,” Hunter said of IBM’s decision to join the effort.

Google announced its first suite of Confidential Computing products in July — another sign of the momentum building behind this concept.

IBM and Confidential Computing

“Confidential Computing” may be new for IBM, but the company has been building products that embrace these principles for several years now. Almost a decade ago, it became clear that every layer of cloud computing needed to be better protected if customers were going to put the bulk of their mission-critical data online, according to IBM LinuxONE CTO Marcel Mitran.

“We recognized many years ago that there were some key inhibitors in that space around dealing with sensitive data,” he said. “You have this gentleman’s agreement with the cloud provider that they can host your sensitive data in the cloud and they promise not to touch it, they promise not to look at it, and they promise not to do bad things with it. But the reality is that at the end of the day, a promise is only a promise. There are bad actors out there. People make mistakes.”

With enterprise customers needing more assurance, IBM and others began developing ways to ensure protection on a technical level. IBM began providing some of that technical assurance in 2016 with its blockchain platform, an architecture essentially conceived to facilitate data exchanges between two parties that don’t trust each other.

After some initial success, the company began investing in more Confidential Cloud services, releasing its Cloud Hyper Protect Services and IBM Cloud Data Shield in 2018.

Hyper Protect Cloud Services uses hardware and software to offer FIPS 140-2 Level 4 security, while Cloud Data Shield lets developers build security directly into cloud-native applications.

“These services really aim to solve the end-to-end needs of posting a cloud application or a cloud-based solution in a public cloud while maintaining confidentiality,” Mitran said. “We can offer guarantees that at no point in time can the cloud host scrape the memory of those applications, and we can technically prove that our virtual server offering guarantees that level of privacy and security.”

Offering that level of security across the entire computing process has helped IBM attract a growing array of financial service companies that are becoming more comfortable placing sensitive customer data in the cloud. The company now offers IBM Cloud for Financial Services, which relies on Hyper Protect. Last year, Bank of America signed up for this service and to host applications for its customers.

While financial services are an interesting target for Confidential Computing, the same is true of any heavily regulated industry. That includes health care, as well as any companies trying to manage privacy data requirements such as GDPR, Hunter said.

Earlier this year, IBM struck a deal with Apple that touches on both of those elements. The companies announced Hyper Protect iOS SDK for Apple’s CareKit, the open source framework for iOS health apps. Cloud Hyper Protect is baked in to ensure underlying data is encrypted where it’s being used. Martin said this partnership is a good example of how Confidential Computing is making it easier for developers to take a security-first approach to creating applications.

“In the context of the Apple Care Kit scenario, you’re literally talking about adding two lines of code to the application to get a fully managed mobile backend security,” he said. “That’s the epitome of agility and security coming together.”

Even though Gartner describes Confidential Computing as still in the early stages, potential customers have heard of the concept and are increasingly intrigued. Many are also experiencing greater pressure to move to the cloud as the pandemic accelerates digital transformations across sectors.

These companies want to know that security will be addressed right from the start.

“Because of the increased concern that everyone has for cybersecurity and because of COVID, the world has changed in terms of the urgency of moving to the cloud,” Hunter said. “But in terms of risk appetite, everyone has also realized that they need to do that very cautiously. We think Confidential Computing is really well-positioned to provide solutions that are needed for that next wave of cloud adoption.”

Source: Read Full Article