Sovereign cloud is emerging as a preferred choice for many organizations to run their critical activities due to the evolution of data governmental law enforcements. Confidential computing is identified as one of the technologies required in the implementation of sovereign clouds. CYSEC offers a confidential computing-based solution of protection of VMs deployed on untrusted clouds. CYSEC offering can help you to quickly adopt confidential computing in your cloud sovereignty journey.
Sovereign clouds are becoming more and more important for public and private organizations due to recent geopolitical events forcing industry and regulators to strengthen their security standards. As described in Deloitte whitepaper on cloud sovereignty, this concept covers a broad set of aspects of data protection and controls. Within the large toolbox that organizations need to exploit to implement cloud sovereignty, Deloitte has identified confidential computing as one of the technologies allowing a better control on data sovereignty by limiting the need for agreements with third parties.
The confidential computing protects the data in-use, i.e. while data is stored in volatile memories. The protection of data in-use comes as a complementary protection with respect to the protections of data at rest (stored in persistent storage such as database) and of data in transit between nodes. The aim of confidential computing is to protect data of one data owner with respect to other shareholders executing code on the same processing unit, including the host in the case of a shared infrastructure. The activation of confidential computing is requested by a data owner to its host. This technology comes with a cryptographic attestation capability that allows the owner to verify the activation of data in-use protection and the integrity of its code. As described in a recent blog from Paul O’Neill (Intel), confidential computing provides a technical solution in several use-cases of data sovereignty going from the sensitive intellectual property, such as AI, in untrusted cloud infrastructure to the secure collaboration between untrusted parties.
On top of CYSEC’s ARCA Trusted OS, a Linux-based micro distribution hardened operating system designed to create trusted computing based for sensitive applications, CYSEC is working on a solution aiming at addressing one use-case related to sovereign clouds: the protection of the data of a VM with respect to its cloud host. This solution is deployed on a IaaS and provides hardware-based cryptographic isolation between the team operating the infrastructure service and the team running business services on top of it. This provides one of the technical bricks needed by organizations that want to implement sovereign clouds.
CYSEC solution consists in the combination of encryption of data in-use and data at rest with keys that are not accessible by the host. Furthermore, CYSEC offers the verification of the integrity of the OS at boot time from remote to assess the trustworthiness of the execution environment in which applications run. Therefore, the host cannot get access to the user data by directly reading the memories where it is stored nor by tampering with the OS. For more technical information about what CYSEC develops, you can read our blog on our attested VM launch protocol.
A major benefit of combining ARCA Trusted OS with CYSEC’ s attested VM launch protocol is to dramatically reduce the hardware root of trust to its bare minimum: the CPU. This opens new perspectives in terms of decoupling the infrastructure from the trusted environment where companies operate. If you have any questions on or want to test our confidential computing solution for the protection of a VM in untrusted clouds, please contact us at email@example.com.