What is confidential computing?

As the digital transformation continues to accelerate around the globe, security and privacy have struggled to keep pace.

Encryption only goes so far. It can prevent unauthorized eyes’ viewing and using sensitive data while it’s in storage and during transmission. But while that data is being processed in a CPU – “in use” — it is vulnerable, because it’s not encrypted during that time. Thwarted by encryption, hackers are now focusing their efforts on breaching data during this time, when it’s exposed.

Digitizing alone isn’t enough to transform business processes in today’s privacy-focused world. Encryption technologies, too, need transforming. For a growing number of enterprises, confidential computing is bridging the encryption gap.

Encryption: An ancient technique

Encoded text and invisible ink have kept messages private for thousands of years, dating back at least as far as the Roman Empire. During World War II, for instance, the stage star Josephine Baker smuggled information written in invisible ink on her sheet music to Resistance leaders.

Cryptography is a given in any situation involving secrecy, such as information passed during wartime.

Encryption works in much the same way. Your assets are “invisible” – or, at least, indecipherable — while it sits in the cloud or your data center, as well as while it’s traveling through the cybersphere.

But the moment any message is decrypted, it becomes visible. The user, whether a person or an application, can see it. So can anyone or anything looking over the user’s virtual shoulder — a hacker, perhaps, or malware lurking in your system.

The new kid on the security block

With an expected compound annual growth rate of up to  96.5% thought 2026, confidential computing is poised to become one of the hottest trends in cybersecurity, especially in high-risk sectors including finance and healthcare.

Consumers’ and regulators’ growing focus on data privacy is one reason why companies are embracing confidential computing. The near-ubiquitous technology shift from on-premises data centers to cloud environments and to the edge is another.

And then there’s the high, and continually rising, cost of breaches: from 2020 to 2021, the cost of a data breach, on average, rose from $3.86 million USD to $4.24 million USD – the most in 17 years, according to a survey of 17 countries by the Ponemon Institute.

Confidential computing explained

Confidential computing puts the “confidential” back into computing, where it belongs – and where it used to be when we kept our files and data on the company’s premises.

Today, much of that information sits in the cloud. Without firewalls or physical barriers to thwart intruders, running workloads and storing data in the cloud can make it more vulnerable to unauthorized access. Yes, there are ways to secure cloud environments, but weaknesses creep in: coding errors, unsecure passwords, and other problems.

Encryption is key to protecting our in-cloud data, but that method has long had weak spots, too. Until now, encryption has worked only on data “in transit,” or en route from one device or environment to another; or in storage (“at rest”). While data was “in use,” or being processed, it could not be encrypted, or the user wouldn’t be able to see it.

Attackers exploit this vulnerability using a variety of techniques:

  • CPU-side-channel attacks, in which malicious actors observe a computer processor’s operations to unlock encryption keys, passwords, and other security algorithms that they can use to gain unauthorized access to data
  • Malware injection to control systems, exfiltrate data from them, or hold them hostage
  • Memory scraping, in which malware extracts all the contents of point-of-sale systems’ memory and intercepts credit card data while it’s being processed and transmitted. One widely known example is the December 2013 Target breach, which affected as many as 40 million cardholders.

Confidential computing uses encryption to protect data even while it’s in use or being processed. Rather than encoding the data per se, confidential computing sequesters it in a Trusted Execution Environment (TEE) that requires a secret code, or encryption key, to enter.

And if an unauthorized viewer should get the key? The best confidential computing uses “zero-trust” protocols to authenticate the user, and blocks those who don’t fit the criteria from unlocking the data.

Keep data secure: the Trusted Execution Environment (TEE)

TEEs work as a kind of invisibility cloak for data. Co-processors within a main processor, TEEs are secured via encryption keys. Various forms of authentication ensure that only users or applications equipped with the proper authentication code can access the information within.

Even after the application or user has gained access, the data and code loaded in the TEE remain invisible to everyone and everything outside this TEE, including the cloud provider, virtual machines, and operating systems.

TEEs protect all three elements essential to data security:

  • Data confidentiality: Unauthorized entities cannot view data in use within the TEE.
  • Data integrity: Unauthorized entities cannot add, remove, or alter data in use within the TEE.
  • Code integrity: Unauthorized entities cannot add, remove, or alter code executing in the TEE.

How confidential computing is used

Every industry that processes sensitive information such as employee, client and customer data; proprietary product design; medical records; auditing and accounting records; payment records; and other limited-access data is a candidate for CC. Use cases include:

  • Blockchain. Enclaves are useful for permissioned blockchains by allowing nodes participating in the network to verify “secret” content, but without having the right to view this content in clear.
  • Data sharing. Collaboration among enterprises can’t happen without data sharing, often of private or regulated information, such as, in healthcare, sharing of clinical trial and Real World Data, or observational data that healthcare providers collect during their routine clinical practice. Encryption conceals that data while it’s en route from one enterprise to another; confidential computing keeps it secure while it’s being viewed and processed.
  • Multi-party analytics. Analyzing data from many sources provides superior results. For example, when banks pool their data they can more easily spot fraud; scientists can get better research results; and marketers can better understand what customers want and how better serve them. Homomorphic encryption allows analytical computations to be performed on encrypted data. While this technique is already reducing the risk of exposing sensitive data during analysis, confidential computing allows a faster and more scalable solution for large datasets by protecting the processing of unencrypted plain data.
  • Edge and internet-of-things (IOT) devices. Using confidential computing in IoT and edge devices as well as in back-end systems means that the data being communicated back and forth can’t be tampered with, which helps to ensure smooth functioning of autonomous vehicles and other edge-processing technologies.
  • Secure intellectual property. Confidential computing can be used to protect intellectual property as well as data privacy. It can secure code and the inner workings of entire applications. While data security is always a top priority, proprietary program methods can be just as valuable. This is especially true when a process is critical to increasing an organization’s efficiency or providing a service that no one else can provide. The company can use confidential computing in the cloud without fear of a competitor’s stealing a key component of its offering.
  • Artificial intelligence (AI) and machine learning (ML) modeling. To train AI and ML. you need data. Lots and lots of data. Data should be secured throughout training, whether the information is aggregated in one location or, in the case of federated learning, among different nodes. Confidential computing is probably the next big thing to protect these datasets and the business logic.

What’s next: How to prepare for the confidential computing revolution

Gartner says that 85% of organizations will be “cloud-first” by 2025. Migrating to the cloud means that companies no longer own the infrastructure, inherently increasing the risk of exposure since it cannot be directly controlled by them. Confidential computing removes this barrier, empowering organizations to protect their workloads and assets, even in public clouds.

Confidential computing is catching fire among a growing community of tech companies and tech users, thanks in part to the Confidential Computing Consortium. Formed in 2019 by the Linux Foundation, which is dedicated to open-source technologies, this open-source group of technology companies – including CYSEC — works together to develop, adopt, and promote TEE technologies and standards. Other members include Google, Microsoft, and Intel.

Joining the consortium is a great way to get ahead of the confidential computing curve – it’s a smart measure to prepare for the day when confidential computing will be expected of every organization. Other measures include

  • Think ahead: Begin developing a plan for implementing confidential computing in your enterprise. Which applications access sensitive information? Prepare now to encode them for processing information within a TEE.
  • Train your staff. The cybersecurity talent gap is already vast; introducing a new technology will only exacerbate the shortage. Take steps now to train your cyber teams in confidential computing.
  • Find your partners. No enterprise is an island. Rather than trying to re-invent the security wheel and implement confidential computing yourself, your best bet is to form partnerships with service providers and technology companies who can help you make the transition to confidential computing smooth and disruption-free.

A tried-and-true confidential computing solution

ARCA is a trusted OS with a hardware-based TEE that protects data in all its states – at rest, in transit, and in use. ARCA works in all environments including data centers, cloud environments, and edge technologies. It provides encrypted enclaves,  enabling a broader migration of data and applications on untrusted digital infrastructures. ARCA trusted OS provides the missing link in the chain of data protection.

Companies including Astrocast and METACO already trust ARCA to keep their most sensitive information encrypted and secure from unauthorized access.

Contact us now to find out how you can make use of cutting-edge security technology.

Latest Industry News