Confidential Computing – Safe from prying eyes
Many companies are now putting the cloud first in their IT strategy, particularly in terms of using public cloud services. Whether that makes sense or not is open to judgment, but the trend looks like it is here to stay. To date, however, there have been a few no-go areas for applications in the public cloud, especially in Germany, which has long championed data protection and privacy laws. Red flags have often been raised against cloud services in companies handling particularly sensitive data such as in the financial sector or contractors for public authorities. This is because although encryption is seen as the ultimate solution to cloud security and can be applied to transport routes in the cloud (in-transit) or to mass storage (at-rest), it cannot secure data during processing. Now the situation has changed. All major hyperscalers have been offering various processing encryption measures for about a year, under the name of confidential computing which is designed to protect data during processing and even prevent the execution of malicious code in some cases. With a suitable security concept in place, cloud providers could now not even access customer data at any time, even if they or a government agency wanted them to.
Digging deeper, confidential computing can have several different meanings depending on the implementation. Often, hardware security modules (HSM) are already described as confidential computing. However, an HSM primarily secures secrets, for example keys for cryptographic procedures in specially protected hardware. An HSM is very often part of confidential computing, but it does not stop code from being inspected or protect data during processing. A further concept is homomorphic encryption. It can be used to process data in an encrypted state meaning that data is even hidden from the CPU. However, this only ensures confidentiality, rather than the integrity of data and code. Real confidential computing can already do both jobs well. Microsoft already started in 2017 based on Intel processor technology: Software Guard Extensions (SGX). SGX uses a sealed area within the CPU known as an enclave to execute code and data. The enclave is a Trusted Execution Environment (TEA) that is protected from all other processes, even with root privilege.
The Confidential Computing Consortium (CCC) provides general definitions for a TEA. A TEA should ensure data integrity, data confidentiality and code integrity. The SGX enclaves ensure that only authorized data are processed (confidentiality) and only released code is executed (integrity). However, there is no standard for enclaves and there are already several frameworks for developing enclave applications. Google uses Asylo while Microsoft employs OpenEnclave.
The SGX enclave only executes code authorized by a service known as an attestation. SGX therefore meets the requirement of maintaining both confidentiality and integrity. IBM also uses SGX as the fundamental technology for confidential computing in its cloud services. It does however, come with one disadvantage. Existing applications will not run on SGX-enabled processors straight away. They must be adapted specifically so that the data concept and algorithms use SGX. Alternatively, meta-applications like Anjuna place a kind of shell around the target application. However, they do not work on all operating systems and with all target applications out-of-the-box, usually further customization is required.
Like Intel, AMD has built confidential computing technology into its processors. It is called Secure Encrypted Virtualization (SEV) and offers simpler implementation and fewer performance losses compared to SGX. However, it cannot guarantee the integrity of the memory and does not protect the code from the owner of the computing platform, which SGX accomplishes through the attestation construct. Among the major hyperscalers, Google Cloud Computing (GCP) uses AMD's SEV. An extension of the concept, Secure Nested Paging (SEV-SNP) also masters integrity protection, but is currently not offered by any hyperscalers.
Amazon approaches confidential computing at AWS without any processor-based protection measures. Its Nitro enclaves are isolated VMs that protect the EC2 instances they are docked to. They inherit part of the CPU and RAM resources from the VM and can execute confidential code securely. The attestation is guaranteed by the Nitro Hypervisor and is integrated into the AWS Key Management Service. In terms of security level, Nitro has less to offer than a SGX enclave, for which Nitro can be used without changes to the application. Google also promises a similar feature with its Confidential VMs based on the second generation of AMD's EPYC processors with SEV. The memory is protected by a VM-dedicated key. The CPU generates the key during the VM setup and manages it independently in a protected memory area within the CPU. Neither Google nor other VMs on the same host can access data in the VM. These confidential VMs from Google are based on the Shielded VMs, which are also hardened extensively and protected against attacks such as root and boot kits.
All public cloud users have the opportunity to boost their security by taking advantage of these new options. However, only SGX with specially developed applications or a meta-application really offers complete protection from unauthorized access. However, it’s important to bear in mind the extra effort is likely worthwhile if the stakes are high. Unfortunately, confidential computing measures also have their disadvantages. Depending on the technology and hyperscaler, performance losses are estimated as between 1 and 6 percent. The attestation, if it is performed by a processor manufacturer or another party, is also an attack vector. In addition, there are first proof of concepts that malware that is specifically executed in an enclave is completely invisible to all other processes such as anti-malware software. Finally, SGX has proven to be vulnerable to the Intel Spectre bug. If the enclaves really contain the organization’s crown jewels, successful side-channel attacks are the last thing you want to experience.