The business-driven explosion of demand for cloud-based services has made the need to provide highly secure cloud computing more urgent. Many businesses that work with sensitive data view the transition to the cloud with trepidation, which is not entirely without good reason.
For some time, the public cloud has actually been able to offer more protection than traditional on-site environments. Dedicated expert teams ensure that cloud servers, for example, maintain an optimal security posture against external threats.
But that level of security comes at a price. Those same extended teams increase insider exposure to private data—which leads to a higher risk of an insider data breach and can complicate compliance efforts.
Recent developments in data security technology—in chips, software, and the cloud infrastructure—are changing that. New security capabilities transform the public cloud into a trusted data-secure environment by effectively locking data access to insiders or external attackers
This eliminates the last security roadblock to full cloud migration for even the most sensitive data and applications. Leveraging this confidential cloud, organizations for the first time can now exclusively own their data, workloads, and applications—wherever they work.
Even some of the most security-conscious organizations in the world are now seeing the confidential cloud as the safest option for the storage, processing, and management of their data. The attraction to the confidential cloud is based on the promise of exclusive data control and hardware-grade minimization of data risk.
What is the confidential cloud?
Over the last year, there’s been a great deal of talk about confidential computing—including secure enclaves or TEEs (Trusted Execution Environments). These are now available in servers built on chips from Amazon Nitro Enclaves, Intel SGX (Software Guard Extensions), and AMD SEV (Secure Encrypted Virtualization).
The confidential cloud employs these technologies to establish a secure and impenetrable cryptographic perimeter that seamlessly extends from a hardware root of trust to protect data in use, at rest, and in motion.
Unlike the traditional layered security approaches that place barriers between data and bad actors or standalone encryption for storage or communication, the confidential cloud delivers strong data protection that is inseparable from the data itself. This in turn eliminates the need for traditional perimeter security layers, while putting data owners in exclusive control wherever their data is stored, transmitted, or used.
The resulting confidential cloud is similar in concept to network micro-segmentation and resource virtualization. But instead of isolating and controlling only network communications, the confidential cloud extends data encryption and resource isolation across all of the fundamental elements of IT, compute, storage, and communications.
The confidential cloud brings together everything needed to confidentially run any workload in a trusted environment isolated from CloudOps insiders, malicious software, or would-be attackers.
This also means workloads remain secure even in the event a server is physically compromised. Even an attacker with root-access to a server would be effectively prevented from seeing data or gaining access to data and application—affording a level of security traditional micro-segmentation can’t today.
Safer than on-site
A strong argument can already be made that reputable major cloud providers deliver both the resources and focus needed to secure a vast majority of internal IT infrastructure. But data-open clouds bring the risk of greater data exposure to insiders, as well as the inability to lock down a trusted environment under the total control of the CISO.
Data exposure has manifested itself in some of the most publicized breaches to date. CapitalOne became the poster child for insider data exposure in the cloud when its data was breached by an AWS employee.
Implementing a confidential cloud eliminates the potential for cloud insiders to have exposure to data, closing the data attack surface that is otherwise left exposed at the cloud provider. Data controls extend wherever data might otherwise be exposed—including in storage, over the network, and in multiple clouds.
Bring your own confidential cloud
OEM software and SaaS vendors are already building confidential clouds today to protect their applications. Redis recently announced a secure version of their high-performance software to run over multiple secure computing environments—credibly creating what may be the world’s most secure commercial database.
Azure confidential computing has partnered with confidential cloud vendors to enable the secure formation and execution of any workload over existing infrastructure without any modification of the underlying application. Support for similarly transparent multi-cloud Kubernetes support isn’t far behind.
Taking advantage of confidential computing previously required code modifications to run applications. This is because initial confidential computing technologies focused on protecting memory. Applications had to be modified to run selected sensitive code in protected memory segments. The need to rewrite and recompile applications was a heavy lift for most companies—and isn’t even possible in the case of legacy or off the shelf packages.
A new ”lift and shift” implementation path enables enterprises to create, test, and deploy sensitive data workloads within a protected confidential cloud without modifying or recompiling the application. Nearly all cloud providers, including Amazon, Azure, and Google, offer confidential cloud-enabling infrastructure today.
Confidential cloud software allows applications and even whole environments to work within a confidential cloud formation with no modification. Added layers of software abstraction and virtualization have the advantage of making the confidential cloud itself agnostic to the numerous proprietary enclave technologies and versions developed by Intel, AMD, Amazon, and ARM.
A new generation of security vendors has simplified the process to implement private test and demo environments for prospective customers of the public cloud. This speeds the process to both enclave private applications and generate full-blown confidential cloud infrastructure.
Confidential computing is good, but confidential cloud is better
Data security is the last barrier to migrating applications to the cloud and consolidating IT resources. The resolution of cloud security flaws took a great step in migrating all but the most sensitive application and data. Eliminating data vulnerability opens a broad new opportunity for businesses to simply deploy a new and intrinsically secure hosted IT infrastructure built upon the confidential cloud.