Confidentiality guaranteed: How Confidential Computing works in the cloud 

In this article you will read about,

• how confidential computing ensures confidentiality,
• what the possible applications are,
• and how confidential computing replaces expensive hardware security modules.

Confidential computing is a technology that ensures the security and confidentiality of sensitive data processing in cloud environments. Confidential computing adds another security component that, among other things, effectively prevents the provider from gaining access to the data. This is a necessary security standard, especially in regulated environments such as the healthcare industry. Health insurance companies, for example, use the technology to implement secure digital identities for their customers.

Companies that store sensitive personal data in the cloud use confidential computing to ensure that this data is protected even during processing. By using technologies such as "secure enclaves", data can be encrypted and processed in isolated areas of the processor, preventing the cloud provider from accessing the data themselves. An enclave is comparable to a vault, to which only the user has access, but not the cloud provider or unauthorized third parties. With confidential computing, encryption options are supplemented by runtime encryption. This includes the software running in the main memory (RAM) and the data processed in the processor. The basis for this are processors that are able to use Intel's Software Guard Extension (SGX).

Using encrypted databases

Encrypted databases are part of everyday business in many companies. With confidential computing, data is also encrypted during processing. This ensures that data cannot be viewed by unauthorized persons, but only by the defined user, even during processing and evaluation. Thanks to "in use" encryption, there is also no need for key rotation or double encryption, which simplifies processes.

Enabling cloud AI and machine learning without insights

Advanced AI and machine learning models need large amounts of data for their training. This sometimes involves the use of personal data or intellectual property, depending on the use case. However, the company providing the data to the trainer wants to be sure that the data cannot be leaked or accessed by that party. The use of confidential computing can make this possible. The same also applies to analyses, for example, in which data from various private sources flow together.

Replacement of expensive hardware security modules

In the past, IT security relied on the use of hardware security modules (HSM) for storing cryptographic keys. With confidential computing, this comparatively expensive method can be replaced. Instead of HSMs, software-based enclaves are now responsible for storing the keys. This is more cost-effective due to the free scalability, since a high number of HSMs can be mapped on an SGX hardware.

Use case: digital identities in the healthcare industry

German health insurance companies, as operators of an identification and authentication solution for their patients and their data, are required by law to have a technical solution that makes it impossible to access all personal medical data. Access is reserved solely for insured persons and those legitimized by them. Patients authenticate themselves with their digital identity, for example, to view their patient file or use their e-prescriptions.

But encrypting the stored data is not enough! During processing, the data must be decrypted – which would theoretically give a provider access to the clear data. Supervisory authorities consider the risk of this to be too great. They demand technical measures that prevent just that. Confidential computing makes this possible for health insurance companies and their patients.

T-Systems meets the high security requirements of regulated industries and their strict legal requirements with a tuned solution: T-Systems provides the "Confidential Execution Environment" for confidential computing in the Open Telekom Cloud – on physically isolated servers. The Open Telekom Cloud has a pool of Intel processors with which Intel's Software Guard Extension (SGX) can be operated. The Open Telekom Cloud thus offers a wide range of application options in the cloud and enables companies in many industries to securely store, process and exchange the most sensitive data. The integration of this technology strengthens trust in the cloud computing infrastructure and offers the bundled benefits of scalability, compliance and cost efficiency.