Confidential Computing

Confidential Computing (CC) is now available on the Open Telekom Cloud. This highly secure computing option allows companies to meet even the most stringent security requirements, particularly in regulated industries. The Open Telekom Cloud thus continues on its path of providing the safest European cloud by underscoring its focus on security, privacy, and compliance.

Why Confidential Computing?

Security in the cloud remains a widely debated topic. Many companies rely on encryption for their security concepts, which has long been available in public clouds. For example, data at rest encryption in object storage or block storage (OBS/EVS encryption) and data in transit encryption within the cloud or over public networks are well-established practices. However, for processing, data needs to be decrypted, potentially exposing it to cloud providers or unauthorized individuals. This has led to sensitive discussions in light of the Privacy Shields and Europe's pursuit of data sovereignty.

Regulatory authorities in sectors such as regulated industries take extra precautions and require additional technical security measures from companies operating sensitive data or workloads in public clouds to enhance the level of data processing security.

What is Confidential Computing?

This is where Confidential Computing comes into play. Confidential Computing ensures that sensitive data/workloads can be processed in a specially protected and encrypted environment called an enclave. An enclave can be compared to a vault/safe deposit box in the cloud, accessible only to the user and not to the cloud provider or unauthorized third parties. Encryption at rest and in transit are complemented by encryption in use, which covers the software running in the main memory (RAM) and the processed data.

Ideally, this enclave, known as the Confidential Execution Environment, is deployed on a physically isolated server. The hardware used must be Confidential Computing capable. The Open Telekom Cloud has introduced a pool of Intel processors capable of utilizing Intel Software Guard Extension (SGX), the foundation for Confidential Computing.

Chart on "How Confidential Computing works"

How to utilize Confidential Computing on the Open Telekom Cloud

Companies looking to utilize Confidential Computing can select a preconfigured Bare Metal Server “physical.i7n.28xlarge.4” on the console. This server is also available on-demand in elastic mode. Additionally, a specialized partner of the Open Telekom Cloud offers other services in this area. This partner provides preconfigured solutions for Redis, Maria DB, Apache Spark and Zookeeper, TensorFlow, and PyTorch, among others.

Furthermore, starting in autumn 2023, the Open Telekom Cloud plans to make Confidential Computing available in its container services.

Important: The applications used must also be SGX-ready, meaning they are prepared for Confidential Computing processing.

Examples of Confidential Computing use cases

Confidential Computing not only protects sensitive data in accordance with regulations and meets the requirement for user data confidentiality but also safeguards intellectual property that holds high value for respective companies. This includes proprietary business logic, analysis functions, or know-how in the field of data processing for machine learning, for example. Confidential Computing can also be used for secure collaboration between partners in the cloud, known as “data clean rooms.” Encrypted data from various sources can be combined to perform confidential analyses, such as in combating money laundering or in clinical research. Additionally, collaboration platforms for file sharing, calendar invitations, emails, chat messages, or video conferencing systems can be implemented using Confidential Computing to protect personal data.

Key management modernization

Hardware Security Modules (HSMs) have become established for many processes within IT security, including key storage. Through Confidential Computing, this expensive technology can be replaced. Instead of hardware modules, (software-based) enclaves are used for key storage. This approach enables cost-effective scalability, as millions of individual HSMs can be realized on SGX hardware. It also allows for easy adaptation or updates of (even non-standard) security algorithms for the post-quantum era.

Encrypted databases

Encrypting data in databases is common practice. However, data usually needs to be decrypted for processing. With Confidential Computing, the processing of stored data can also be encrypted. This ensures that data cannot be accessed during processing and evaluation by databases. Additionally, key management is simplified as key rotation or double encryption becomes obsolete due to encryption in use.

Confidential development environments in the cloud

Applications are increasingly being developed in co-creation or collaboration scenarios. In these cases, it is important to protect contributors' intellectual property or sensitive test data. Confidential Computing offers the ability to encrypt development environments, preventing partners from accessing data and application components.

Do you have any questions?

Do you wish to learn more about Confidential Computing on the Open Telekom Cloud? I will gladly answer your questions during a free consultation!
Senior Product Manager
Christian Boelle

Salutation *

Ms. / Mrs.
Mr.
Mx.

Name *

Surname *

E-Mail *

Please enter your e-mail address correctly.

Company name

Country Dialing Code

Phone number

Your phone number seems to be incorrect. Please note it must contain at least four digits. Zeros at the beginning are not considered.

Your phone number seems to be incorrect. Please note that it must have a maximum of 26 characters.

Your phone number appears to be incorrect. Please note that only numbers from 0 to 9 can be used.

Your message

Please solve the security question. *

I consent to the processing of the data I have provided for promotional purposes in order to receive information/offers about products and services of T-Systems International GmbH and Telekom Deutschland GmbH directly by e-mail, letter, telephone, SMS or MMS. Within e-mails/newsletters, my personal usage behavior is registered and evaluated by T-Systems International GmbH and Telekom Deutschland GmbH so that new content and consulting can be better aligned with my personal interests. The consent I have already given remains valid. I can revoke my consent at any time by sending an e-mail to t-systems.marketing@t-systems.com. I have taken note of the information on the right of revocation and the privacy policy (www.t-systems.com/privacy-notice and https://www.telekom.de/datenschutzhinweise). * *

* required fields

What we mean by security

Our data centers

Find out more

Zero Outage

Find out more