Confidential Computing: The Game-Changing Way To Protect Data


Encryption is the most effective method of protecting sensitive data. It applies an algorithm to data so that it can be read only by someone holding the key needed to decrypt it. The industry continues to advance encryption for data at rest, such as information stored on a drive, and for data in motion, information being transferred across a network.

That leaves data in use. How can data be protected while it sits in memory and is being processed? Confidential computing is a major industry-wide initiative designed to safeguard data at every stage of its lifecycle, including in the cloud.

Building on the industry's innovations

Secure cloud computing such as AWS Nitro is enabled by hardware that can reserve a region of the CPU's memory as a secure enclave. Memory inside the enclave is encrypted with a key that is specific to that CPU and that application.

An agency can use such an approach to secure highly sensitive data, and the application code that processes it, inside the enclave. Only the enclave can decrypt the data, so it stays protected even while it is being used for analytics or database queries. Even an attacker who gained root access to the host would be unable to read it.

The technology also includes an attestation function, which lets an organization prove to other parties that the data is held in an enclave. An organization that manages health data, for example, could assure health care providers that their information remains protected.

Earlier versions of this technology limited the size of the enclave. The most recent generation of processors allows a server to have an enclave of as much as 1TB, large enough for organizations to place an entire database, application or transaction server inside it.
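The two mechanisms described above, a sealing key bound to a specific CPU and a specific enclave image, and an attestation report that a relying party checks before trusting the enclave, can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from AWS, Azure or any enclave SDK. It replaces the hardware-held secrets with constructed constants and uses HMAC both for key derivation and as a stand-in for the vendor-certified signature on a real attestation report (a real verifier would check a certificate chain, not share the CPU secret). The toy seal/unseal routine is an HMAC-keystream encrypt-then-MAC construction chosen only to keep the example free of third-party libraries.

```python
"""Toy model of enclave sealing and attestation (constructed example, standard library only)."""
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins for per-CPU root secrets. In real hardware these never
# leave the processor; enclave keys are derived from them internally.
CPU_A_SECRET = b"constructed-cpu-a-root-secret"
CPU_B_SECRET = b"constructed-cpu-b-root-secret"


def measure(enclave_image: bytes) -> str:
    """Measurement: a hash of the code loaded into the enclave."""
    return hashlib.sha256(enclave_image).hexdigest()


def derive_sealing_key(cpu_secret: bytes, measurement: str) -> bytes:
    """Sealing key bound to this CPU *and* this exact enclave code.
    A different CPU or a modified image yields an unrelated key."""
    return hmac.new(cpu_secret, b"seal|" + measurement.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-based keystream: block i = HMAC(key, nonce || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with the HMAC keystream (illustrative, not a production AEAD)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag}


def unseal(key: bytes, blob: dict):
    """Return the plaintext, or None when the key (wrong CPU or wrong code) does not match."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def attest(cpu_secret: bytes, measurement: str, nonce: str) -> dict:
    """Hardware-signed report: 'this measurement is running and answers this nonce'.
    HMAC with the CPU secret stands in for the vendor-certified signature."""
    doc = {"measurement": measurement, "nonce": nonce}
    body = json.dumps(doc, sort_keys=True).encode()
    sig = hmac.new(cpu_secret, b"attest|" + body, hashlib.sha256).hexdigest()
    return {"document": doc, "signature": sig}


def verify_attestation(report: dict, cpu_secret: bytes,
                       expected_measurement: str, expected_nonce: str):
    """Relying party's checks, in order: genuine signature, fresh nonce, expected code."""
    body = json.dumps(report["document"], sort_keys=True).encode()
    sig = hmac.new(cpu_secret, b"attest|" + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, report["signature"]):
        return False, "signature invalid: report not produced by trusted hardware"
    if report["document"]["nonce"] != expected_nonce:
        return False, "nonce mismatch: replayed or stale report"
    if report["document"]["measurement"] != expected_measurement:
        return False, "measurement mismatch: unexpected enclave code"
    return True, "attested"


if __name__ == "__main__":
    approved = measure(b"constructed approved analytics enclave v1")
    key_a = derive_sealing_key(CPU_A_SECRET, approved)
    blob = seal(key_a, b"constructed patient record")

    # Same CPU, same code: data is readable inside the enclave.
    print(unseal(key_a, blob))
    # Same CPU, modified code, or another CPU: the sealed data is unreadable.
    print(unseal(derive_sealing_key(CPU_A_SECRET, measure(b"modified image")), blob))
    print(unseal(derive_sealing_key(CPU_B_SECRET, approved), blob))

    # A relying party challenges the enclave with a fresh nonce before releasing secrets.
    challenge = secrets.token_hex(8)
    report = attest(CPU_A_SECRET, approved, challenge)
    print(verify_attestation(report, CPU_A_SECRET, approved, challenge))
    print(verify_attestation(report, CPU_A_SECRET, approved, "old-nonce"))
```

The order of checks in `verify_attestation` matters in practice: the signature establishes that the report came from hardware, the nonce rules out a replayed report from an earlier session, and only then is the measurement compared against the image the relying party approved.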

Cloud data protection with confidence

This technology could change agencies' approach to security in the cloud. Confidential computing differs from traditional cloud computing, where users must place complete trust in the cloud provider. A provider may guarantee that data is protected in storage, and an agency may take every step to secure it in motion, but until now the agency could only hope its data was secure while in use.


With Azure confidential computing, agencies can be assured that their data is secure. This is a major step, especially for federal agencies, which are heavily regulated. They can now protect information while it is in use, even when it is hosted by a cloud provider, so the data is secure throughout its entire lifecycle: at rest, in motion and in use.

Confidential computing for government

Cloud providers are working with the top hardware makers to provide confidential computing for federal agencies. Confidential virtual machines will be made available to agencies, letting them choose cloud services that protect their data in use. The integrity of these VMs can be verified through attestation.

Confidential computing VMs are already in preview in the U.S. government cloud region for federal, state and local governments and their partners. They enable agencies to build enclave-based applications that safeguard data within a dedicated cloud that meets the government's security and compliance requirements.

Of course, federal agencies often manage clouds in classified, air-gapped environments that are not connected to the internet. For those situations, hardware and cloud providers have partnered to develop tools that enable confidential-computing provisioning, updates and attestation without the need for an internet connection.

Industry and government gain

Industry is coming together to tackle a range of cloud security issues through the Confidential Computing Consortium. The CCC, a project of the Linux Foundation, is an open-source community whose goal is to promote the adoption of confidential computing.
