As more organisations across the Middle East move onto public and hybrid cloud services while struggling to comply with data privacy regulations, information security becomes even more important. A security technique called confidential computing can help.
Traditionally, businesses have relied on cloud providers not to access their sensitive data, which is known as operational assurance. However, confidential computing is designed to ensure that data is secured at the hardware level so that providers are simply incapable of accessing data. This is known as technical assurance.
Various providers currently offer confidential computing technology in the region including, but not limited to, IBM, Microsoft, Intel and Fortanix — all members of the Confidential Computing Consortium (CCC), a Linux Foundation community project. Their offerings add a new layer to data security, potentially removing the remaining barrier to cloud computing for highly regulated businesses in the Middle East.
What is confidential computing?
Confidential computing is a security architecture designed to protect data when it is being processed in memory, by using hardware-based techniques complemented by software SDKs that allow developers to protect select code and even entire applications.
“Up to now encryption has only been possible when data is at rest (in storage) or in transit (moving over a network connection),” explains Sabine Holl, vice president of technical sales and CTO, IBM Middle East and Africa. “This hardware-based technology eliminates the remaining security vulnerability by protecting data in use by executing code in a hardware-based trusted execution environment (TEE), also called a secure enclave.”
With the region dealing with a huge increase in cyberattacks since the pandemic, many of which were launched against data being processed in memory, confidential computing could help mitigate such attacks.
“Take the Triton attack on Petro Rabigh a few years ago, which took the Saudi Arabian petrochemical plant offline,” says Dave Thaler, chair of the CCC’s Technical Advisory Council and a Microsoft software architect. “Confidential computing techniques can be used to mitigate or prevent these styles of attacks because they prevent bad code from accessing high security operations data.”
Confidential computing for multiparty projects
Benefits don’t end there, however. Steve Riley, a senior research analyst at Gartner, adds that as well as enabling deployment of public cloud workloads that are immune to tampering by providers, confidential computing can also be useful for projects where multiple parties, who might not necessarily trust each other, need to process sensitive data in a way that lets all of them benefit from the common results.
Still a relatively new technology, confidential computing is starting to attract interest in the region, with some organisations beginning their research efforts and trialling its use.
According to David Greene, head of sales and marketing at Fortanix and head of the CCC’s Outreach Committee, Gulf governments are leading the way when it comes to confidential computing in the region.
Governments lead the way
“I’ve seen some of the strongest initial projects in the Middle East come from government-sponsored agencies. My company has three projects currently underway in the Gulf and they’re all with government entities, focusing on confidential computing for data security and protection,” he notes.
“As part of advancing the infrastructure and technical foundation of their economies, I think some of the government agencies have been pretty forward-looking in terms of thinking about how they apply privacy control, encryption and data protection technologies.”
More generally, however, confidential computing can benefit companies working in a variety of regulated industries, including defence, healthcare and financial services.
For example, IBM has been working closely with several MEA fintech and health technology start-ups including UAE-based fintech Encore Theme, to develop systems that will keep their sensitive data highly secure.
It may be early days, but developments so far indicate that confidential computing is here to stay. Greene, in fact, expects it to one day become just as common as encryption of data at rest and in transit.
“A few years back secure internet communication, HTTPS, was a big deal. Now it’s everywhere,” Greene notes. “The same with SSL; first we focused on credit card transactions then at some point said, why not secure everything? The view of the CCC is that confidential computing has the same potential. We have the infrastructure and the tools – in the end there’ll be no reason not to protect data in this way.”
How to implement confidential computing
If confidential computing has piqued your interest, a good place to start is the CCC website. The consortium is focused on accelerating the adoption of TEE technologies and standards and has published two informative white papers: one introducing the technology to C-suite executives and another providing a deep dive into the technology.
Then, if you want to take your first steps, Riley recommends that IT executives begin by meeting with cloud application developers and cloud security architects to learn more about the options available and to experiment with the technology.
“Design, or duplicate, a sample application using one of the available abstraction mechanisms and deploy it into an instance with a secure enclave. Perform processing on datasets that represents the kinds and amounts of sensitive information you expect in real production workloads to determine whether confidential computing affects application performance, and seek ways to minimise negative results.
“Be mindful of the potential performance impacts and extra costs,” he adds, however. “IaaS confidential computing instances cost more to run than the standard ones.