Powering Confidential Computing with Intel® SGX

Key take-aways:

  • With the constant demands placed on data security today, Confidential Computing is becoming an important part of leading organizations’ defense-in-depth cybersecurity strategy.

  • Confidential Computing, powered by Intel® Software Guard Extensions (Intel SGX), provides a trusted execution environment to help protect your data.

  • A wide variety of industries can benefit from Confidential Computing, especially those with strong regulatory and compliance requirements.

  • Intel SGX is continuously hardened over time, with deployments across all major CSPs including IBM, Alibaba, Baidu, and Microsoft.

Today, more than ever, protecting company data is mission critical. As more business and shopping move online, we’ve seen a significant upward tick in cybercrime. In just the first half of 2020 alone, 36 billion sensitive data records were exposed.[1] Criminals continue to target both individuals and organizations, trying to access credit card data, healthcare records, and other personal information. We believe one way to combat this trend is by implementing a ‘defense in depth’ strategy, rooted in the silicon. Confidential Computing, powered by Intel® Software Guard Extensions (Intel SGX), provides an added layer called a trusted execution environment to help protect your most valuable asset — your data.

As every IT admin knows, data is often sequestered in silos due to privacy and security concerns, and there isn’t an easy way for organizations to combine that data and pull business insights from it. Intel SGX provides encrypted enclaves that serve as a secure alternative to data silos, not only within individual organizations but also when working with external groups, and they are designed to keep data from being exposed to anyone not authorized to access it.

Intel has been helping industry leaders to implement Confidential Computing across a broad range of industries, including financial services, healthcare, and the public sector. We’re working with data such as banking information, health records, credit card data, passwords, and keys across an ever-growing number of devices and endpoints.

What Is Confidential Computing?

Until recently, data security has focused on protecting data at rest (in storage) and in transit (while moving between locations). Confidential Computing, powered by Intel SGX, goes a step further, helping to ensure data is also protected while it is being actively processed in memory. This is possible thanks to the creation of a hardware-based Trusted Execution Environment (TEE). Not only can all critical data be stored inside the TEE, but so can the applications and algorithms that access and process that data.

A Trusted Compute Base (TCB) consists of the set of hardware, software, and firmware that must be trusted in order to ensure the confidentiality and integrity of critical data. Intel SGX narrows that trust boundary to only include the contents of the enclave and the processor itself, creating the smallest attack surface within the system to better protect data. That’s especially important in today’s cloud-centric world. Even the cloud software stack and cloud admins are excluded from entry into the TEE. That means many workloads that previously were judged too sensitive to be uploaded to the cloud due to security or regulatory compliance concerns can now take advantage of the cost and accessibility benefits of cloud services.

Latest Examples of Confidential Computing

In addition to implementations in the cloud, Confidential Computing enables new use cases that were simply not possible or practical previously. For instance, in many sectors where strict data security is paramount, confidentiality considerations have prevented developers from building solutions on enterprise blockchain technologies, because the integrity protections those technologies require typically come at the cost of payload privacy. With Confidential Computing, they can now do so. Existing applications benefit as well: developers can create secure containers within the TEE and load existing apps into them without redevelopment, where those apps gain similar levels of security to applications written for enclaves. Customers no longer need to choose between security and workload efficiency.

Another important use of Confidential Computing involves federated learning: The ability for separate organizations to share data or processing while at the same time knowing that visibility into their data will remain theirs and theirs alone. Federated learning provides the opportunity for companies to collaborate — even if they are competitors. For instance, two pharmaceutical companies working on vaccine development could use Confidential Computing techniques to combine their two separate research datasets into one aggregate dataset within a secure enclave. Once the data is in the enclave, even the owners of the datasets can’t see the contents inside. But AI applications and algorithms can still access this new, combined dataset, use the data in it for AI training, run inference operations, and generate new conclusions that would have been impossible previously. This type of federated learning allows separate institutions to collaborate and benefit from models with improved outcomes — while at the same time remaining confident that their data is private.
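The trust boundary described above (only the enclave contents and the processor are trusted; the cloud software stack, its admins, and even the other data owners are outside it) can be made concrete with a software model of the data flow. The following is an added example, not code from Intel or from any SGX SDK: it models the pharmaceutical scenario with two parties who each seal their records to a key shared only with the enclave, an untrusted host that sees every byte that crosses its memory, and an enclave that releases nothing but the aggregate. The party names, the record format, and the HMAC-based toy cipher are constructed for the example; it assumes each party has already established its key with the enclave out of band (in real SGX that happens after remote attestation), and it models the hardware isolation with ordinary encryption, which is the one thing the real system does not have to do.

```python
"""Software model of the enclave data flow from the federated-learning example.

Constructed example: the parties, records and cipher are made up, and the
enclave's isolation is simulated with authenticated encryption rather than
provided by hardware.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys from one shared secret.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _xor_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256; stands in for the
    # AES-GCM a real enclave would use and is not meant for production.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any tampering or wrong key is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _derive(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _xor_keystream(enc_key, nonce, body)


def can_open(key: bytes, blob: bytes) -> bool:
    """True only if `key` is the key the blob was sealed with and it is intact."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


class UntrustedHost:
    """The cloud software stack and its admins: everything they forward, they can read."""

    def __init__(self) -> None:
        self.observed: list[tuple[str, bytes]] = []

    def forward(self, party: str, blob: bytes) -> tuple[str, bytes]:
        self.observed.append((party, blob))
        return party, blob


class Enclave:
    """The trusted side: holds the per-party keys and releases only the aggregate."""

    def __init__(self, party_keys: dict[str, bytes]) -> None:
        self._keys = dict(party_keys)  # never leaves the enclave

    def aggregate(self, sealed_inputs: list[tuple[str, bytes]]) -> dict[int, dict[str, float]]:
        # Combine both datasets inside the enclave; neither owner sees the other's rows.
        counts: dict[int, list[int]] = {}
        for party, blob in sealed_inputs:
            for record in json.loads(unseal(self._keys[party], blob)):
                n_total, n_resp = counts.setdefault(record["dose_mg"], [0, 0])
                counts[record["dose_mg"]] = [n_total + 1, n_resp + int(record["responded"])]
        return {dose: {"n": n, "response_rate": r / n} for dose, (n, r) in sorted(counts.items())}


# Constructed trial records for two (fictional) companies.
DATASETS = {
    "pharma_a": [{"dose_mg": 10, "responded": True}, {"dose_mg": 10, "responded": False},
                 {"dose_mg": 20, "responded": True}],
    "pharma_b": [{"dose_mg": 20, "responded": True}, {"dose_mg": 20, "responded": True},
                 {"dose_mg": 20, "responded": False}],
}


def run_demo() -> tuple[dict, UntrustedHost, dict[str, bytes]]:
    party_keys = {party: secrets.token_bytes(32) for party in DATASETS}  # assumed pre-established
    enclave = Enclave(party_keys)
    host = UntrustedHost()
    sealed = [host.forward(party, seal(party_keys[party], json.dumps(rows).encode()))
              for party, rows in DATASETS.items()]
    return enclave.aggregate(sealed), host, party_keys


if __name__ == "__main__":
    result, host, _ = run_demo()
    print("host saw", sum(len(b) for _, b in host.observed), "bytes of ciphertext only")
    print("aggregate released by enclave:", result)
```

The host's `observed` list is the model of what a cloud admin could dump from memory: it contains ciphertext and nothing else, and a single flipped byte is rejected by `unseal` before any record is parsed. Each party can open only its own blob, so the combined dataset exists in cleartext solely inside `Enclave.aggregate`, and the only value that crosses the boundary outward is the per-dose summary.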

A wide variety of industries can benefit from Confidential Computing, especially those with strong regulatory and compliance requirements.

Healthcare: Confidential Computing can enable medical institutions to work together to improve patient care. For instance, they can significantly improve treatment models, as in the case of radiologists who annotate brain MRI scans to detect and localize tumors. Scans provide the necessary data to train deep learning models to assist in this task. Federated learning now provides the ability to capture expertise from radiologists around the world in a single AI model, providing invaluable assistance to clinicians and faster diagnosis and treatment for patients.

Finance: Banks, brokerages, and other financial organizations can also benefit from Confidential Computing. For instance, these institutions can collaborate on anti-money laundering efforts by partnering to create a governance network where they share transactional data. They can upload data to a centralized node where AI algorithms provide risk-based assessments, allowing organizations to more accurately spot high-risk individuals — without sharing transaction history data.

Government: Public sector organizations, which often work under strict confidentiality requirements, can use Confidential Computing to solve problems that were extremely difficult (or impossible) before. Different governmental agencies working in related fields can better cooperate to serve the public good. For instance, the U.S. Centers for Disease Control and the U.S. Food and Drug Administration could combine confidential datasets dealing with vaccine development and generate results that neither agency could have arrived at alone — with reduced risk of exposure of sensitive data.

Summary

With the constant demands placed on data security today, Confidential Computing is sure to be an increasingly important part of leading organizations’ defense-in-depth cybersecurity strategy. Given the critical nature of the challenge, once organizations have experienced the security and benefits of Confidential Computing, they will find more and more uses for it. With hundreds of research studies under its belt, Intel SGX is continuously hardened over time, with deployments across all major CSPs including IBM, Alibaba, Baidu, and Microsoft. It’s easy to see that having the most robust confidential computing solution in the market, deployed by hundreds of the most security conscious enterprises, is a smart choice.

Product and Performance Information

[1] Source: "36 billion personal records exposed by hacks in 2020 so far", by Keumars Afifi-Sabet, 29 Oct 2020.

Performance varies by use, configuration, and other factors. Learn more at www.Intel.com/PerformanceIndex. Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available updates. See sources cited for configuration details. No product or component can be absolutely secure.