Project Amber Decoded
Code-named Project Amber, this upcoming service is an innovative approach to objective third-party attestation. It is a SaaS-based implementation of a trust authority that provides remote verification of the trustworthiness of a compute asset based on attestation and policy.
Initially, Project Amber will verify the trustworthiness of Intel trusted execution environments (TEEs), but the vision extends to much broader device verification, like IPUs, GPUs, platform roots of trust, and beyond. Project Amber is architected as a cloud-native microservice platform running on a managed Kubernetes service, with appropriate abstractions for different cloud infrastructure platforms, on-premises deployments, and edge locations.
- Independent: Verification of trustworthiness by an independent authority provides increased assurance to users and a solid security foundation for confidential computing, and enables new usages in AI, multi-party compute, and federated learning.
- Scalable Cloud-agnostic SaaS, multi-cloud workload support: Project Amber enables organizations to more securely scale and move workloads across a wider range of edge, on-premise, and cloud environments — all with better protection for in-use data and intellectual property.
- Turnkey: Project Amber liberates enterprises from the need to build and maintain a complex and expensive attestation system. This would enable them to focus on their core business.
Project Amber is Intel’s first step in creating a new multi-cloud, multi-TEE service for third-party attestation and will drive forward adoption of confidential computing for the broader industry.
The Amber 1.0 Pilot supports confidential compute workloads deployed as bare-metal containers, virtual machines (VMs), and containers running in virtual machines using Intel TEEs. Coming soon in 2023, support will be extended to non-Intel TEEs on the market.
How it Works
- The customer subscribes to the service and obtains Project Amber service API keys.
- The customer downloads the Project Amber Client Agent and integrates it into their workload.
- The customer requests TEE instantiation in the cloud (such as Azure) as normal.
- The workload executes in the cloud after the Project Amber service provides an attestation verification token for the TEE.