Confidential computing is an approach focused on helping to secure data in use. It enables encrypted data to be processed in memory while lowering the risk of exposing it to the rest of the system, thereby reducing the potential for sensitive data to be exposed while providing a higher degree of control and transparency for users.
At the core of confidential computing is an isolated, hardware-based Trusted Execution Environment (TEE) where trusted software can access confidential data. Data is only released to the TEE for decryption and processing when authorized by the owner's key. The TEE can be verified through a process called attestation, which helps assure users that their TEE is genuine and correctly configured.
A trusted execution environment (TEE) is a secure area of a main processor. It protects code and data loaded inside it with respect to confidentiality and integrity:
- Data integrity: prevents unauthorized entities from altering data when any entity outside the TEE processes data.
- Code integrity: the code in the TEE cannot be replaced or modified by unauthorized entities.
Attestation of a Trusted Execution Environment (TEE) is the dynamic measurement of the health of the isolated execution technology. It is based on building a trust chain from the manufacturer to the last power cycle of the device.
Intel Trust Authority is a suite of trust and security services. It provides our customers assurance that their apps and data are protected on the platform of their choice, including multiple cloud, edge and on-premises environments.
In its first release, Intel Trust Authority takes Confidential Computing to the next level with a Zero Trust attestation SaaS that verifies the trustworthiness of compute assets at the network, edge, and in the cloud. Intel Trust Authority attests to the validity of Intel Confidential Computing environments, also known as Trusted Execution Environments (TEEs).
Get started with these steps:
- Contact Intel via www.intel.com/trustauthority or via the Azure Marketplace to subscribe to the service and obtain API keys.
- Download and integrate Intel Trust Authority agent into your workload.
- Request an Intel Confidential Computing (TEE) instance in the cloud.
- The attestation service verifies the TEE against customer-defined policies.
- The workload executes in the cloud after Intel Trust Authority service provides an attestation verification token for the TEE.
Intel Trust Authority offers an operator-independent attestation service that helps give end users confidence that the TEE provided by the CSP is trustworthy. End users can encrypt their application and withhold the decryption key, decrypting the application only after the attestation token is received. End users can maintain their own KMS on-premises or depend on CSP-provided key vaults such as Azure Key Vault to manage these encryption and decryption keys. The KMS is therefore an integral part of the customer solution, and Intel Trust Authority is designed to interoperate with it.
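The key-release gate described above (and the policy check in the getting-started steps) can be illustrated with a small KMS-side verifier. This is an added example, not Intel's or Azure Key Vault's code: the token is a simplified compact JWT signed with a constructed shared HMAC secret so it runs offline, and the claim names (`tee`, `measurement`, `exp`) and the release-policy shape are assumptions, not Intel Trust Authority's real token schema.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: a shared HMAC secret stands in for the attestation service's
# signing key so the block runs offline; a real relying party verifies the token's
# signature against the service's published public keys instead.
ATTESTATION_SIGNING_KEY = b"constructed-demo-signing-key"

# Customer-defined release policy. Claim names are hypothetical, not Intel's schema.
RELEASE_POLICY = {"tee": "TDX", "measurement": "constructed-measurement-0001"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes = ATTESTATION_SIGNING_KEY) -> str:
    """Mint a compact header.payload.signature token as the attestation service would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, key: bytes = ATTESTATION_SIGNING_KEY, now=None):
    """Return the claims if the signature checks and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
        return None
    claims = json.loads(b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:  # reject a missing or past expiry
        return None
    return claims

def release_key(token: str, workload_key: bytes, policy=RELEASE_POLICY, now=None):
    """KMS-side gate: hand out the workload's decryption key only when the token
    verifies and every field of the customer policy matches the attested claims."""
    claims = verify_token(token, now=now)
    if claims is None:
        return None
    if any(claims.get(k) != v for k, v in policy.items()):
        return None
    return workload_key
```

The `now` parameter exists only to make expiry checks reproducible; in production the verifier uses the current time and the service's public signing keys.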
Intel followed its Security Development Lifecycle (SDL) when developing Intel Trust Authority. Before we deliver products to our customers, we apply rigorous testing and offensive research, scouring code for potential security vulnerabilities. But we don’t stop with our own assessment. We work with the best in the business—whether that’s a top university, a major technology vendor, or even a group of elite hackers to put our products to the test.
Intel Trust Authority has achieved ISO 27001:2022 certification. The Confidential Computing attestation service is committed to delivering best practices in security controls, information technology and cybersecurity to our clients and their customers. For more information: https://www.intel.com/content/www/us/en/quality/corporate-certifications/directory.html.