Sharing sensitive data for processing among ecosystem partners is a challenge. We continue to see enterprises grapple with security concerns associated with moving workloads to the cloud. That’s why Confidential Computing has garnered much interest. As conversations move from ‘whether’ to implement technology to ‘rather’ what are the capabilities, the user community is becoming more receptive to Confidential Computing and looking at leveraging the capability to protect data across the compute lifecycle. As use cases increase, the opportunities to innovate and leverage computing prowess have also evolved. It is not only about security but about data privacy and multiparty computing.
To get a perspective on the adoption and opportunities around Confidential Computing, Minu Sirsalewala, Editorial Consultant, CISO MAG, spoke with Dr. Nataraj Nagaratnam, IBM Fellow and CTO for Cloud Security, IBM. Dr. Nagaratnam deliberated the opportunities around Confidential Computing and the next disruptive technology.
As an IBM Fellow Dr. Nagaratnam is the CTO for Cloud Security with expanded responsibility to lead the security and compliance management, including extensions of these capabilities into hybrid cloud. He oversees the technical architecture for key components of IBM Cloud for Financial Services and the IBM Confidential Computing roadmap. Dr. Nagaratnam is a recognized security expert across the industry and has consistently demonstrated vision and thought leadership, coupled with an ability to execute and implement new technology and solutions for both IBM and clients. He has made sustained security contributions across IBM’s cloud, security and middleware offerings, including most recently the Confidential Computing-based services in IBM Cloud, which serve as the basis for IBM Cloud for Financial Services and IBM’s work in regulated industries. His work has established data security and data privacy credibility for IBM Could and extended his prior contributions to the IBMid, IBM Security, Tivoli and WebSphere businesses. What excites him every day is not only solving real client problems but also nurturing technical talent. He sees mentoring and helping others to build their leadership skills as a key part of his role. One such notable instance is the assignment he had at India Software Labs and the impact he has made in building the leadership pipeline.
Edited excerpts of the interview follow:
Confidential Computing is all about protecting data in use. Data is stored in the trusted execution environment (TEE) or enclaves and is run on server platforms that could be vulnerable to side-channel and timing attacks. How can Confidential Computing address this risk?
From a technology perspective, Confidential Computing as an enabling technology is about data in use. But the way that we have been doing this at IBM is to leverage the technology to address in a holistic approach, including data at rest, data in transit, data in use.
Confidential Computing is a platform that offers a set of services that customers can consume directly in a secured environment. As a person who has been in the security industry and seen the security landscape evolve, there’s nothing like ‘the person’ is fully secure. Hardware, as compared to software, was not a part of the security hygiene. The vulnerabilities or bugs in hardware had not been thought of the way the software sector was researched and reported. But now, with more hardware-based technology like cognitive computing, the perspective has changed and hardware security is also becoming mainstream. Suddenly the underlying vulnerabilities are also getting attention. This is good news for the industry as more Confidential Computing becomes mainstream and addresses use cases the security posture improves.
Industry leaders at it IBM or Intel or AMD and other large players are working in a unified effort to leverage their expertise and focus on security research to have industry standards in place. They are all working as a consortium to address the challenges and find solutions to the problem. A common challenge is that a particular issue on a given vendor platform may not exist on another platform and the risk does not get addressed. But as an industry, we are taking the findings and learnings from all platforms and are incorporating them to make a common standard. The partners are now putting in a collaborative effort and identifying the value and promise of Confidential Computing for data protection and data privacy and moving forward.
What use cases work best for a Confidential Computing environment?
All use cases are about data protection and privacy of data, both from a risk perspective, and regulatory compliance.
The first set of use cases that we are seeing is, as customers move to the cloud; given the shared responsibility model between them and a cloud provider, they want to have much more of technical control over how their data is accessed.
As cloud providers, customers are questioning them if they have access to their data, their key and more importantly asking for evidence to prove that their data cannot be accessed. The cloud provider is extending that assurance of privacy in a public cloud environment.
For example, let’s look at some of our customers like Daimler – automotive industry in Europe and Bank of America – financial services industry as two use cases. Both these customers deal with confidential and sensitive data and need the assurance, not just operational but technical assurance that we cannot access the keys or the data. So in these use cases, we provide capabilities in platforms about key management systems, what we call ‘keep your own key’, where we provide assurance that it is theirs. Thereby providing them the security of a private cloud, in a public cloud setting. This enables our customers to achieve the level of security and protection like key management and hardware security modules which they practiced on-premise—to be controlled in the public cloud. This has truly opened up the complete use cases. And not just that, within a Confidential Computing environment, where encryption at rest is protected and keep your own key is protected, the security is so stringent that even our operators cannot have access to the system. So in a way, what we are doing is leveraging the use case, it’s about mitigating the risk of privileged user access into the system.
Another use case is of fine-grained control PII (personally identifiable information) data when you want to encrypt-decrypt it. Sensitive personal information like Aadhar numbers or social security numbers in the U.S. needs to be encrypted at the application level. So what we are working on and leveraging is that computers not only keep your own key but also ensure the databases can be encrypted and stored before it leaves the application server. When we look at these highly sensitive data, there are patterns there, especially in the world of Hybrid Cloud and AI. This is a set of use cases coming up called secure multi-party computing.
To explain, take the retail industry, a retailer is seeing organized crime and experiencing a spate of robberies at the stores. They have data they’re analyzing and on talking to their peers and another retail chain, it is known that they’re also facing the same problem. They apply machine learning to identify these patterns so that they can better protect and investigate against these organized crimes. In order to do that, they need to share data that is very sensitive. The data needs to be shared in a way it’s all secure, protected and encrypted. Here they leverage computing concepts like IBM’s hyper-protect services on the IBM cloud. What it does is, take encrypted data from both retailers one and two, put it in an enclave, process the data-which the machine learning algorithm runs within a computing environment and share the findings. The data is computed without being accessed and this has opened up amazing opportunities for people to collaborate and share data. There is a spectrum of use cases emerging as we have consumption computing becoming mainstream.
A full version of this interview will appear in the October 2021 issue of CISO MAG. Subscribe now!