Confidential Computing overview

Editor's Notes

• #3: Use cases from IBM CIO Office perspective: Risk analysis and business case approach (expected cost of a breach as costs are shifting meaning more breaches and more expensive breaches, vs. expected cost of security) IT use cases where there is particular relevance Increasing scope of encryption when workloads are migrated to private cloud Hybrid workloads where sensitive data moves across cloud and on-prem Support increased security for region-specific data-sensitive workloads in the cloud AI and ML use cases; and data in a Z environment
• #5: The next frontier of data protection: When we talk about end to end data protection, we are talking about the three pillars of data security. Data at rest: Files stored on servers, records in databases, etc. Protecting data at rest means using methods such as encryption, anti virus, and firewalls so a malicious actor can’t access information inactive data being stored on a device or network.  Data in transit: Information as it moves between servers and applications such as emails and instant messaging. For protecting data in transit, enterprises often choose to encrypt sensitive data prior to moving the data via encryption protocols like SSL (Secure Sockets Layer) and TLS (Transport Layer Security) transactions in and out of a server. There are technologies that exist today on the LinuxONE III machine that protect these two states of data and code such as Pervasive Encryption for general LinuxONE workloads, hardware-accelerated technologies and Hyper Protect services. Additional (CPACF coprocessor - to perform the encryption and decryption, Crypto Express Card – to store and present the master key used to encrypt and decrypt the data) However, what is lacking today is protecting the third pillar of data security: Data in use. Data in use: Data in use is data that is being processed by a running application or being accessed by a user. Ex. various applications such as Banking Software, Java Applications, Databases that are all running and may have open sensitive files.  Confidential computing: So, how do we protect data while it is in use? Tech companies are adopting a new security model that they’re calling confidential computing that uses hardware-based techniques (emphasize) to protect data in use. The key is controlling access to the data as tightly as possible and to provide a way to securely process unencrypted data. Keep in mind, the protection of these data states are complementary and do not supersede or replace the other existing protections. So to recap - today, data is often protected at rest and in transit, but not while in use by applications. And, in order to implement technical assurance, end to end protection must be achieved. As a result, organizations with applications that handle sensitive data such as financial transactions, or health information are often unable to take advantage of the benefits of cloud and multi-party computing.
• #8: The IBM Secure Service Container architecture exploits the Crypto Express6S HSMs so that institutions can run Docker containerized applications and micro-services in an industry unique, FIPS 197 compliant, trusted, cryptographically isolated execution environment with up to 16TB of real memory available.
• #9: The next frontier of data protection: When we talk about end to end data protection, we are talking about the three pillars of data security. Data at rest: Files stored on servers, records in databases, etc. Protecting data at rest means using methods such as encryption, anti virus, and firewalls so a malicious actor can’t access information inactive data being stored on a device or network.  Data in transit: Information as it moves between servers and applications such as emails and instant messaging. For protecting data in transit, enterprises often choose to encrypt sensitive data prior to moving the data via encryption protocols like SSL (Secure Sockets Layer) and TLS (Transport Layer Security) transactions in and out of a server. There are technologies that exist today on the LinuxONE III machine that protect these two states of data and code such as Pervasive Encryption for general LinuxONE workloads, hardware-accelerated technologies and Hyper Protect services. Additional (CPACF coprocessor - to perform the encryption and decryption, Crypto Express Card – to store and present the master key used to encrypt and decrypt the data) However, what is lacking today is protecting the third pillar of data security: Data in use. Data in use: Data in use is data that is being processed by a running application or being accessed by a user. Ex. various applications such as Banking Software, Java Applications, Databases that are all running and may have open sensitive files.  Confidential computing: So, how do we protect data while it is in use? Tech companies are adopting a new security model that they’re calling confidential computing that uses hardware-based techniques (emphasize) to protect data in use. The key is controlling access to the data as tightly as possible and to provide a way to securely process unencrypted data. Keep in mind, the protection of these data states are complementary and do not supersede or replace the other existing protections. So to recap - today, data is often protected at rest and in transit, but not while in use by applications. And, in order to implement technical assurance, end to end protection must be achieved. As a result, organizations with applications that handle sensitive data such as financial transactions, or health information are often unable to take advantage of the benefits of cloud and multi-party computing.
• #10: GCP plans to support: Ubuntu v18.04, Ubuntu 20.04, Container Optimized OS (COS v81), and RHEL 8.2,