What is confidential computing exactly? Fortanix CEO explains
When it comes to data encryption, confidential computing is one of the fast-growing solutions in the enterprise market.
In fact, Everest Group predicts that the confidential computing market could grow to $54 billion by 2026, with vendors ranging from Microsoft, Intel and AMD all using the technology to help organizations protect their critical data assets.
But what is confidential computing exactly?
Recently, VentureBeat completed a Q&A with Anand Kashyap, CEO and cofounder of Fortanix, a confidential computing organization founded in 2016, which is now valued at over $122 million. Kashyap explained what confidential computing is, how it works, and how it can help organizations protect their data from threat actors.
Below is an edited transcript of our conversation.
VentureBeat: In simple terms, what is confidential computing, and how does it protect sensitive data?
Anand Kashyap: Confidential computing protects data “in use” by performing computation in a hardware-based trust execution environment (TEE) following attestation, which prevents unauthorized access and protects applications and data during processing.
With this technology, which Fortanix pioneered, it is possible to keep data secure even when hackers get physical access to servers, and/or have root passwords.
Confidential computing is a way to decouple security from your infrastructure. Even if your infrastructure is compromised, your data remains secure. This is such a sophisticated level of security that it opens up many new use cases and helps derive much more value from your data.
It is the underpinning of several important data security use cases and is becoming increasingly strategic in the data security industry, with cloud providers, ISVs and chip vendors supporting it, and regulatory agencies now taking a keen interest.
VB: Could you elaborate a little on how Fortanix used confidential computing to help Goldman Sachs secure cross-border data transfers?
Kashyap: In order to realize the value in their institutional data, Goldman Sachs needed to provide access to this data while meeting the strict regulatory obligations associated with their Swiss operations.
Using the isolation and integrity guarantees provided by confidential computing, Goldman Sachs were able to implement business logic over their data encryption keys that enabled access for approved applications outside of Switzerland, while maintaining the necessary governance and compliance requirements. All of this is achieved with a full audibility of key usage.
The ability to geo-fence data using arbitrary business logic and attention of physical hardware is an important benefit of Fortanix’s implementation of confidential computing, which we have also demonstrated for TGen, who sought to train AI models over genomic data that was subject to EU GDPR regulation.
Confidential computing in the cloud
VB: Any comments on the adoption of confidential computing more broadly?
Kashyap: The growing trend in cloud migration is leading to the adoption of confidential computing to provide isolation of applications and data from the cloud service provider.
This prevents access to workloads from cloud administrators with root privileges, and prevents data loss through subpoena by foreign or domestic governments. We have worked with a law firm that had previously suffered a data breach as a result of this action when using cloud infrastructure without the protection afforded by confidential computing.
We are also seeing customers adopting confidential computing to address the requirements of zero-trust architecture (ZTA), as defined by NIST, and to mitigate the risks posed by vulnerable perimeter security.
One of the interesting applications of confidential computing that Fortanix supports is the protection of blockchain validator nodes and warm wallets, to prevent node slashing in proof-of-stake blockchains and prevent unauthorized access to digital assets.
Based on our work in decentralized finance (DeFi), we think that confidential computing will be a fundamental component of central bank digital currency (CBDC) systems in the near future.
VB: What are the key challenges in securing data as it lives and breathes in a hybrid/multicloud environment?
Kashyap: Managing encryption for five or six different hybrid, public-cloud and on-premises environments increases complexity, cost and security risk.
As workloads move to the cloud, keeping cryptographic keys and shared secrets secure as well as making them available to applications and services regardless of where they run, is critical to successful digital transformation.
One of the main challenges of securing data across environments is that each individual environment has its own protocols and processes, meaning you need people with the knowledge to manage it all both efficiently and securely.
Generally speaking, this added complexity reduces transparency across the organization and increases the chances that data may leak or slip through the cracks.
For example, many cloud service providers allow customers to bring their own keys (BYOK), but how can organizations manage them across cloud services? Our platform is an example of one that enables customers to bring their own key management system (BYOKMS) where encryption keys can be stored in their own datacenter with a single point of control for management and audibility.
Both risk and complexity are significantly reduced when organizations control their own keys. For example, they can move applications bound by compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) to the public cloud.
Further, many companies want to move to the public cloud but are held back by regulators who insist that they manage their own keys and secure them by storing them in FIPS 140-2 Level 3 certified hardware security modules (HSMs).
Organizations in sectors including financial services, healthcare and other highly regulated industries have an easier time meeting compliance requirements with a modern, flexible, key management solution.
The key players
VB: Who do you see as the key players in confidential computing, and what differentiates them from your perspective?
Kashyap: Obviously, the hardware manufacturers are vital to the development, standardization and future interoperability of confidential computing technology. Intel, Arm, AMD and Nvidia are all members of the Confidential Computing Consortium (CCC), in which Fortanix has held leadership roles since it was founded in 2019.
The other key players are the hyperscale cloud service providers, who are providing the global infrastructure necessary to increase the adoption of the technology. Again, Microsoft and Google were inaugural members of the CCC with Fortanix.
While AWS has not joined the CCC, so far, it is actively developing its confidential computing offer, and Fortanix has customer deployments using the AWS Nitro Enclaves technology.
Fortanix is differentiated in the confidential computing space as [our technology is] both hardware-agnostic and cloud-agnostic. Fortanix is also unique in its ability to protect data at rest.
Confidential computing vs. encryption
VB: What differentiates confidential computing from other approaches to encryption?
Kashyap: Confidential computing is often compared to other privacy-enhancing technologies (PETs), such as homomorphic encryption (HE) and secure multi-party computation (SMPC). These alternative methods to protecting data in use rely on cryptographic protocols that encipher the computational payload.
While there is a role for this type of data in use protection, in practice the cryptographic solutions for data security are heavily constrained in the scope of their potential application and their computational performance. Typically, the number of collaborating parties is very limited and the volume, and type, of data that can be processed are also restrictive.
Fortanix has always achieved competitive success against vendors of cryptographic data in use protection. This success is based on the flexibility of confidential computing and developments in the available infrastructure to deploy it.
Essentially, confidential computing is differentiated by the ability to run any arbitrary software within a TEE, which is not the case with cryptographic methods.
Consequently, complex application workflows, such as AI training and inference, can be supported using the massive volumes of data required. Using attestation between different compute resources, it is also possible to scale confidential computing to meet the requirements of large enterprises and to deliver extensible multi-party architectures for data analytics.
“Whereas cryptographic methods are generally limited to a handful of collaborating parties, due to the complexity introduced by the underlying cryptography and the effects on system latency, confidential computing can enable collaborative frameworks for any number of participants. This is vital in areas such as federated machine learning and secure data exchanges, where limits on capacity and performance undermine the use case.
New implementations, new use cases
VB: What’s next for Fortanix in 2023?
Kashyap: We continue to develop our confidential computing technology and we are focused on the commercialization of the technology, following successful production implementation by our initial customers.
We will continue to expand upon our multi-platform, multicloud ethos, which will enable customers to deploy services wherever they need to secure their data. For us, confidential computing forms the underpinning for a lot of our thrust in data security, enabling a number of mainstream use cases.
Fortanix will be delivering some innovative new technologies at the forthcoming HIMSS 2023 and RSAC 2023 industry events in April, and we are collaborating with customers and partners in the development of new confidential computing implementations that leverage the expertise we have built up since the company was founded in 2016.
We expect to maintain our leadership in the application of confidential computing and we will continue to communicate the broad range of technical applications and use cases that we support during the year ahead.
VB: Are there any other comments you’d like to add?
Kashyap: We were pleased to see that Satya Nadella, CEO of Microsoft, mentioned one of our leading customer use cases in BeeKeeperAI in his keynote delivery at Microsoft Build and Microsoft Ignite in 2022. We are continuing to work closely with our strategic partners to build market awareness of the benefits of confidential computing.
One area where we provide industry-leading capability is in the protection of AI/ML workloads. We launched the Fortanix Confidential AI service in November 2021 and we are expanding this service to provide integrated model defense with Bosche AIShield and additional algorithm and model support with strategic AI partners.
We consider that the integration of data and application security within AI pipelines is crucial to the ethical development of AI systems and the protection of intellectual property reflected in the resultant AI models.
While Fortanix does not develop AI models, we have pioneered the application of confidential computing in this area, with published use cases in healthcare and financial crime prevention.
We are now working in the area of generative AI, where interaction with centralized AI services requires privacy and confidentiality protection, and we expect to publish new applications of confidential computing that will support the growing interest in this field of AI research.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.