Confidential Computing: Hardware Based Memory Protection

This book highlights the three pillars of data security, viz protecting data at rest, in transit, and in use. This book highlights the three pillars of data security, viz protecting data at rest, in transit, and in use. Protecting data at rest means using methods such as encryption or tokenization so that even if data is copied from a server or database, a thief cannot access the information. Protecting data in transit means making sure unauthorized parties cannot see information as it moves between servers and applications. There are well-established ways to provide both kinds of protection. Protecting data while in use, though, is especially tough because applications need to have data in the clear—not encrypted or otherwise protected—in order to compute. But that means malware can dump the contents of memory to steal information. It does not really matter if the data was encrypted on a server’s hard drive if it is stolen while exposed in memory.​ As computing moves to span multiple environments—from on-premise to public cloud to edge—organizations need protection controls that help safeguard sensitive IP and workload data wherever the data resides. Many organizations have declined to migrate some of their most sensitive applications to the cloud because of concerns about potential data exposure. Confidential computing makes it possible for different organizations to combine data sets for analysis without accessing each other’s data.