CIO OPINION
Unfortunately , there is one more state that data exists in , and the security effectiveness around data in transit and data in storage has driven some attackers to pursue it as a relatively new attack vector : data in use .
Many applications decrypt data for processing and do not encrypt it again until after analytical functions , calculations or other activities are complete . And while the information is in the system ’ s memory , it is exposed to possible attack .
Over the past year or so , attackers have become increasingly capable of compromising applications , firmware or hardware in ways that give them access to data in use . The threat that data might be extracted during processing is growing so rapidly that companies need to start considering how their cloud providers and business partners plan to address the risk .
Privacy-enhancing technologies ( PETs ) are designed to protect data in use . Examples of these technologies include multiparty computation , zeroknowledge proofs and homomorphic encryption . Multiparty computation allows for parties to jointly compute a function over their inputs while keeping those inputs private .
Zero-knowledge proofs allow an entity to convince a third-party of an assertion without revealing any further information beyond the fact that the assertion is true . Homomorphic encryption enables a system to process and analyze data in a secure , encrypted format without needing to expose the raw data in memory . The trouble with these and other PET methods is that they can be susceptible to underlying firmware and hardware vulnerabilities .
This is where a subset of PET solutions called ‘ confidential computing ’ comes into its own . Confidential computing creates a secure enclave within the system memory underlying a public cloud platform .
This enclave is a container that has extremely tight controls around exactly which code can access the data within the container . The secure enclave embeds encryption and decryption keys , as well as access controls , within the system memory and it blocks access attempts by any code that is not specifically authorized to be there .
So , even if there is a vulnerability in an application , operating system , hardware or firmware , no malware will be able to access or manipulate data within memory unless it has explicit permission to do so . For all unauthorized code , the trusted execution environment denies access and prevents any requested actions from being performed .
A confidential computing approach essentially keeps data secure the whole time it is undergoing analysis or computation .
www . intelligentcio . com INTELLIGENTCIO APAC 45