Reflection of illuminated office building in glass office facade

Confidential computing for total privacy assurance

9 min read

Data protection and privacy challenges in the cloud

Two businesswomen in discussion across office desk

As we enter a new normal period of accelerated digital transformation post-COVID, the vast number of organizations are now relying heavily on public and hybrid cloud services. And companies in highly regulated industries, now more than ever, find themselves needing cloud services that offer a greater level of protection and privacy.

As a result, data privacy and protection outside of the traditional perimeter and in the cloud have become a chief information security officer’s (CISO’s) imperative. The global average cost of a data breach in 2020 was USD 3.86 million and 52% of those breaches were caused by malicious attacks.¹ With these increases in data breaches, an enterprise’s data protection and privacy in the cloud is at stake as it needs one single point of control that provides a holistic view of threats and mitigates complexity.

The data protection needs of organizations are driven by the concerns about protecting sensitive information, intellectual property, and meeting compliance and regulatory requirements. In today’s digital global economy, data is one of the most valuable assets so data must be protected end to end – when it’s at rest, in motion and in use.

Data is often encrypted at rest in storage and in transit across the network, but applications and the sensitive data they process — data in use — are vulnerable to unauthorized access and tampering while they are running. Even when encrypted at rest, depending on where it’s encrypted, either the data or the encryption keys could be vulnerable to unauthorized access. According to Gartner, by 2025, 50% of large organizations will adopt privacy-enhancing computation for processing data in untrusted environments to protect data in use.²

The dilemma for organizations is how do they independently retain ownership and control of their data while still driving innovation? Protecting sensitive data is vital to an enterprise’s cloud data security, privacy and digital trust.

As enterprises contemplate moving sensitive data and workloads to the public cloud, they’re looking for ways to address the following concerns:

Is my data and my customers’ data safe in the cloud?
How do I meet regulatory and privacy requirements?
How can I ensure that my cloud provider has no access to my data?
How do I protect personal identifiable information (PII)?
How do I preserve privacy of user and business data?
How do I preserve privacy of data while performing analytics and AI modeling or sharing data with other third parties?

When hosting their data with cloud providers, companies want to have complete authority over their valuable data and associated workloads, including no access to sensitive data for even their cloud providers.

So how can you protect your sensitive data in the public cloud?

Encryption is a key technical measure to safeguard data in the cloud. The loss of data often leads to loss of customer trust with serious financial consequences. Regulatory compliance often mandates encryption of data at rest and in transit or strongly encourages it as a technical measure to protect data. And regulatory compliance requirements can be complex and the penalties significant. Extensive use of encryption, data loss prevention, threat intelligence sharing, and integrating security into the development, security and operations process (DevSecOps) were all associated with lower-than-average data breach costs.

Among these safeguards, encryption had the greatest impact. Deploying extensive encryption can be a substantial cost-mitigating factor in the event of a data breach — as the average total reduction in the cost of a breach due to extensive encryption was USD 237 thousand in 2020.¹

Yet, data protection through encryption is only as strong as your ability to protect the keys used to encrypt the data. With constant threats of external cyberattacks and insider threats, now, more than ever, there’s a need for workload isolation, data encryption, trusted execution environments, and other security practices and tools to protect your most sensitive workloads.

How can you mitigate these concerns and risks?

The current approaches to securing data is through data at rest and data in transit encryption. However, the challenging problem resides in gaining technical assurance that only you have access to your data or keys and protecting sensitive data in use to provide protection at all stages of data usage. Due to the growing understanding of the need for data in use protection, the adoption of confidential computing is increasing.

The term confidential computing refers to cloud computing technology that protects data while in use. The technology helps reduce security concerns as companies adopt more cloud services. The primary goal of confidential computing is to provide greater privacy assurance to companies that their data in the cloud is protected and confidential and instill confidence in moving more of their sensitive data and computing workloads to any location, including public cloud services.

Diagram showing existing protections on data at rest and data in transit and an increasing focus on data in use which is what confidential computing is about

Protect data across the compute lifecycle. To achieve the highest level of commercial privacy assurance, IBM goes beyond confidential computing to help protect your sensitive data across the entirety of the compute lifecycle — providing you with complete authority over your data at rest, in transit and in use.

What should you know about protecting your data across the lifecycle? Explore the following chapters to learn more about confidential computing and how it can help with data privacy and protection in your hybrid cloud environments.

¹ Cost of a Security Breach Report, Ponemon Institute, 2020

² Top Strategic Technology Trends for 2021, Gartner, January 2021

Back to table of contents

7 min read

How confidential computing addresses total privacy assurance

Why adopt a confidential computing approach?

To protect sensitive data, even while in use and to have full authority over your data and keys.

Confidential computing protects sensitive data when used together with data encryption at rest and in transit, along with exclusive control of keys. It thereby eliminates the single largest barrier to moving sensitive or highly regulated data sets and application workloads from an inflexible, expensive on-premises IT infrastructure to a more flexible and modern public cloud platform.

To protect intellectual property.

Confidential computing isn’t just for data protection. Data owners and data scientists can use this approach to protect proprietary business logic, analytics functions, machine learning (ML) algorithms or entire applications.

To collaborate securely with partners on new cloud solutions.

For example, one company can combine its sensitive data with another company’s proprietary calculations to create new solutions — without either company sharing any data or intellectual property it doesn’t want to share.

To eliminate concerns when choosing cloud providers.

Confidential computing lets a company choose the cloud computing services that best meet its technical and business requirements without worrying about storing and processing customer data, proprietary technology, and other sensitive assets. This flexibility helps alleviate any additional competitive concerns if the cloud provider also provides services to competing businesses.

To protect data processed at the edge.

Edge computing is a distributed computing framework that brings enterprise applications closer to data sources, such as Internet of Things (IoT) devices or local edge servers. When it’s used as part of distributed cloud patterns, the data and application at edge nodes can be protected with confidential computing.

What is confidential computing?

Confidential computing is a cloud computing technology that isolates sensitive data and code in a protected CPU enclave during processing. The contents of the enclave — the data being processed, and the techniques used to process it — are accessible only to authorized programming code, and invisible and unknowable to anything or anyone else, including the cloud provider.

It protects data during processing and, when combined with storage and network encryption with exclusive control of encryption keys, provides end-to-end data security in the cloud.

For years cloud providers have offered encryption services for protecting data at rest in storage and databases, and data in transit, moving over a network connection. Confidential computing eliminates the remaining data security vulnerability by protecting data in use — that is, during processing in a runtime.

How confidential computing works

IBM’s approach is to help provide total privacy assurance with confidential computing. Protecting sensitive data requires a holistic approach — spanning compute, containers, databases and encryption.

Diagram highlighting keeping your own keys when data is in use

Before data can be processed by an application, it’s unencrypted in memory. This step leaves the data vulnerable just before, during and just after processing to memory dumps, root-user compromises and other malicious exploits.

Confidential computing solves this problem by using a hardware-based trusted execution environment (TEE), which is a secure enclave within a CPU. The TEE is secured using embedded encryption keys, and embedded attestation mechanisms that help ensure the keys are accessible to authorized application code only. If malware or other unauthorized code attempts to access the keys, or if the authorized code is hacked or altered in any way, the TEE denies access to the keys and cancels the computation.

In this way, sensitive data can remain protected in memory while it’s decrypted within the TEE to processing. While decrypted and throughout the entire computation process, the data is invisible to the operating system, other compute stack resources, and to the cloud provider and its employees.

Technical assurance delivers the highest level of privacy and protection

Operational assurance means your cloud provider will not access your data based on trust, visibility and control. Technical assurance makes certain your cloud provider cannot access your data based on technical proof, data encryption and runtime isolation — and can protect your CI/CD pipeline from bad actors.

Operational assurance
Cloud provider will not access your data

Diagram explaining operational assurance is how a cloud operator will not access data based on visibility and control when the customer ‘s data is in use

Technical assurance
Cloud provider cannot access your data

Diagram explaining technical assurance is how a cloud operator cannot access data when the customer ‘s data is in use

So, who do you have to protect against? You want to have the highest technical assurance that cloud administrators, vendors, software providers and site reliability engineers (SREs) can’t access your data while in use.

Explore the next chapter to learn more about the services to protect your sensitive data.

Back to table of contents

11 min read

A holistic approach to total privacy assurance

How to protect data with full authority — at rest, in transit and in use

Protecting sensitive data requires a holistic approach — spanning compute, containers, databases and encryption. The key is controlling access to the data as tightly as possible and provide a way to securely process unencrypted data. It’s important to have technical assurance that only you have access and control over your data and to ensure your cloud service operators can't access the data or keys. The protection of these data states is complementary and doesn’t supersede or replace the other existing protections.

Diagram highlighting the value of confidential servers, containers and databases

Hyper protect your sensitive data and workloads in the cloud. IBM’s capabilities include industry-leading security services for cloud data, digital assets and workloads. They’re built on IBM® LinuxONE security-rich enclaves, which offer built-in protection for data at rest and in flight, plus protection of data in use. The services are designed to make it easy for application developers to build applications that deal with highly sensitive data while helping companies meet regulatory compliance requirements.

Explore how IBM Cloud® Data Shield and IBM Cloud Hyper Protect Services can help protect your sensitive data across the compute lifecycle.

IBM Cloud Data Shield helps protect your containers. The technology supports user-level code to allocate private regions of memory, called enclaves, that are protected from processes running at higher privilege levels.

IBM Cloud Data Shield is designed to help simplify the process of creating enclaves, managing security policies and enable applications to take advantage of confidential computing. Most importantly, it allows the developer to achieve this level of security with no code change.

Supports user-level code to allocate private regions of memory, called enclaves, that are protected from processes running at higher privilege levels.

Enables users to protect containerized applications in a secured enclave on a Kubernetes service and Red Hat® OpenShift® clusters.

Helps developers to seamlessly protect containerized cloud-native applications, without needing any code change.

Delivers a platform built on Intel SGX and Fortanix Runtime Encryption. It extends Intel SGX language support from C and C++ to Python and Java, and provides SGX applications for MySQL, NGINX and Vault.

Steps to install IBM Cloud Data Shield

Provision your IBM Cloud Kubernetes Service or Red Hat OpenShift cluster.

Install IBM Cloud Data Shield on your cluster.

Bring your container-based apps.

Convert to protected container — DevOps.

Deploy on IBM Cloud Data Shield.

IBM Cloud Hyper Protect Services. These services enable enterprises to have complete authority over their sensitive data, workloads and encryption keys. Not even IBM Cloud administrators have access.

How sensitive is your data?

Confidential and regulated	Highly confidential	Restricted and proprietary
Employees pay stubs	Government identification numbers	Strategic business plans
Customer information	Social security numbers	Intellectual property and patents
Personal contact information	Driver’s license	Trade secrets
Customer preferences	Financial transactions	Undisclosed annual reports
Credit cards	Digital asset	Crown jewel data
Nonpublic contracts	Information that could pose an identity threat
Nondisclosure agreements (NDAs)	Healthcare (PII) data
Offering roadmaps
Communications

The family of IBM Cloud Hyper Protect Services enables end-to-end protection for companies’ business processes in the cloud, and is built on secured enclave technology that uses the industry’s first and only FIPS 140-2 Level 4 certified cloud hardware security module (HSM).

IBM mainframe-level data security in the public cloud delivers IBM’s single-tenant key management service, keep your own key (KYOK) and the industry’s highest-level security.

Industry’s BYOK	Cloud key management capabilities	IBM’s KYOK
	Customer key lifecycle management
	As a service, integrated with cloud services
	Clients can bring their keys from on-premises HSM
	Operational assurance: Provider will not access keys
	Technical assurance: IBM cannot access keys
	Single-tenant, dedicated-key management system
	Client has exclusive control of the HSM master key
	Highest-security level: FIPS 140-2 Level 4 HSM
	Client manages master key with smart card
	Client can perform key exchange ceremony

Access the highest level of privacy assurance with our portfolio of IBM Cloud Hyper Protect Services.

IBM Cloud Hyper Protect Crypto Services

Keep your own key for data encryption

Cloud data encryption that’s protected in a dedicated cloud hardware security module.

KYOK, single-tenant key management service with key-vaulting provided by dedicated, customer-controlled HSMs and that supports industry standards, such as PKCS #11.

IBM Cloud Hyper Protect Crypto Services is also the only service in the cloud industry that is built on FIPS 140-2 Level 4-certified hardware.

IBM Cloud Hyper Protect DBaaS

Complete data confidentially for your sensitive data

Fully managed and highly secured databases, it provides a high level of data confidentiality for your sensitive data.

Offers enterprise cloud database environments with high availability for workloads with sensitive data.

Built on IBM LinuxONE technology, it provides built-in data encryption along with excellent vertical scalability and performance. It helps protect against threats of data breaches and data manipulation by privileged users and provides a high level of data confidentiality for data owners.

Provision, manage, maintain and monitor databases, MongoDB and PostgreSQL, through standardized APIs.

IBM Cloud Hyper Protect Virtual Servers

Control workloads with sensitive data or business IP

Complete authority over your IBM LinuxOne Virtual Servers for workloads with sensitive data or business IP.

Keeps out unauthorized users, designed to address your top security concerns, and provides a confidential computing environment even IBM Cloud administrators can’t access.

Use your own public Secure Socket Shell (SSH) key to maintain exclusive access. Support for the industry’s bring your own key (BYOK).

Use case: Securing digital assets

A digital asset exchange wants to separate its signing module and private keys from its crypto exchange module. The signing module and private keys are used in the process of signing Digital Ledger Technology (DLT) transactions.

The challenge

The organization aims to prevent bad actors from getting access to both the signing module and the private keys. If a malicious actor gains access to the private keys, then the intruder could get access to all the assets on the exchange’s digital ledger — the coins.

The solution

Deploy the signing module and private keys into IBM Hyper Protect Virtual Servers images running on IBM LinuxONE.

The outcome

Once separated, the exchange can now securely host and run its critical application container, which hosts the signing module, as well as a database hosting the users’ private keys.
The signing module and private keys are now protected and can only be accessed to execute a DLT transaction by the right credentialed users.

Back to table of contents

4 min read

Case study for IBM Cloud Hyper Protect Services

Young boy using a digital tablet at night in bed

Solitaire Interglobal Ltd. makes storytelling accessible with Wenebojo and IBM Cloud Hyper Protect Services.

Wenebojo, a new offering from Solitaire Interglobal Ltd. (SIL), gives people with vision or hearing loss, post-traumatic stress disorder (PTSD), autism or other challenges an opportunity to enjoy stories told in a uniquely engaging and accessible format. Wenebojo is a streaming service that offers stories delivered as book casts, so they’re stories that can be watched.

As the team at SIL began to develop the offering, they identified Wenebojo’s underlying infrastructure would need to be extremely reliable because any disruption of service would undermine the platform’s entire purpose. The solution would also need to protect data and privacy, because book casts are made with original content and delivered to private citizens all over the world. The platform would have to be highly scalable, able to absorb a growing number of users without interruption.

IBM Cloud Hyper Protect Services solution, built on the IBM Z® and IBM LinuxONE architecture, helped make the Wenebojo offering possible by providing a security-rich infrastructure designed for high availability and scalability. In the first five months after the project went live, the platform logged approximately one million attempted attacks. None of them were successful.

The infrastructure solution features the IBM LinuxONE platform and three IBM Cloud Hyper Protect Services offerings: the IBM Cloud Hyper Protect DBaaS solution for data confidentiality, IBM Cloud Hyper Protect Virtual Servers technology for access control, and IBM Cloud Hyper Protect Crypto Services software for key management. This combination of products provides SIL with an ideal environment for Wenebojo: the IBM Z architecture and the IBM LinuxONE platform, optimized for IBM Cloud, are designed for security, reliability and scalability, while the IBM Cloud Hyper Protect Services solution offers a convenient “as-a-service” model.

“We’ve been conducting a global security watch for over 22 years now, and we get reports from millions of businesses worldwide on the impact of security breaches. We know how much it costs, what gets lost, how long it takes to recover, et cetera. Being able to keep client data private and the intellectual capital of the writers protected is a very big thing for us.”

— Kat Lind, CEO, Solitaire Interglobal Ltd.

Read the case study

Back to table of contents

3 min read

Case study for IBM Cloud Data Shield

Aerial view of electrical utility lines in grassy field

Irene Energy embraces confidential computing to safely deliver electricity.

The tech startup had a breakthrough idea for bringing affordable electricity to remote parts of Africa. Blockchain technologies, built on confidential computing, were key to that vision, providing robust data security in the cloud.

The team found a solution in IBM Cloud. Unlike many cloud architectures, IBM Cloud bare metal servers can use an Intel technology called Intel Software Guard Extensions (SGX). SGX enable confidential computing by creating an encrypted “enclave” within the server’s memory that allows applications to process data without other users of the system being able to read it.

But building applications that can take advantage of SGX is complex and time-consuming. To get the platform to market quickly, Irene Energy’s developers needed to find a shortcut. IBM Cloud Data Shield helped with the complexity of building SGX-enabled apps.

IBM Cloud Data Shield enabled Irene Energy to containerize its applications and run them on SGX-enabled bare metal worker nodes within IBM Cloud Kubernetes Service. Instead of requiring Irene Energy to design its applications specifically for SGX, IBM Cloud Data Shield automatically converts the code to be compatible with the SGX features. It also provides a catalog of preoptimized components that are designed for developers to easily plug into their applications. For example, Irene Energy was able to integrate its application with an NGINX web server and a MariaDB database from the catalog within just a few hours.

“IBM Cloud Data Shield has probably accelerated the development of our platform by six months. We can get to market much sooner because we don’t have to build SGX-compatible components from scratch.”

— Guillaume Marchand, Founder, Irene Energy

Read the case study

Back to table of contents

2 min read

Why IBM for confidential computing?

High angle view of a group of call center agents working in an office

IBM’s portfolio of cloud service offerings can help your enterprise:

Protect sensitive data at rest, in transit and in use. With IBM’s security-first approach and framework you can attain your data protection and privacy requirements and mitigate risks by meeting any regulatory requirements. Protecting sensitive data requires a holistic approach—spanning compute, containers, databases and encryption.
Deliver the highest level of commercial technical assurance. IBM Cloud Hyper Protect Cloud Services enables end-to-end protection for business processes in the cloud and is built on secured enclave technology. It delivers the highest level of key management protection through FIPS 140-2 Level 4 HSM.
Gain complete authority over your data. Single-tenant key management services, with integrated HSMs, provide complete control of cloud data encryption keys for data encryption at rest and private keys related to data in transit. The portfolio enables the span of confidential databases, confidential servers and confidential containers, which enable you to have complete authority over your data with technical assurance.

Take the next step to explore how our cloud services can help you enable confidential computing in your hybrid cloud environments.