The boom in digital transformation and mass adoption of cloud computing has transformed the business landscape over the past ten years.
Companies have shifted from the expensive, high maintenance burden of managing their own IT infrastructure on site, toward private and public cloud services, drawn in by the promise of flexibility and scalability.
With IT services moving to the cloud, companies can run more efficiently – enjoying reduced management costs, user access from multiple locations, and improved third party data sharing, allowing for more growth and innovation. Financial service companies can, for example, leverage cloud networks to streamline mobile payments or partner with aviation companies to launch airline reward cards.
This immense digital transition has been accompanied by a proliferation of data that continues to grow exponentially and it’s predicted that by 2025, half of the world’s data will be in the cloud.
However, as spending on public cloud services grows – it is expected to hit $591.8 billion this year – so does its allure for threat actors. According to the British government’s 2022 Cyber Breach survey, 39% of UK businesses identified a cyber attack last year, costing medium and large enterprises an average of £19,400 each. Therefore, businesses must have a robust understanding of the outlying vulnerabilities that leave an organisation open to cyber threat.
Cloud service providers and SaaS companies are highly effective at protecting data. Providers will encrypt data using cryptographic protocols like SSL, TLS, or HTTPS, as it travels between client and server ensuring it is secure in transit. While in storage or at rest, data can also be protected with robust encryption standards, such as AES-256, and in addition, with tight access controls such as multi-factor authentication and identity management to ensure only authorised users have access.
That said, the recent attack and resulting cloud service disruption from Western Digital shows that threat actors are not slowing down, and attack methodology is getting more complex.
Even businesses with effective, proven security systems in place continue to fall victim to complex attacks. Enterprises are aware of the risks for data in transit and in storage, but often overlook a key vulnerability on which threat actors are increasingly capitalising: data in use.
For the most part, applications require data to be decrypted for processing, returning it to its encrypted state after completion. Unfortunately, while that information is processed in the system memory, sensitive data is exposed.
With a growing concern amongst security leaders, privacy enhancing technologies (PET) have been developed to plug the gap. Examples include secure multi-party computation, which allows parties to compute a function harmoniously without disclosing each others’ specific input, keeping sensitive information disguised; homomorphic encryption, which creates a space for computations to be performed whilst the data exists in ciphertext, without decryption, reducing the risk of data leaks; and zero-knowledge proofs, which convince a third-party an assertion is true without revealing any further information.
However, these models are not sure-fire solutions to the data in use issue. They are still susceptible to attacks that target underlying firmware and hardware vulnerabilities, compromising the security of the computation and leaving sensitive data exposed.
Fortunately, there is a subset of PET that is able to secure data despite hardware and software sensitivities: confidential computing. Confidential computing creates a secure enclave in system memory underlying a public cloud platform, with extremely tight access controls and embedded encryption and decryption keys that will block access requests from any unauthorised code.
This means that even if there is a vulnerability in an application, operating system, hardware, or firmware, the trusted execution environment denies access and prevents any requested actions from being performed unless the source has explicit permissions.
Confidential computing prevents a scenario where an attacker exploits a vulnerability in an application to gain access to the underlying operating system and access data by nefarious means – either by memory dump, data scrape, or any number of attacks enabled by the operating system’s control of the memory – because the data is kept secure throughout its use. Confidential computing serves as a gateway between data in memory and code, ensuring that even if an attacker could perform a memory dump, the data would still be encrypted and inaccessible.
With cloud computing becoming globally ubiquitous, and vast improvements being made to combat software vulnerabilities, attacks targeting hardware and firmware will only continue to grow in popularity as an attack vector. Confidential computing protects the soft underbelly that hardware provides for attackers and is a tool that offers an increased sense of security for organisations when used alongside a robust, data-led cloud security strategy.
Heavily regulated sectors like healthcare and financial services will likely be the first to adopt confidential computing, but as its effectiveness is proven, I expect to see confidential computing become a security norm across all businesses.
About the Author
David Fairman is APAC CIO & CSO at Netskope. Netskope is a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.
Featured image: ©merklicht.de
