One of the most consequential fields in digital technology saw its first major public event recently, with the inaugural Confidential Computing Summit held in San Francisco on June 29. I was not able to attend but I have been following closely the emergence of this vital industry and the Confidential Computing Consortium (CCC). Here I offer some observations and reflections on what should become foundational to the digital economy.
In a companion piece to follow, I will go into more detail on the history of hardware-based security industry initiatives, and reasons why Confidential Computing is critical way beyond confidentiality.
Acknowledgement and Declaration: I was helped in preparing this article by Manu Fontaine, founder of new CCC member Hushmesh, who attended the summit. I am a strategic adviser to Hushmesh.
The Confidential Computing mission
Confidential Computing is essentially about embedding encryption and physical security throughout computing for better data protection and integrity of information processing.
The Confidential Computing Consortium (CCC) is a relatively new association comprising hardware vendors, cloud providers and software developers aiming to “accelerate the adoption of Trusted Execution Environment (TEE) technologies and standards”.
Confidential Computing protects data in use by performing computation in a hardware-based, attested Trusted Execution Environment. These secure and isolated environments prevent unauthorized access or modification of applications and data while in use, thereby increasing the security assurances for organizations that manage sensitive and regulated data. Reference: CCC.
So Confidential Computing crucially goes beyond conventional encryption of data at rest and in transit, to protect data in use.
If you are at all aware of Confidential Computing, you might have the impression that it’s all about secure cloud and data clean rooms. These are important applications for sure but there’s so much more, as the CC Summit proved.
The #CCSummit
About 250 people attended the one-day #CCSummit at the San Francisco Marriott Marquis. I am told the atmosphere was intense! Sponsorships and attendance were both double the organisers’ expectations.
I was impressed by the breadth of the agenda and the speakers’ perspectives.
- As with any tech conference at the moment, there was lots of AI. And rightly so, as the provenance of machine learning is one of the hottest topics in tech today and the potential for CC to improve accountability for digital artefacts is obvious.
- Yet privacy was the bigger concern by design for the event, as it is a prime driver for Confidential Computing. It was good to see so many facets of privacy being fleshed out, not just confidentiality.
- Intel Chief Privacy Officer Xochitl Monteon provided a valuable privacy tutorial within her keynote “Confidential Computing as a Cornerstone for Cybersecurity Strategies and Compliance”, stressing how legislated data privacy now protects over 70% of the world’s population. Monteon argued for protecting data through its entire lifecycle in a CC ecosystem, because otherwise, businesses are being crushed by formal data flow impact assessments. Contrary to popular belief, privacy regimes do not ban data flows — they restrain them.
- Localisation of data processing to particular jurisdictions is a recurring issue in data protection. Location is another one of those signals which we increasingly rely on in data processing, and with its deep hardware connections, CC is going to be beneficial here. Nelly Porter, Google’s Head of Product for Computing and Encryption, was eloquent on the merits of digital sovereignty for emerging economies.
- Academic and entrepreneur Raluca Ada Popa from UC Berkeley advocated for “Privacy-preserving Generative AI” using CC to protect queries with end-to-end encryption, and further, to protect commercially sensitive machine learning models by running them in secure enclaves.
- Rolfe Schmidt from Signal Messenger described innovative use of attested TEEs to execute end-to-end encryption on behalf of end users, in cases where the ideal of keeping all sensitive data on the user’s device is not practical.
- And there was plenty of discussion of Confidential Computing’s safe place, data clean rooms.
Privacy and data control
To appreciate the full potential for Confidential Computing in privacy and data protection, let’s think beyond confidentiality. Privacy is more to do with controlling personal data flows than confidentiality.
The Confidential Computing summit has helped to set the scene for a richer approach to privacy enhancing technologies (PETs). As Associate Professor Raluca Ada Popa explained in her keynote, CC takes PETs well beyond Differential Privacy (which compromises data quality) and Homomorphic Encryption (which protects data in use for many applications but with major performance trade-offs).
At Constellation Research we have always taken a broad view of digital safety, beyond data privacy and cybersecurity. What draws me to Confidential Computing is the possibility of safeguarding entire data supply chains, protecting the properties that make data valuable: clear permissions, authorisations, originality, demonstrated regulatory compliance, peer review and so on. Confidential Computing can provide the story behind the data.