With hardware-based confidential computing, workloads are shielded from the environment they run in and data stays encrypted even while it is being processed, and both properties can be verified remotely.
Felix Schuster, CEO of privacy startup Edgeless Systems, said the “huge and previously unsolved” problem he faces is: How do you process data on a potentially compromised computer?
“Private computing allows you to use the public cloud as if it were your private cloud,” he said.
To bring these capabilities to the popular Kubernetes platform, Edgeless Systems today released Constellation, its first Confidential Kubernetes platform. It lets anyone run Kubernetes clusters that are end-to-end encrypted, shielded from the underlying cloud infrastructure, and remotely verifiable.
As Schuster put it, confidential computing will soon be a ubiquitous, mainstream requirement. In fact, in some European countries in the eHealth space, confidential computing is already a regulatory requirement.
“People will want it and expect it for most workloads, just like they expect antivirus and firewalls,” he said. “CISOs will soon have to explain to their CEOs why they don’t use confidential computers.”
Fast-growing confidential computing market
Confidential computing is what some – including Edgeless Systems – are calling a revolutionary new technology that could change the cybersecurity game. And, it is growing rapidly in adoption.
According to the Everest Group, a “best case scenario” is that confidential computing will achieve a market value of approximately $54 billion by 2026, representing a compound annual growth rate (CAGR) of a whopping 90% to 95%.
All segments, hardware, software and services, will grow, the firm predicts. The expansion is fueled by enterprise cloud and security initiatives and by increasing legislation, particularly in privacy-sensitive industries such as banking, finance and healthcare.
To promote more widespread use, the Linux Foundation established the Confidential Computing Consortium (CCC). This project community is dedicated to defining and accelerating the adoption of technologies and open standards for the Trusted Execution Environment (TEE), the hardware mechanism that underpins confidential computing.
The CCC brings together hardware vendors, developers and cloud hosts and includes commitments and contributions from member organizations and open source projects, according to its website.
Chip makers AMD and Intel, cloud providers Google Cloud, Microsoft Azure and Amazon Web Services, and software vendors Red Hat and IBM have already developed confidential computing offerings. A growing number of cybersecurity companies, including Fortinet, Anjuna Security, Gradient Flow and HUB Security, also provide solutions.
The power of “whole cluster” attestation
Constellation is a Cloud Native Computing Foundation (CNCF)-certified Kubernetes distribution that runs the Kubernetes control plane and all worker nodes inside confidential VMs. This provides runtime encryption for the entire cluster, Schuster explained.
This is combined with “cluster-wide” attestation, which protects the entire cluster from the underlying infrastructure “as one big opaque block,” he said.
With cluster-wide attestation, whenever a new node joins, Constellation automatically verifies its integrity using the hardware-rooted remote attestation capability of confidential VMs. This ensures that each node is running inside a confidential VM and is running the correct software (i.e., the official Constellation node images), Schuster said.
For the Kubernetes administrator, Constellation provides a single remote attestation statement that covers all of this. Remote attestation statements are issued by the CPU and resemble a TLS certificate; the Constellation CLI verifies them automatically.
Essentially, every node is verified. “The Kubernetes manager verifies the verification service and therefore temporarily knows that the entire cluster is trusted,” Schuster said.
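The join-time checks described above, written out as an added example that is not Constellation's own code. The script models what a cluster join service must verify before admitting a node: that the attestation report is fresh (a challenge nonce issued by the verifier, to stop replays), that it is authentic (signed by the hardware), that the node is actually a confidential VM, and that the measured node image matches the expected official image. Everything here is constructed: the report format, the image measurement, and the use of an HMAC with a key shared between "hardware" and verifier as a stand-in for the CPU's asymmetric attestation key, which in real deployments is verified through the vendor's certificate chain rather than a shared secret.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the CPU's attestation signing key. Real hardware uses an
# asymmetric key chained to the vendor root; an HMAC key shared with the verifier
# is used here only so the example runs offline with the standard library.
_HARDWARE_KEY = secrets.token_bytes(32)

# Constructed measurement of the "official" node image the verifier expects.
EXPECTED_IMAGE_MEASUREMENT = hashlib.sha256(b"constellation-node-image-v1").hexdigest()

_SIGNED_FIELDS = ("vm_type", "image_measurement", "nonce")


def _canonical(report):
    """Deterministic serialization of the fields covered by the signature."""
    return "|".join(f"{k}={report[k]}" for k in _SIGNED_FIELDS).encode()


def hardware_issue_report(vm_type, image_measurement, nonce):
    """Simulates the CPU producing a signed attestation report for a booting VM."""
    report = {"vm_type": vm_type, "image_measurement": image_measurement, "nonce": nonce}
    report["signature"] = hmac.new(_HARDWARE_KEY, _canonical(report), hashlib.sha256).hexdigest()
    return report


class JoinVerifier:
    """Models the cluster join service: every node is checked before it is admitted."""

    def __init__(self, expected_measurement):
        self.expected_measurement = expected_measurement
        self.issued_nonces = set()
        self.admitted_nodes = []

    def challenge(self):
        """Hand the joining node a fresh nonce it must embed in its report."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, node_name, report):
        """Return (admitted, reason). A nonce is consumed by the first attempt using it."""
        # 1. Freshness: reject reports that carry a nonce we never issued or already used.
        if report["nonce"] not in self.issued_nonces:
            return False, "unknown or replayed nonce"
        self.issued_nonces.discard(report["nonce"])
        # 2. Authenticity: the signed fields must verify under the hardware key.
        expected_sig = hmac.new(_HARDWARE_KEY, _canonical(report), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, report["signature"]):
            return False, "bad signature"
        # 3. Environment: the node must run inside a confidential VM.
        if report["vm_type"] != "confidential":
            return False, "not a confidential VM"
        # 4. Software: the measured image must be the expected official node image.
        if report["image_measurement"] != self.expected_measurement:
            return False, "unexpected image measurement"
        self.admitted_nodes.append(node_name)
        return True, "ok"


def run_demo():
    """Exercise the verifier with one good node and four constructed bad cases."""
    jv = JoinVerifier(EXPECTED_IMAGE_MEASUREMENT)
    results = {}

    good = hardware_issue_report("confidential", EXPECTED_IMAGE_MEASUREMENT, jv.challenge())
    results["good_node"] = jv.verify("node-1", good)
    # Replaying the same report must fail even though its signature is still valid.
    results["replayed"] = jv.verify("node-1-replay", good)

    wrong_image = hashlib.sha256(b"modified-node-image").hexdigest()
    results["wrong_image"] = jv.verify(
        "node-2", hardware_issue_report("confidential", wrong_image, jv.challenge()))

    results["plain_vm"] = jv.verify(
        "node-3", hardware_issue_report("plain", EXPECTED_IMAGE_MEASUREMENT, jv.challenge()))

    # A plain VM that rewrites its report to claim confidentiality breaks the signature.
    forged = hardware_issue_report("plain", EXPECTED_IMAGE_MEASUREMENT, jv.challenge())
    forged["vm_type"] = "confidential"
    results["forged_claim"] = jv.verify("node-4", forged)

    return results, list(jv.admitted_nodes)


if __name__ == "__main__":
    for case, outcome in run_demo()[0].items():
        print(f"{case}: {outcome}")
```

The order of checks matters: the nonce is consumed before anything else so that a failed attempt cannot be retried with the same challenge, and the signature is checked before any claim in the report is trusted, which is why the forged "confidential" claim is rejected as a bad signature rather than as a policy violation. In the real system the administrator performs the same kind of check once, against the join service's own attestation, and thereby trusts every node the service admitted.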
Edgeless Systems says Constellation is the first software to make confidential computing accessible to non-experts. Releasing it as open source was essential because attestation is the key feature of confidential computing: with closed-source software, a user has no way to know what the measured code does, so establishing trust in an attestation statement is difficult, Schuster said.
“The hardware and capabilities required for Constellation for the most part weren’t even available in the cloud 12 months ago,” he said. “But we’ve started the necessary work to ensure Kubernetes users can secure all their data — at rest, in transit and now in use.”
More secure computing workloads
Constellation requires no changes to workloads or existing tools and ensures that all data is encrypted at rest, in transit and in use, Schuster explained. These properties can be verified remotely through hardware-rooted attestation.
Not even privileged cloud administrators, data center employees or advanced persistent threats (APTs) that have compromised the infrastructure can access data inside Constellation. This protects against infrastructure-level threats such as malicious data center staff or attackers who have broken into the cloud provider. It does not protect a workload from itself: a vulnerability in an application running inside the cluster remains exploitable through that application's normal interfaces, so the usual application security work still applies. Within that scope, it enables Kubernetes users to move sensitive workloads to the cloud, thereby reducing costs, and to build more secure SaaS offerings.
Constellation works with Microsoft Azure and Google Cloud Platform. Support for Amazon Web Services (AWS), as well as for OpenStack and other open source cloud infrastructure, is planned, Schuster said. Constellation is now available on GitHub.
“By making Constellation available to everyone,” Schuster said, “we can help accelerate the adoption of more secure cloud computing workloads.”
VentureBeat’s mission is set to be a digital town square for technical decision makers to learn about and transact business-transformative technology. Discover our Updates.