Confidential Computing Beats Homomorphic Encryption for Data Security

For the enterprise, data is like the air we breathe. At the same time, data seems to be indefensible, with data breaches and intellectual property loss a near certainty.

New technologies arrive regularly to offer hope that, ultimately, data in use can, in fact, be protected. Homomorphic encryption has emerged as one interesting option. Confidential computing also is a potential game-changer for data, and it has been widely adopted by public cloud companies, server manufacturers and chip makers.

Today, data can be secured in storage and transit, but it is left wide open during execution. Gain access to a cloud host, for example, and you gain access to data in memory, which must remain unencrypted for the processor to work on it. In fact, this exposed “data in use” prevents organizations with sensitive or regulated data from using public cloud infrastructure.

Data must be fully and consistently secured, without gaps that attackers or rogue insiders can target. The idea of establishing a secure perimeter for data that stays with the data and applies to its three states—storage, transmission and execution—has long been sought.

One Enterprise Vision, Two Technologies

The promise of self-securing data was perhaps best expressed by a CISO at a SaaS company: “When security flows along with data everywhere, its actual location no longer matters. Even data in completely untrustworthy and risky locations is fully secure. That offers amazing freedom for us to distribute even sensitive data across any cloud and any geography for any reason. For CISOs and the business, that’s incredibly liberating.”

Self-securing data requires eliminating the gap that exists during execution or processing and ensuring uniform, gapless encryption across all data states. Two technologies addressing this challenge are homomorphic encryption and confidential computing.

With homomorphic encryption, in theory, data remains encrypted during execution. Unfortunately, the technology has a long way to go to become scalable and practical for enterprise use. The three types of homomorphic encryption create confusion for enterprises, and each deployment is dictated by the kind of computation required by the CPU. Homomorphic encryption only supports specific arithmetic operations and cannot accommodate general-purpose computing. That means that running an off-the-shelf database holding your customer data is likely out of the question. The millions of vulnerable legacy enterprise applications that would most benefit can’t be protected, either. Despite all the investment and interest, homomorphic encryption is more theoretical at this stage; making it readily usable by businesses remains a challenge.

Another homomorphic encryption issue is speed. The limited computations that fully homomorphic encryption (FHE) could do originally took a trillion times more processing than the same calculation would take unencrypted. While performance has improved significantly over time, it is still far from being ready for practical application.

And that’s where venture capital money in support of homomorphic encryption seems to be flowing. Several recently funded companies are focused on either finding narrow use cases where FHE works or on improving performance, either mathematically or through specialized high-powered hardware. Still others are focused on cracking the math on FHE to make it more general purpose, if that is possible. Some believe it isn’t.

On the other hand, after years of development, confidential computing is now broadly available. Standard CPUs from Intel and AMD already feature confidential computing capabilities. From AWS to Azure to Google Cloud, public cloud providers all feature confidential computing on their existing hosts around the globe.

Confidential Computing Decrypts Data

Instead of trying to enable computing on encrypted data like FHE, confidential computing decrypts data and operates on it within the protected confines of trusted hardware. It then encrypts results before they are sent to be stored in memory. The effect is that data is never exposed and is always self-secured through encryption. Operating environments and software gain a root of trust that assures the integrity and identity of the hardware and the software running on it.

Confidential computing simply bypasses most of the limitations that hamstring FHE. Calculations, for example, happen quickly, with some minor overhead required for the hardware encryption and decryption. Confidential computing also supports general-purpose computing: Any application that can run in an open environment can theoretically complete in a confidential computing “enclave.”

There are some challenges to confidential computing. Because confidential computing confines itself to securing “data in use” and only on a single host, in practical terms it cannot run distributed applications or those that require networked communications or storage. Those apps would also need to be re-architected to run within a confidential computing environment called a secure enclave.

Finally, similarly to FHE, confidential computing lacks standards. As of this writing, there are at least five different and incompatible confidential computing technologies, some from the same company! More are on the way. Choosing between them isn’t impossible, but is impractical for most enterprises—it requires a commitment to certain CPUs, public clouds, or both.

Countless feasibility studies have proven confidential computing technology secure and viable. With the addition of available software that can make these features fully transparent to developers and operational teams, confidential computing is completely ready for use. Applications and IT infrastructure can use confidential computing without any need for modifications.

Software Solution: Confidential Cloud Computing

The path to resolving the common enterprise challenges presented by confidential computing and FHE was recently outlined by a Futuriom Trends 2022 forum led by Scott Raynovich. Scott described a software construct he called a confidential cloud, a type of “lift and shift” technology that makes the use of confidential computing transparent and without requirements for code or IT process modifications. In an approach similar to the one VMware took with virtualization, this software abstracts away the proprietary technology, versioning, hardware, and public cloud. This insulates and future-proofs enterprise IT organizations with confidential computing that supports multiple proprietary technologies and distributed computation, enabling any workload to complete invisibly, in total isolation, and with complete privacy over any public cloud.

As an enterprise with data under increasing threat and withering defenses, where should your smart money and your data go? Confidential cloud computing is the most viable path to data security and amazing data freedom.

Ayal Yogev

Ayal Yogev is the CEO and co-founder of Anjuna, with 20 years of experience building enterprise security products. Ayal has held multiple senior product management positions including VP of product management at SafeBreach, a Sequoia-backed enterprise security startup; managing the OpenDNS Umbrella product management team that was acquired by Cisco, and managing a product line at Imperva for the three years leading to its IPO. Ayal holds an MBA with honors from UC Berkeley, and Electrical Engineering and Computer Science degrees from Tel Aviv University.
