Powering Next Generation Privacy Controls with Platform Attestation

Powering Next Generation Privacy Controls with Platform Attestation

Tech Blog

With the frequency of serious and costly data breaches increasing, how can a company be sure that its data remains confidential – especially if that data is extremely sensitive? Among the highly regulated industries that have the most concerns and continue to face costly data breaches are the healthcare, financial, manufacturing and education sectors. Since the average cost of a data breach in these industries ranges from roughly $4M to $7M, it is not surprising that these same sectors are keenly interested in data privacy and new approaches such as confidential computing to avoid data breaches in cloud and on-premises data centers.

Establishing a Trusted Environment

Confidential computing is an emerging industry initiative aimed at preserving privacy and confidentiality and ensuring compliance with government regulations. Established in October 2019, the Confidential Computing Consortium (CCC) consists of hardware vendors, cloud providers and software developers who are experts at addressing data security in its three states: in transit, at rest and in use. Data moving in the network (in transit), data in various forms of storage (at rest) and data being processed (in use) all need the highest level of protection with hardware-based trust; this is especially true for data in use.

To underscore the need for protecting data privacy and confidentiality, market research firm Gartner predicts that by 2025, 50% of large organizations will adopt privacy-enhancing computation for processing data in untrusted environments and multiparty data analytics use cases.

Regulatory Compliance Driving New Approaches to Data Privacy

Regional governments around the world continue to enact new data privacy regulations that create various constraints and liabilities for organizations. For example, Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)  may make data custodians directly responsible when the data of users, customers, or clients is leaked due to a breach. With the potential cost of a data breach under the GDPR reaching as high as 4% of gross annual revenue, data custodians are strongly incentivized to protect potential surface areas against attack, including data-in-use.

In the United States, the Executive Order on Improving the Nation’s Cybersecurity dated May 12, 2021 calls for substantial improvements in the federal government’s cloud-based, on-premises, or hybrid computing systems, highlighting the need for increased data security at the national level.

As part of its Risk Management Framework (RMF), the draft NIST SP 800-53A Rev. 5 “Assessing Security and Privacy Controls in Information Systems and Organizations” published August 2021 provides a control assessment methodology to help identify security and privacy strengths and weaknesses within systems.

As such, an enterprise or cloud service provider with data centers in different parts of the world running different workloads can encounter different issues, requirements or obstacles in their efforts to comply with the variety of regional regulations.

Intel® Software Guard Extension (SGX) Technology       

Improved firmware security and security at the platform level are required to address the sharp increase in cybersecurity threats and government regulations. To help protect data while it is actively used in memory, Intel® Software Guard Extensions (Intel® SGX) provides application isolation technology. In addition, Intel® Security Libraries for Data Centers (Intel® SecL – DC) was built to aid customers in adopting and deploying Intel security features, such as the Secure Key Caching Use Case. 3rd Gen Intel® Xeon® Scalable Processors from Intel® feature these key security technologies to help provide assurance that the data center and all server hardware residing there is secure.

Enabling Confidential Computing

AMI TruE® platform attestation enables confidential computing that isolates sensitive data in an encrypted CPU enclave during processing. It leverages these same Intel® SGX and Intel® SecL-DC technologies found in 3rd Gen Intel® Xeon® Scalable Processors from Intel® to provide a true trusted environment for confidential computing and secure cloud execution through assured integrity of all platform firmware.

AMI TruE uses RESTful APIs to integrate into other data center management environments. Supply chain attacks can be easily avoided by attesting the shipped firmware and software hash information with the attestation server upon installation into an existing trusted environment. After deployment, server trust validation continues to attest the integrity of the firmware and software running throughout the data center.

The AMI TruE platform attestation solution is a great addition for cloud service providers looking to augment their cloud-native security and for organizations running sensitive workloads on-premises.

Use Case Examples

Organizations running sensitive workloads, particularly in highly regulated industries, know that they must stay on top of constantly evolving threat vectors to protect critical business data and preserve confidentiality. Here are some examples of how they can employ confidential computing to stay in step with regulations and drive new efficiencies:

Multi-party Collaboration in Healthcare

Although healthcare companies need to collaborate for enhanced diagnostics, they are generally reluctant to share patient data with each other on machine-learning projects aimed at discovering new medical treatments. Using confidential computing, they can collaborate with their own data sets to train a machine-learning model without exposing sensitive information.

 Edge and IoT Security for 5G Communications

Much of today’s sensitive data is processed at the edge and needs to be protected there. Edge computing is a distributed computing paradigm that brings computation and data storage closer to data sources such as IoT devices and local edge servers to improve response times and save bandwidth. When this framework is used with the cloud, confidential computing can help protect against data breaches during data processing at edge nodes.

Data security and privacy enforcement will be stringent as we see wider adoption of 5G. Data collection and processing will explode at 5G edge data centers, where they will process highly sensitive PII data compared to traditional data centers. Because the potential for damage due to a security breach in 5G is enormous, data security and privacy is a fundamental requirement for the continued adoption and success of 5G.

 It’s a Matter of Trust     

Most cloud services providers and organizations do not have their own specially developed trust mechanisms and custom solutions for attestation. Yet they still need to establish a trusted environment that leverages a standards-based approach to run and protect their sensitive workloads. Confidential computing enabled by AMI TruE platform attestation is a reliable solution to establish trust – so privacy is preserved, confidentiality is ensured and the various regulatory requirements are met.

To learn more:

Visit ami.com/true and schedule a consultation today at ami.com/contact

Intel, the Intel logo and Xeon are trademarks of Intel Corporation or its subsidiaries.

About AMI

AMI is Firmware Reimagined for modern computing. As a global leader in Dynamic Firmware for security, orchestration, and manageability solutions, AMI enables the world’s compute platforms from on-premises to the cloud to the edge. AMI’s industry-leading foundational technology and unwavering customer support have generated lasting partnerships and spurred innovation for some of the most prominent brands in the high-tech industry. 

You May Also Like…