An industry-wide effort is underway to establish standards around confidential computing. F5 believes confidential computing is an important step forward in protecting privacy and preserving the confidentiality of data.
Confidential computing is a technology that protects data during processing.
While cryptography (encryption and decryption) has long been applied to protecting data in flight and at rest, little attention was paid to protecting data during processing because of the performance degradation and the implications for application development. Advances in hardware and system design now make it possible. Confidential computing solves the challenge of encrypting data in use by using a high-performing, hardware-based trusted execution environment that requires no changes to applications.
Confidential computing efforts began from a need for privacy and to protect sensitive data when operating workloads in cloud computing environments. Highly regulated industries, which are subject to heavy penalties for even accidental breaches, have long been reluctant to migrate to cloud due to a lack, perceived or real, of privacy and an inability to monitor or defend against insider threats in a public cloud environment.
As more organizations move data processing workloads to the edge, edge platforms will need to support confidential computing to protect that data as well. Like cloud computing, the multi-tenant nature of edge raises privacy concerns for customers that can be addressed by confidential compute.
Confidential computing affords organizations in all industries a measure of confidence in the privacy and security of their data. This is particularly important to technology companies, but as organizations progress toward becoming a digital enterprise and data becomes critical to their business it is expected that more of the market will adopt confidential computing to protect data—including all types of code artifacts—during processing.
The vulnerability of data in use has always been present, but the rise of Spectre and Meltdown brought the reality of the CPU as an attack surface to the fore. As Bruce Schneier described in his post:
A number of attacks—advanced persistent threats, RAM scraping, and compromised system environments—all pose a very real threat to data left unprotected during processing. While confidential computing does not prevent speculative execution attacks like Spectre, it does make them much harder to execute successfully.
This is due to the nature of confidential computing, which focuses on encrypting the processes handling data using an encryption key hardcoded into the processor, thereby making it far more difficult for other processes to ‘break in’ and gain visibility into the data. Encrypting the data would make it impossible to process, so this approach instead secures access to the data.
As a security company, F5 is not willing to hand off to others the responsibility of protecting F5 data, IP, and source code to the rigorous standards our customers expect. Our source code is the heart of our products and services, which deliver and protect billions of transactions every day. But like most organizations, we also want to take advantage of all the benefits that leveraging cloud provider infrastructure can bring.
To make that possible, the Common Engineering group in the F5 Office of the CTO, along with the F5 cybersecurity team, adopted a confidential computing architecture to protect F5 source code, data, and sensitive keys in cloud infrastructure from third-party access, including cloud service providers. That includes a secure cloud platform accessible only by F5 staff that ensures the confidentiality, integrity, and availability of F5 IP, data, and other assets in the entire software development lifecycle. We chose to partner with Microsoft Azure and leverage their confidential compute platform to deliver these critical services to all of F5 engineering.
Confidential computing gives us the confidence to take advantage of the cloud without compromising on our promise to customers to take security seriously.