#4 – The Next Generation of Cyber Security: Confidential Computing

Tom Garrison: Hello, and welcome to the Cyber Security Inside podcast. In this podcast, we aim to dig into important aspects of Cyber Security, which can often be highly complex and intimidating and break them down to make them more understandable. We aim to avoid jargon and instead use plain language for thought provoking discussions. Every two weeks, a new podcast will air. We invite you to reach out to us with your questions and ideas for future podcast topics.

I’d like to introduce my cohost, Camille Morhardt Technical Assistant, and Chief of Staff at Intel’s Product Assurance and Security Division. She’s a Co-Director of Intel’s Compute Lifecycle Assurance, an industry initiative to increase supply chain transparency. Camille’s conducted hundreds of interviews with leaders in technology and engineering, including many in the C suite of the Fortune 500.

Hi, Camille, how are you doing today?

Camille Morhardt: Doing well. It’s autumn., beautiful time of year in Portland.

Tom Garrison: It is. It’s gorgeous outside. So I’m wondering, what would you like to discuss today?

Camille Morhardt: Well, Tom, I remember when people used to be afraid to put their data on the public cloud and it seemed like we had to make some sort of a trade off, right. Either I’m going to keep my data on my personal device, or if I’m an enterprise on-prem maintain complete control over it and know that I’m secure. Or I’m going to go with the convenience and the economy of scale, putting it on the public cloud and I’m going to worry about how safe it is.

And today increasingly I would, I would even say with COVID, I’m hearing more and more consumers and enterprises actually comfortable moving their data to the public cloud.

So I’m wondering first, what are the reasons today that people are interested in moving their data to the public cloud setting security side for a moment. And second from a security perspective, did something change that’s making people more comfortable now or what should I be aware of if I’m considering moving data to the public cloud?

Tom Garrison: This is a deep topic for a fall day. So let’s just think about this on a consumer use case and then we’ll talk about corporate in a second. On the consumer use case, it’s kind of interesting, cause I remember even myself years ago where we were talking about things like, you know, family pictures, wedding pictures, pick kids’ pictures, and would I, or any of my colleagues ever consider putting a hundred percent of those pictures in the cloud exclusively. And without exception, everyone said no. And I think back then it was a sense of control.

You know, my sense now is that people are more comfortable with the idea that these cloud providers really know what they’re doing and the chances that they would lose your photos or whatever is much, much lower than you would screw up your device or your device would die at home and you would lose your pictures.

Camille Morhardt: Right. You essentially have IT in the cloud, whereas at your house, you’re your own IT.

Tom Garrison: Exactly, but then now you get to commercial. And with commercial, there’s more complexities, right? You get the cost angle because if you’re going to pay somebody else to do this, there’s always going to be a cost to it. And can the other people manage your data in a lower cost fashion than you can do it yourself? And then there is this sticky issue of trust. Do I trust the data will be safe, especially for enterprises where the data is sort of the crown jewels of the company?

Camille Morhardt: But let’s say that I want to be able to do that in a way that I can maintain either my privacy or my IP. You know, we had talked previously about not wanting to share and usage patterns of our compute devices, right. But if there were a way that my personal data could be protected and I could perhaps set the parameters for, to use or its disposal, um, and then there were a way for a company let’s say a machine learning algorithm or something to come sit on my device, or maybe in the cloud where my data is also stored and run and do some learnings on that data while still maintaining protection of my privacy. I might actually be interested in that.

Tom Garrison: Yeah, I think most people would. That’s sort of the Holy Grail when it comes to confidential computing in the cloud, where you can protect data from any unintended intended use. And so making sure it’s secure and that hackers can’t get to it or other applications can’t misuse that data in some way. That’s the value proposition behind confidential computing.

Camille Morhardt: And then there’s this one other conundrum I’m thinking about it a little bit, which is, I know that a lot of enterprises are moving towards some services in the public cloud, like email say for their employees; part of the reason is they don’t have to worry about the limited infrastructure that may be multiple concurrent VPNs is allowing it. Now it’s just bandwidth directly from the employee to the public cloud.

On the converse, don’t we still have to worry about as we’re moving more and more to internet of things, just exactly that same concern: getting data from a thing to the public cloud is now posing a bandwidth constraint or a latency problem that wouldn’t have been there otherwise, if I were processing onsite.

Tom Garrison: Sure, you’re absolutely right. That is the sort of perennial challenge when it comes to huge data. Yeah. I think that’s the episode for today. So I think we’ve got it. You good with that?

Camille: I’m great.

Tom Garrison: All right, let’s go for it.

Our guest today is Jack Gold. Jack is Founder and Principal Analyst at J Gold Associates, LLC. And has a wealth of experience and expertise in the computer and electronics industries. He conducts analytical market research and advises numerous clients on many aspects of enterprise systems, including business analysis, strategic planning, architecture, product evaluation and selection as well as enterprise application strategy. So is perfect guest for us today.

I’m trying to think back, Jack, how long you and I have known each other and our best guess was about 15 years we’ve worked together.

Jack Gold: Yeah, Tom. I think it’s been that long. Of course we’re all six years old when we started so it’s not much of a problem.

Tom Garrison: That’s right. Oh boy. Yeah, it was pre-gray hair, I know that for me. We’re here really wanting to talk about the concept of being able to create enclaves within the hardware that are safer relative to the rest of the system so you can do confidential code execution and other things inside these enclaves as well as the more broad topic about confidential computing.

So I wonder Jack, if we just start with, you know, environmental scan on confidential computing, like where do you see it playing a larger role, an outsized role in terms of the kinds of users or usages around SGX and confidential computing?

Jack Gold: Yeah. Tom, confidential computing is one of those terms that kind of means different things to different people. When we’re talking about data–data about you and I, or corporate data or financial data–generally, when we talk about that data being safe because it’s encrypted. And that’s true. It is encrypted. It’s encrypted at rest. When it’s in a database it’s encrypted while it’s traveling over network. But generally speaking, once that data starts being processed, it’s no longer encrypted.

So it’s available–if you can get into the processor–you can see that data essentially in the clear. Confidential computing, to me, means two kind of circles if you’re looking at a Venn diagram, right?–the two circles we were just talking about encrypted data at rest, encrypted data as it’s traveling over network, but the third circle needs to be safe, data being processed. And we need to be able to, to assure that well, that data might be somehow in the clear while it’s in your computer. If I have access to your computer or access to your app, or it’s just a bad app, that I don’t all of a sudden have access to what was encrypted data that’s not right out in the open and I could make use of. So confidential computing is really all of that.

Tom Garrison: That’s interesting. And do you see particular users or, or industries that are embracing the concept of confidential computing more so than others or do you see this as kind of a broad appealing capability?

Jack Gold: The appeal of confidential computing really is across industries. It’s everywhere. When you think about what gets processed in a company that isn’t confidential anymore; my social security number, my driver’s license number that I give to somebody, healthcare provider has all my medical details, that’s worth a lot of money to people.

So we’re kind of talking about servers and data centers and clouds just now, but also at the front end think about all the data that we have on our PCs and even our smartphones. So it’s a broad concept that really needs to fit in the entire life cycle of computing, not just in one area.

Camille Morhardt: Is this something that we worry about for just on-prem or you described, you’re talking about public cloud concerns? Do consumers need to be concerned, as well?

Jack Gold: Oh, absolutely. There’s absolutely a need to have this in the cloud. Look, in most cloud environments, data that’s running in an app is being shared on the same piece of hardware via virtual machine has probably tens, dozens, hundreds of other applications running on that same machine. And if there’s no way to segment out those virtual machines to protect them from one another, if I have a bad app running, somehow I get it to run in, pick your favorite cloud, can it get access to an adjacent virtual machine and get the data out of that machine that has of great value?

So when we talk about confidential computing, we’re talking about individual computers, whether it’s a personal computer or whether it’s a server in a corporation, but we’re also talking about public cloud and private cloud as well.

Camille Morhardt: So basically, anybody–enterprise or consumer–who’s storing any kind of a data on a public cloud or a hybrid is using a hybrid cloud environment, needs to consider what the public cloud provider is doing with respect to this protecting data, as you say, while it’s being processed.

Jack Gold: Yes. Look, people want data about you and me. They can get real value out of that and sell it for a lot of money. So if I don’t have a way of protecting that, there’s a lot that people already know about me, but there’s a lot more that they could garner. So I need to be aware of where my data resides. If it’s in the cloud, or if it’s in Google cloud, AWS, Azure, how do I know that that data is safe?

And if I’m an enterprise that has access to that data and that data gets compromised, I’m going to feel the pain in a number of ways. First of all, there are a lot of regulations against disclosing data. Look at what’s going on in Europe with the privacy laws there compared to the U.S. There’s some real fines going on.

Secondly, if there is a data breach, IBM and the Ponemon Institute, did a study showing that in the U S a typical enterprise data breach cost that company over $8 million to mitigate. That’s pretty significant amount of money to have to put out because of having a compute system that isn’t completely protective of the data,

Tom Garrison: You know, in preparation for this podcast today, you sent over a couple of your reports and I read through them and I just pulled out a couple of data points that I thought were fascinating and they came from the Verizon Security Report. But it said 39%t of companies have reported in 2020 that they were breached and up 6% from the year prior. But even more interesting was these behavioral, all aspects around security. 62% admitted that they sacrifice security due to expediency; 52% sacrificed due to convenience; and 46% admitted to sacrificing security because of profitability.

Jack Gold: Yeah, Tom, I think the real issue with security in general is that it’s hard to do it’s complex. And if you’re in a hurry and you need to get something out there, you’re going to put it out there and probably bypass some of the best-in class security measures that you should be doing simply because of expediency.

Especially because of COVID, companies needed to roll out 20,000 desktops in two days or a week, you bypass a lot of stuff to keep your company running. But even beyond that, even other companies that had the time perhaps to do it right, haven’t really done it right. And the reason is because typically large companies can have two, three, 400 different security products running in their networks and in their data centers. How do you possibly manage all that stuff? The industry has made it really hard for companies to do security well.

Camille Morhardt: So I guess just to get really simple, if I’m IT, what am I looking for to see if the hardware is protected?

Jack Gold: So if you’re IT, what you really want to know is whether the hardware that I’m working on has a vaulted area. It’s called different things by different vendors–SGX with Intel, Trust Zone on Arm, it’s other things with other guys. But what you really want to know is whether that’s available, whether that vault is even built in.

The second thing you want to know is, is the operating system interacting with it? Does Windows know that that vaulted system is there and is it working to make sure that anything it’s executing in Windows is actually running in that vault rather than running in main memory, un-encrypted.

It’s a little harder when you’re running in the cloud because you don’t actually own the hardware. You’re using somebody else’s hardware—you’re using Amazon’s hardware or Google’s hardware. And so you have to rely on them to tell you whether that’s there or not. How many people are actually asking for that right now, I would guess are probably a pretty small number. We have to raise the awareness that that’s even available. And then have those companies know that knowing that it’s available, ask for it by name.

Tom Garrison: Having this be something that is on their radar to ask for is something that would be a value for, for the listeners here.

Jack Gold: If you’re not asking for it, you’re putting your company at risk. It’s really that simple.

Camille Morhardt: Hey, Jack, you’re described like this Venn diagram of the three different places that data is right–at rest, in transit, or in process being processed. Why is it that we don’t already have everything covered?

Jack Gold: That’s a great question. And the holdup has been that if you don’t do it right, it really hurts it a lot. And so adding hardware that builds that protected vault, that enclave, that area where no one can get in–where bad apps aren’t able to penetrate side channels, aren’t able to get in–means, that you’ve got an area within the chip that is really kind of its own processing area. And so it has to have, has to be able to get data in and get data out and process at the same speed as the rest of the chip. That’s a hardware problem. That’s also a microcode problem. It’s a software problem. And so it’s complicated.

In the past, I think a lot of people have tried to do this. TPM chips were a great example. The reason they never really took hold is because there were separate chips. They had to go over a bus. They had to go over an interconnect. And the performance hit that you took, the latency on processing that data was, was pretty large. And so if you’re, if you were just processing a couple of chunks of data, it’s no big deal. If you’re processing a big Oracle database, it’s a big deal. I think we’re getting better at it. And so I think you’ll see it in a lot more chips and the impact on processing will be relatively minor.

Camille Morhardt: Are you saying you’re going to ultimately see all of the applications that are running while they’re being processed in essentially a vault or an enclave? Or are we always going to be selective about what is running in the enclave?

Jack Gold: Honestly, it will depend on how good a job you do at creating the hardware and how good a job do you do at the OS level. Until we get to that point, there probably will be some selection of, “do I run it in the vault or do I not run it in the vault?” based on the performance that I need.

Tom Garrison: Right. So what other opportunities do you see within the next say year or two, you would recommend sort of best practices or something along the lines of, of what we’re talking about here with, you know, hardened security. Are there any other things that the listeners here should take away advice that you give them?

Jack Gold: Yeah. I think there are a few things you need to think about. Number one is you need to look at the entire compute chain. You need to look at it, not just from the hardware side, but also the OS and the application side. I want to go talk to SAP or, or Oracle, or Salesforce or whoever your primary vendor is. I want to go talk to them about the fact that I understand that there are now, there is now a possibility of running in a protected, vaulted, confidential computing environment. What are you doing to support that? Do you support it today? And if you don’t support it today, when will you? and how do I get my applications into that vaulted environment?

The second thing I would say that you need to think about, people often have servers in place for five, seven, eight, 10 years. But those aren’t the ones that are running the, you know, the heavy duty databases. Those are the email servers that kind of filtered down through the channel from high end to low end, as they got older. And people just kind of ignore them, getting new servers these days are not that expensive. And so if you’re really going to run stuff on-prem, you really need to be thinking about how you’re going to bring up a confidential computing environment on-prem.

If you’re running it in the cloud, you need to ask your cloud provider, whether they support it. And eventually, longer term, what all companies should be thinking about is having these kinds of confidential computing, vaulted systems, trusted execution environments on every piece of hardware from smartphones, through PCs, through servers and into the cloud. Cause ultimately, that’s the only way you can get maximum protection.

Tom Garrison: So I’d like to transition to one of these fun things that we do with all the guests. It has to do with our favorite virus, called COVID-19 now. What have you either come to love after having to go through this whole sort of working-from-home–work changes and personal changes–that you love? and, or something that you absolutely just cannot wait to get rid of?

Jack Gold: Great question. So look, it’s nice to be able to work from home. It’s nice to be able to get up in the morning, commute about 12 feet and get to my desk–whether I had my pajamas on haven’t had my coffee yet, didn’t call my hair, no one knows. Now the downside of course, is that it also means that I’m sitting at my computer potentially sitting at my computer at midnight because I just thought of something I needed to do and I might as well do it now. So the balance is kind of gone. My dog does remind me every once in a while that I’m home and that he needs attention. So that’s probably okay. It gets me up and walking around.

Honestly, the part that I’m really getting unhappy about is the number of Zoom meetings (laughs) it’s getting to be I’m Zoomed out. Look, it’s just not the same as you and I sitting in a room face-to-face over a cup of coffee and. So I’ve, I’ve actually just for the most part, I just turned my camera off and just kind of do my thing (laughs)

Tom Garrison: Nice. You know, it did, it did occur to me. You mentioned your dog. Imagine how neurotic our pets going to be when we finally do all go back to work? Furniture is going to get torn up, the carpet is going to get ripped up, you know, Lord knows what else is going to happen (laughs). So I think there’s a business opportunity there about whether it’s dog daycare or whatever it’s going to be, but we have some pretty pampered dogs that are going to have a rough reentry when we finally go back to work.

Jack Gold: Absolutely. I agree with you. And you know, the one nice statistic about it is that if you look at shelters, shelters are for the most part are out of pets because so many people are adopting them, which is actually wonderful. I mean, I for one–kind of a commercial message here–cause our, our guy is, uh, adopted from a shelter. So that’s the good news. My fear of Tom on the negative side is that when people go back to work, they start bringing those pets back to shelters. And I sure hope that doesn’t happen.

Tom Garrison: Yup, agreed. Well, Hey Jack, thank you very much for spending time with us. I know it’s been a great conversation and, I think there was a lot of really good insight that was included in what you shared with us. So thank you for your time and for all of our listeners, we will catch you again and a couple of weeks.

Subscribe and stay tuned for the next episode of cyber security inside. Follow @tommgarrison on Twitter. To continue the conversation. Thank you for listening.