Financial firms lock down their data with confidential computing
As financial firms face an endless and unrelenting array of digital theft and fraud, they are increasingly banking on a security approach based on confidential computing, a concept that has moved quickly from research projects into fully deployed offerings across the industry.
Confidential computing works to plug a gaping hole in data security. Data exists in three states: in transit when it is moving through the network; at rest when stored; and in use as it is being processed. Data is often encrypted while at rest and in transit, but not while it is being processed, because the processor needs plaintext to compute on it. Confidential computing closes this gap in the third state by reserving a hardware-isolated region of processor state and memory as a protected environment for the code and data, called a trusted execution environment (TEE).
The TEE isolates the programs and the data while they are executing from the rest of the system, including the host operating system, the hypervisor and, in a public cloud, the provider's own operators, which reduces the possibility that private data can be read by parties or programs not authorized to view it. The hardware and its vendor remain trusted, however, and a client relies on remote attestation to confirm that it is talking to genuine TEE hardware running the expected code before it releases any secrets to it.
That's appealing for enterprises that must manage large amounts of sensitive data that's frequently in use and rapidly moving among multiple locations: on-premises, in the cloud and at the network edge.
Royal Bank of Canada, for instance, serves 17 million clients in Canada, the United States and 34 other countries. That's an enormous number of people, with each one requiring personalized service and offers. It does that through the Virtual Clean Room, a multiparty data sharing and insight-generation platform built on Microsoft Azure confidential computing. VCR allows companies to collaborate on shared datasets, while enforcing information security and ensuring client privacy as each party views its respective dataset. For example, when a client uses an RBC credit card to make purchases at retail businesses, the bank has a horizontal dataset that shows where the client shops.
Retailers, on the other hand, have deep vertical data about customer purchases, but no visibility into other places where that customer shops. The VCR platform generates and shares insights with both the vertical and horizontal information without providing access to any individual or groups of customer datasets, which are kept confidential and protected. The result: RBC client data is protected, while the clients gain the benefit of smarter, personalized and more relevant services and offers.
Confidential computing has a similar appeal for Fireblocks, which must secure an intensive data-sharing operation. Fireblocks is building a digital asset platform to secure blockchain-based assets and transactions for the financial industry. While the blockchain itself cryptographically secures the ledger, the private keys and credentials that authorize transfers are not protected by it, and "moving digital assets is a nightmare," said Michael Shaulov, CEO and co-founder of the company, which handles $120 billion of those assets each month.
Billions of dollars in digital assets have been stolen by hackers over the last two years through private key theft, spoofing and compromised credentials, Shaulov noted. Binance, for example, lost $40 million in bitcoin in May 2019 due to an insecure hot wallet and compromised API credentials. Once Fireblocks realized the traditional tech stack was not suitable for its security needs, it turned to confidential computing, he said.
Here's how it works. Fireblocks implements the entire communication stack between network participants inside of trusted execution environments (specifically Intel SGX, Software Guard Extensions), Shaulov told SecurityWeek. The TEEs are isolated by the CPU hardware, and their data and code are protected even from a compromised underlying operating system or hypervisor.
"The Fireblocks components that run inside of the enclave protect the API keys and secrets, and run the whole SSL and REST-API stack inside of the secure enclave," he said. "This allows chip-level isolation of not only the API-SECRET data, but also the whole communication between the counterparty, and block malware and MitM [man-in-the-middle] attacks from spoofing the communication."
Fighting digital fraud
The confidential computing security approach is also effective in anti-money laundering efforts, which often involves a number of people and thus "tends to be a team sport," said Michael Reed, Intel's director of confidential computing.
Confidential computing can be employed in an AI-based money laundering detection approach that uses federated learning. In this strategy, disparate teams (often in different companies) work collaboratively to create a shared prediction model. Unlike standard machine learning approaches that require data centralization, federated learning keeps the training data in local environments, such as a bank's internal systems, with no need to store the data in the cloud; only model updates leave each participant, and confidential computing protects the code that trains on the local data and the step that combines the updates.
In a federated learning system designed to root out money laundering, banks could benefit from each other's transaction data to build more capable models without exposing their raw records to competitors.
"They could come up with a shared algorithm that's informed by the data and then redistribute that algorithm," Reed said. "They can use confidential computing to make sure that the right programs are operating on the right data and that data can stay where it resides in the bank as opposed to being shared across industry boundaries."
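The federated round Reed describes, as an added Python example that is not Intel's, RBC's or Fireblocks' code: three hypothetical banks each train a logistic-regression classifier on their own constructed transaction data, and only parameter vectors reach the aggregator, which applies the FedAvg (sample-weighted averaging) rule and redistributes the result. The bank names, the three features, the synthetic labelling rule and all data are assumptions made up for the example; the enclave itself is not modelled, the point is to make visible exactly what crosses the company boundary.

```python
import math
import random

N_FEATURES = 3  # per-transaction features: [amount_z, velocity_z, cross_border]

# Hidden rule used only to synthesise labels for the constructed data.
# A real bank would use its own investigators' AML case labels instead.
TRUE_W = [2.0, 1.5, 1.0]
TRUE_B = -1.0


def make_bank_data(seed, n, amount_shift):
    """Constructed sample data for one hypothetical bank: a list of
    (features, label) pairs. amount_shift makes the banks' data
    non-identically distributed, as real institutions' books are."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x = [rng.gauss(amount_shift, 1.0),        # standardised amount
             rng.gauss(0.0, 1.0),                 # standardised 24h velocity
             1.0 if rng.random() < 0.3 else 0.0]  # cross-border flag
        logit = sum(w * xi for w, xi in zip(TRUE_W, x)) + TRUE_B
        label = 1 if logit + rng.gauss(0.0, 0.25) > 0 else 0
        rows.append((x, label))
    return rows


def sigmoid(z):
    z = max(-30.0, min(30.0, z))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(params, x):
    """params = [w_0, w_1, w_2, bias]."""
    return sigmoid(sum(w * xi for w, xi in zip(params[:N_FEATURES], x)) + params[N_FEATURES])


def local_train(params, rows, lr=0.3, epochs=50):
    """One bank's local step: full-batch gradient descent on its own rows,
    starting from the current global model. Returns (new_params, n_rows).
    Only that return value leaves the bank; `rows` never does."""
    p = list(params)
    n = len(rows)
    for _ in range(epochs):
        grad = [0.0] * (N_FEATURES + 1)
        for x, y in rows:
            err = predict_proba(p, x) - y
            for j in range(N_FEATURES):
                grad[j] += err * x[j]
            grad[N_FEATURES] += err
        p = [pj - lr * gj / n for pj, gj in zip(p, grad)]
    return p, n


def fed_avg(updates):
    """Aggregator: sample-count-weighted mean of the banks' parameter vectors
    (the FedAvg rule). In a confidential-computing deployment this is the
    function that would run inside the attested enclave."""
    total = sum(n for _, n in updates)
    return [sum(p[j] * n for p, n in updates) / total for j in range(N_FEATURES + 1)]


def accuracy(params, rows):
    hits = sum(1 for x, y in rows if (predict_proba(params, x) >= 0.5) == (y == 1))
    return hits / len(rows)


def run_federated(rounds=5):
    """Train across three hypothetical banks. Returns the global model and a
    transcript of every message the aggregator received, so the caller can
    confirm that only parameter vectors crossed the company boundary."""
    banks = {"bank_a": make_bank_data(1, 300, 0.0),
             "bank_b": make_bank_data(2, 200, 0.4),
             "bank_c": make_bank_data(3, 400, -0.4)}
    params = [0.0] * (N_FEATURES + 1)
    transcript = []
    for rnd in range(rounds):
        updates = []
        for name, rows in banks.items():
            new_p, n = local_train(params, rows)
            transcript.append((rnd, name, new_p, n))  # all the aggregator sees
            updates.append((new_p, n))
        params = fed_avg(updates)
    return params, transcript


if __name__ == "__main__":
    model, log = run_federated()
    holdout = make_bank_data(99, 500, 0.0)  # constructed evaluation set
    print("global model:", [round(v, 2) for v in model])
    print("hold-out accuracy: %.3f" % accuracy(model, holdout))
    print("messages seen by aggregator:", len(log), "each of length", len(log[0][2]))
```

Two practitioner notes on the design. First, each bank should verify the aggregator's attestation report before sending an update, and the aggregator should likewise attest the training code it expects each bank to run; that is the "right programs operating on the right data" check Reed refers to. Second, parameter vectors are not harmless: gradient-inversion and membership-inference attacks can recover information about individual training records from them, so in practice the updates themselves are also protected, for example by sending them only into the enclave over an attested channel or by adding differential-privacy noise before release.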
Reed noted that there are all sorts of scenarios in the financial services industry where confidential computing could help coordinate data moving across company boundaries. These include credit qualification, market-rate calculations, credit scores and loan fulfillment.
Financial fraud isn't waning, experts say, and as it increases, security tools designed to protect the data in use need to get stronger to combat more complex fraud. Reed said: "Confidential computing is going to play a big role in the future of financial services."