Open-source movement fuels push toward confidential computing
Open-source computing is going gangbusters — and that's good news for those seeking better and stronger security in the enterprise.
"The open-source approach delivers code that is developed by a broader community with diverse backgrounds and mindsets," said Mona Vij, the principal engineer of security and privacy research at Intel Labs.
More eyes mean stronger code, especially with the wide range of programming variables now in play. "Studies show that software reviews find more bugs than testing regimes," added Stephen Walli, a principal program manager working in the Azure CTO Office at Microsoft. "That doesn't mean testing isn't incredibly valuable, but healthy open-source project communities gather like-minded developers who collaborate and share their work."
This collaboration is especially valuable in the emerging field of confidential computing. While data is traditionally encrypted at rest and in transit, confidential computing protects data while it's being processed, using hardware-based techniques to isolate data, specific functions or an entire application from the operating system, hypervisor or virtual machine manager. Data is processed in "secure enclaves" — trusted execution environments, or TEE — where it's impossible to view the data or operations performed on it from outside. The TEE ensures that only authorized code can access the data, keeping information away not only from cloud or infrastructure providers but also external threat actors. If the code is altered or tampered with, the TEE denies the operation.
Hardware platforms, ISVs and CSPs are using trusted execution environments to protect data in use - open source-licensed projects are a natural way to encourage experimentation, learning and adoption"
It's a powerful new approach to security that will certainly benefit from an open-source mindset. "With the growth of hardware platforms, ISVs and CSPs using trusted execution environments to protect data in use, open source-licensed projects are a natural way to encourage experimentation, learning and adoption," Walli said.
Users agree. A global survey of 1,250 IT leaders by Red Hat found that most of the respondents (87%) view open source software as being either "more secure" or "as secure" as proprietary software.
The power is in the precision of approach that open source encourages, allowing users to run security audits, inspect for any backdoors and run tools to find any vulnerabilities. Vij illustrated this with a contrasting example: "TEEs provide a mechanism called 'attestation' to prove to a remote party that you are indeed running in a TEE. If the source code that you are expected to verify is a closed source, you are at the mercy of the closed-source vendor to do the right thing. Open source widens it up to a like-minded community trying to create the strongest environment possible."
A powerful platform
At the center of the confidential computing movement is the Confidential Computing Consortium, a community of hardware vendors, cloud providers and software developers focused on accelerating the adoption of industrywide standards for confidential computing and promoting the development of open-source confidential computing tools. The CCC supports many open-source projects — including the Open Enclave SDK, Enarx, Occlum, Graphene, Keystone and Veracruz — that help developers build applications that run across TEE platforms.
The consortium, launched under the auspices of The Linux Foundation, works to define standards for confidential computing and supports the development and adoption of open-source tools. Members include technology heavyweights such as AMD, Arm, Facebook, Fortanix, Google, Huawei, IBM (through its subsidiary Red Hat), Intel, Microsoft, Swisscom and VMware.
In recent months, too, we've also seen the appearance of the first DevOps tools, namely Inclavare and Marblerun. "I see it as a great sign of maturity for confidential computing that more and more blank spots on the open-source map are closing," said Felix Schuster, co-founder of Edgeless Systems.
With Marblerun, for instance, it is possible to have secure and scalable cloud-native confidential-computing apps running on vanilla Kubernetes.
Confidential computing is of particular interest to sectors that handle sensitive personal, commercial or governmental data. The big use case that is emerging for confidential computing is allowing secure data analytics between parties that require a high level of trust in their interactions. Early adopters include the health, research and government sectors, with the finance sector leading the way, said Dave Thaler, chair of the CCC's Technical Advisory Council and a Microsoft software architect.
As an example, Vij said: "We have one partner who wants to build a secure system with SGX and they chose Graphene as a framework for running their CC workloads, mainly because it's open source and they must build their complete health industry use case with open-source software."
In this case, she added, "open source not only speeds up the transition to confidential computing, but it's a requirement."
And that's a view that many expect to see increase in the months and years ahead.