Confidential computing plays critical role in keeping government data safe
When the COVID-19 crisis crippled societies last year, the collective worldwide race for a cure among medical researchers put a spotlight on the immense power of big data analysis and how sharing among disparate agencies can save lives.
The critical need to exchange information among hundreds of international agencies or departments can be tough to pull off, especially if it's medical, financial or cybersecurity information that is highly protected by regulatory guardrails.
In addition, government agencies and their valuable databases are often in the crosshairs of hackers bent on acts of cyber warfare. The U.S. Department of Homeland Security identifies 16 "critical infrastructure sectors," such as transportation and drinking water, that are vital to the nation. These are areas whose assets, systems and networks, whether physical or virtual, are considered so essential "that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety," the report reads.
A walled garden
With this kind of backdrop, government security officials around the world must seek out and employ the very best security measures, and that's where confidential computing comes in. The confidential computing approach protects critical information by isolating sensitive data in a protected, hardware-based computing environment during processing. It allows governments to share the results of machine-learning inferencing on highly-protected or sensitive data sets without requiring them to share the data sets themselves.
Here's how it works: While data is traditionally encrypted at rest and in transit, confidential computing protects data while it's being processed, using hardware-based techniques to isolate data, specific functions or an entire application from the operating system, hypervisor or virtual machine manager. Confidential computing defines protected private memory areas — called enclaves or trusted execution environments (TEE) — to increase the security of application code and data. The transmitted information is encrypted and then decoded once inside the enclave — think of it as a high-tech walled garden. It's impossible to view the data or operations performed on the data in the TEE if you're on the outside. The TEE ensures that only authorized code can access the data, keeping information away not only from cloud or infrastructure providers but also from external threat actors. If the code is altered or tampered, the TEE denies the operation, protecting it from unauthorized use and manipulation.
The result of this approach is that government agencies could enjoy the benefit of cloud-scale machine-learning inferencing without giving up any intellectual property, sensitive criminal investigations or other potentially damaging information to malicious hackers.
"The ability to securely collect, collate, and process data across organizations has always been a challenge for governments," said Hugh Eaton, the vice president of worldwide government at Microsoft. "This is especially true for agencies involved in program benefits and fraud prevention, law enforcement and the criminal justice system, critical infrastructure and defense organizations. Confidential computing helps to remove these barriers, allowing agencies to meet their commitments to the people and communities they serve."
From health care to financial protection
There are a host of government challenges that confidential computing could help address in critical areas ranging from digital identity and cybercrime prevention to machine-learning modeling.
In drug development, for instance, partnered health organizations can combine large data sets to unlock the potential of machine learning — when a model with more data is more accurate — but data is sensitive. Each facility can only see its data set and their patient data is protected. No other facility or even the cloud provider can see the data or training model. Each facility that contributed to training the model can use it and receive useful results.
The Spanish Department of Health, for instance, uses a confidential computing platform with privacy-preserving analytics to accelerate the development and validation of clinical algorithms used in drug development models. The platform significantly reduces the time and cost of developing clinical algorithms, per Spanish officials.
Confidential computing can play a critical role in health care outside of drug development. German citizens must have public or private health insurance, and can choose from different providers. Germans who are registered for public health care insurance can request an electronic patient record from their insurance company. This file digitally stores all medical records as well as information on diagnoses, examinations, test results and treatments.
At the same time, the country also has one of the most wide-ranging sets of laws and compliance regulations when it comes to collecting and processing personal data. The German government has strict rules to protect its digital medical records, which contain highly-sensitive information, such as diagnoses, test results and therapy suggestions. Every provider must ensure data protection within the records, such as encryption through protocols and during transmission. Confidential computing now plays a critical role in that safe processing of information.
A similar data-sharing scenario might occur in the financial industry when secure multiparty computation can be used to detect a money-laundering operation and fraud. Multiple banks can, for example, securely combine data without exposing the personal data of customers. Analytics on the aggregated larger data set can detect the movement of money by one user between multiple banks, without the banks accessing each other's data.
In June, the Monetary Authority of Singapore, for instance, sent a note to the CEOs of all the country's major financial institutions noting that they "should implement appropriate data security measures to protect the confidentiality and integrity of sensitive data in the public cloud, taking into consideration data-at-rest, data-in-motion and data-in-use where applicable." Their suggested solution: "confidential computing solutions if available."
This trend will continue to accelerate. "As the operational environment for governments continues to become more complex with the growing sophistication of computer-based attacks, confidential computing will play a critical role in scaling data in the cloud across the private and public sectors globally," said Eaton. "We'll see this both through the infrastructure directly and the services and applications running on top of confidential computing hardware."