Is confidential computing the future of cybersecurity? Edgeless Systems is counting on it

With the hardware-based confidential computing technology, computer workloads are shielded from their environments, and data is encrypted even during processing — and all of this can be remotely verified. 

Felix Schuster, CEO of emerging confidential company Edgeless Systems, said the “vast and previously unresolved” problem this addresses is: How do you process data on a computer that is potentially compromised?

“Confidential computing lets you use the public cloud as if it was your private cloud,” he said.

To extend these capabilities to the popular Kubernetes platform, Edgeless Systems today released their first Confidential Kubernetes platform, Constellation. This allows anyone to keep Kubernetes clusters verifiably shielded from underlying cloud infrastructure and encrypted end-to-end.

As Schuster put it, confidential computing hardware will soon be a ubiquitous, mainstream requirement. In fact, in some European countries in the eHealth space, confidential computing is already a regulatory requirement.

“People will want and expect it for most workloads, just like they expect antivirus and firewalls to be present,” he said. “CISOs will soon need to explain to their CEOs why they’re not using confidential computing.” 

Rapidly expanding market for confidential computing

Confidential computing is what some — including Edgeless Systems — are calling a revolutionary new technology that could change the cybersecurity game. And, it is rapidly growing in adoption. 

According to Everest Group, a “best-case scenario” is that confidential computing will achieve a market value of roughly $54 billion by 2026, representing a compound annual growth rate (CAGR) of a whopping 90% to 95%.

All segments — from hardware, to software, to services — will grow, the firm predicts. Expansion is being fueled by enterprise cloud and security initiatives and increasing regulation, particularly in privacy-sensitive industries including banking, finance and healthcare. 

To promote more widespread use, the Linux Foundation recently announced the Confidential Computing Consortium (CCC). This project community is dedicated to defining and accelerating adoption and establishing technologies and open standards for trusted execution environment (TEE), the underlying architecture that supports confidential computing. 

The CCC brings together hardware vendors, developers and cloud hosts, and includes commitments and contributions from member organizations and open-source projects, according to its website.

Cloud providers AMD, Intel, Google Cloud, Microsoft Azure, Amazon Web Services, Red Hat and IBM have already deployed confidential computing offerings. A growing number of cybersecurity companies including Fortinet, Anjuna Security, Gradient Flow and HUB Security are also providing solutions.

The power of ‘whole cluster’ attestation

Constellation is a Cloud Native Computing Foundation (CNCF)-certified Kubernetes distribution that runs the Kubernetes control plane and all nodes inside confidential VMs. This gives runtime encryption for the entire cluster, explained Schuster. 

This is combined with “whole cluster” attestation, which shields the entire cluster from the underlying infrastructure “as one big opaque block,” he said. 

With whole cluster attestation, whenever a new node is added, Constellation automatically verifies its integrity based on the hardware-rooted remote attestation feature of confidential VMs. This ensures that each node is running on a confidential VM and is running the right software (that is, official Constellation node images), said Schuster. 

For Kubernetes admin, Constellation provides a single remote attestation statement that verifies all of this. While remote attestation statements are issued by the CPU and look much like a TLS certificate, Constellation’s CLI can provide automatic verification.

In essence, each node is verified. “The Kubernetes admin verifies the verification service and thus transitively knows that the whole cluster is trustworthy,” said Schuster. 

Constellation says it is the first software that makes confidential computing accessible for non-experts. Releasing it as open-source was critical because attestation is a key feature of confidential computing. In closed-source software, establishing trust in an attestation statement is otherwise difficult, said Schuster.

“The hardware and features required for Constellation mostly weren’t even available in the cloud 12 months ago,” he said. “But we started the necessary work to ensure Kubernetes users can secure all their data — in rest, in transit and now in use.”

More secure computing workloads

Constellation doesn’t require changes to workloads or existing tooling, and it ensures that all data is encrypted in rest, in transit and in use, explained Schuster. These properties can be verified remotely based on hardware-rooted certificates.

Not even privileged cloud admins, data center employees, or advanced persistent threats (APTs) in infrastructure can access data inside Constellation. This helps prevent data breaches and protect infrastructure-based threats like malicious data center employees or hackers in the cloud fabric. It allows Kubernetes users to move sensitive workloads to the cloud — thus reducing costs — and to create more secure SaaS offerings.

Constellation works with Microsoft Azure and Google Cloud Platform. Eventual support for OpenStack and other open-source cloud infrastructures including Amazon Web Services (AWS) are planned, said Schuster. Constellation is now available on GitHub. 

“By making Constellation available to everyone,” said Schuster, “we can help accelerate the adoption of more secure cloud computing workloads.”