We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

We need a Let’s Encrypt movement for Confidential Computing

00:00

Formal Metadata

Title
We need a Let’s Encrypt movement for Confidential Computing
Subtitle
The importance of protecting data in use
Title of Series
Number of Parts
542
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Most CISOs and a great majority of developers are not aware of the importance of encrypting data in use (the core idea behind Confidential Computing). Confidential Computing is evolving rapidly and is starting to gain adoption by CSPs, but user adoption is still slow. But what if encrypting data in use became the default way to deploy applications, both in the Cloud and even on premises? In this session, we’ll discuss what are the main roadblocks towards this vision, what we can do about it, and what are the main implications if encrypting data in use becomes the norm. There are three states in which data can be protected: at rest, in transit, and in use. Encrypting data at rest (e.g. files, objects, storage) and in transit (e.g. TLS, HTTPS) have become a common practice, while encrypting data in use (the core idea behind Confidential Computing) is still an emerging concern. But while a common practice today, encrypting data in transit only gained wide adoption with the Let’s Encrypt movement, which was fundamental in changing the general mindset from “encryption is only important for e-commerce and banking applications” to “let’s encrypt everything by default, no matter what’s the application”. Confidential Computing is just starting to emerge, and most use cases are restricted to sectors like healthcare and banking, which require greater assurances that their sensitive code and data are protected. We will look back at the Let's Encrypt project, which started 10 years, to understand why this movement was so successful and how we can replicate this success for encrypting data in use. Our hope is to make encrypting data in use the default way for deploying applications, which will fundamentally change the security approach that exists today.
World Wide Web ConsortiumBitField (computer science)Right angleOpen sourceMereologyNeuroinformatikData managementProjective planeComputer animation
Quantum stateCoprocessorEncryptionComputer networkData integrityCodeAuthorizationInformation securityIntegrated development environmentComputer hardwareTelecommunicationService (economics)Hard disk driveData integritySemiconductor memoryBefehlsprozessorControl flowRootMereologyPhysical systemCodeNeuroinformatikGroup actionWordCASE <Informatik>Projective planePoint cloudRegulator geneInformation securityServer (computing)INTEGRALQuantum stateSoftware developerLaptopType theoryCartesian coordinate systemWeb browserEncryptionSensitivity analysisService (economics)TelecommunicationExploit (computer security)Computer animation
TelecommunicationService (economics)CollaborationismComputer hardwarePoint cloudSoftware developerSoftwareCanonical ensembleSelf-organizationWebsitePublic key certificateEncryptionTransport Layer SecurityInformation securityInternetworkingGoogle ChromeFacebookImplementationClient (computing)Data managementIntegrated development environmentCommunications protocolServer (computing)Sensitivity analysisFreewareNeuroinformatikMereologyCloud computingGroup actionDefault (computer science)Public key certificateSoftware developerProcess (computing)Open sourceComputer hardwareOpen setCartesian coordinate systemProjective planeWeb 2.0SoftwareCommunications protocolServer (computing)Internet service providerArmVideoconferencingPoint cloudVector potentialTerm (mathematics)Information securityEncryptionRootGame theoryMultiplication signVulnerability (computing)BlogPhysical system
EncryptionSoftwareCommunications protocolClient (computing)ImplementationData managementIntegrated development environmentPublic key certificateServer (computing)EncryptionDefault (computer science)Web 2.0Projective planePublic key certificateContrast (vision)Computer animation
EncryptionPoint cloudService (economics)Computer hardwareSoftwareSource codeLattice (order)Computer hardwareContext awarenessInternet service providerBitRight angleCloud computingOpen sourceNeuroinformatikSoftwareArmTerm (mathematics)Software developerCartesian coordinate systemMereologyDefault (computer science)Projective planeComplex (psychology)Endliche ModelltheorieServer (computing)Touch typingEmailLattice (order)Multiplication signEncryption
Physical lawMereologyComputer animation
Group actionComputer animation
Program flowchart
Transcript: English(auto-generated)
first session and I wanted to give you like Explain a bit more give an overview of the fields rights for those learning So I'm Nick Vidal part of the anarx Community manager and anarx. It's part of the confidential computing consortium. It's an open source project
I'm also serving as the chair of the outreach committee from the confidential computing consortium, and it's a pleasure to be here So let's start out with Talking about the states of data protection. This is very basic. I mean
Everybody knows about protecting arrests protecting data arrests protecting data in transit But now protecting in use this is something that it's relatively new So what exactly is protecting data arrests when you have your hard drive encrypted? So your laptop you're traveling you get lost
that data is safe as long as your your hard drive is encrypted and Nobody can get in there in transit when you open up your browser and you just type HTTPS and you access some website the data that's flowing between your browser and the server
if that's using HTTPS that's encrypted and Nobody can tamper into that data That's secure. However, there's a third way that the data can also be Accessible and that's directly on the CPU
This is something that people Most mostly are not aware of developers even security Professionals and they they are not aware that When you have Some type of application or data running at the CPU in memory if for some reason that system is compromised
Somebody can get access to that data Let's suppose that there is an exploits somebody gains roots access they'll be able to see what's in the in memory and And confidential computing allows you to encrypt data while in use while in the CPU
Even if somebody breaks down, even if somebody Gains access roots access to their system They won't have access to that data because it's just like the hard drive example
It's just like the the data in transit example. So The Confidential computing protects data and the codes both Confidentiality and integrity so confidentiality means you can not actually read what
the data and Integrity you cannot mess up the temper with that data or with that codes. So for confidential computing to To have to achieve confidential computing You have to at least provides data confidentiality
Data integrity and codes integrity. How about the codes? As part of the confidential computing consortium's definition of confidential computing That's not necessary. But some projects like the Enerx projects. We provide that all those protections
So this is the definition the official definition by the confidential computing consortium Confidential computing protects data in use by performing computation in a hardware-based attested trust
Managed sensitive and regulated data. I wanted to read that
Because the CCC worked to a whole bunch of group of people work together during one year To define this definition and Another year to add one word attested. So I wanted to read very clearly to make this definition
So I wouldn't make a mistake, right? I Don't want to memorize them and forget something so What's confidential computing? What's the case study? Where can it be used? Actually, it has many uses right now We have some very some sectors that are very much regulated. They have a lot of sensitive data and
In fact, they cannot use the clouds as of today They simply can't the policies won't allow them to benefit from the clouds So we have for example banking financial services insurance. Of course, they have a lot of sensitive financial data
We also have health care there are there's the HIPAA for example in the u.s. It's a regulation regarding health care We have telecom edge IOT
Governments a whole bunch of sectors that currently do not use the clouds because they can't Because they have a lot of sensitive data because it's very much regulated by government's policies so confidential computing Will open the clouds the IOT the edge
should these sectors they have a lot of sensitive data and that's That's the huge potential of this technology If we can open up this the clouds Should these sectors you grow a lot. That's why one of the reasons why cloud service providers are
Currently this year and this past year they have they have offered confidential computing and this is going to grow immensely So I talked about the company confidential computing consortium We are part of the Linux Foundation
We so we bring together hardware vendors like Intel AMD arm and video cloud service providers like Azure Google clouds And so many others startups as well and software developers
We have a whole bunch of members here as you can see all the major players are betting on this because in some ways this is the future of the cloud in terms of security and We have currently we have seven open source projects
We invite as many open source projects if you are working with competition computing and you have a nice project We welcome you to the CCC. So I work at the an arts, but we have Grammy and we have Veracruz Veracruz own a lot of very great technology here, which is fully open source
Now let's step back and look at the let's encrypt movement, okay Not many people are aware of Confidential computing and its importance of protecting data while in use
If we go back 10-15 years ago That was the same challenge that we had regarding protecting data in transits People were like, hey, I'm not an e-commerce. I'm not like a bank or why should I use HTTPS, right? We kind of left right now, hey
HTTPS is just the default, right? It's very easy why we shouldn't have this as the default Everyone from whatever you have your own blog It doesn't have any sensitive data, but even so you're going to use HTTPS because it's easy It's convenient and it's just more secure
This same mindset is what we need and what we need to change For people to start Really thinking about data in use of protecting data in use and it will make everything so much secure it doesn't matter if your system gets hacked if
Everyone has access, roots access to it, even so it's not a game over Your data is still secure. We hear in the news all the time about all the vulnerabilities and This could have been prevented by using confidential computing. So land secrets, it was
Started in 2012 by four people, two from Mozilla One from the Electronic Frontier Foundation and from the University of Michigan It's world's largest
certificate authority, it provides free TLS encryption and The goal is to really make the web safer using HTTPS They have a lot of sponsors and partners As I mentioned, they're part of the Linux Foundation, the Linux Foundation helps them, is a partner
Also the Mozilla Foundation, EFF There's a whole group of people that see the importance of having HTTPS by default today and What makes it possible is that they have developed software that's very easy to use That makes it
just It's a very easy process to enable HTTPS so they have the ACMA protocol and They have those who have provided Open up Searchbots, you know what that is? That's the Python application that
creates a certificate, right? And on the server side they have Boulder and these technologies, this software and this protocol, they make it really easy to achieve HTTPS by default
so I'm not sure if you can see really well here. The contrast is not really good, but you can see the growth here So this is the... Yeah, so this is the start of the project I believe, I can't see actually see the years here, but
But as you can see it's growing, right? It has grown a lot Especially here. I'm not sure what happened here, but This is the how much, how many certificates they have given, right?
Yeah, and so it's very successful. Let's Encrypt is one of the most successful achievements to help secure the web And how did they accomplish this? What can the confidential computing community learn from the Let's Encrypt movements? So here are some key ideas
That I thought about, but you can also explore this and this can be an open discussion as well. So first of all Bring, make a campaign that bring this awareness around the importance of encrypting data while in use
The same way that Let's Encrypt did this for data in transits For us, HTTPS is just the default way. We can't think of any other way of doing this Why would we use HTTP only, right? Even for a blog or whatever. It just makes sense
So adoption by TEs, by cloud service providers This is happening right now So all the major cloud service providers are really making this available Generally available, and they should, they're a bit expensive right now, but they should become
More affordable in the future Of course all the hardware developers, they have made the technologies available So Intel, Arm, Arm is still going to release this But you have AMD as well. They have invested a lot
Sometimes even a decade, right, in terms of Intel as X We have to develop software that makes it really easy to deploy confidential computing So one of the projects is Anarcs We make it really easy We use WebAssembly to allow developers to deploy applications, and it's really nice if you want to check that out
We have to abstract the complexities. Complex computing is really complex. You have to know about encryption You have to learn about attestation About the different models that exist
to achieve confidential computing and The software has to abstract all those complexities if you want to gain a market share, right? It has to be CSP neutral. It has to be hardware neutral preferably the developer
Doesn't have to know if his application is going to run on AMD or Intel or whatever. It just should work He's going to deploy this application and confidential computing will just Everything will be encrypted And he doesn't have to care about attestation or whatever. It just works. Just like Let's Encrypt
Promotes open source software. I believe open source plays a very important role here and the confidential computing consortium Has this as part of its mission to promote open source software. That's why we adopted Setting open source projects here. We have to make it affordable and
Right now it's very niche But we have to see that maybe in five years This is just going to be the default way, right? And maybe eventually it might even be free So we want to commoditize confidential computing at some point, right? To make this a reality by default
And so with that I would like to thank you for hearing me You can get in touch with us at the confidential computing consortium Using this email and I invite you to join our tech meetings It happens every every other week and also our outreach
meetings If you if you want to really learn or share your ideas your technical ideas I recommend joining the tech committee and Outreach if you want to expand this idea and and promote it. So thank you very much and that's it
Do we have some time for questions?
I have the feeling that the infrastructure was already there. It was just a problem of it was too complicated And with confidential computing as a developer, I don't really even know where to start like the infrastructure is coming
The CSP is there really adopting competition computing We have heard some announcements especially last year of making this technology generally available But really the the prices need to drop in even you must make it really easy for people to adapt
It's a most confidential computing it's mostly targeted for the server side or the edge or IOT There are some the Intel SGX for the PC or for the laptop
In fact, they were kind of degraded Intel is not supporting this anymore Yeah, you're right
Decided on Yeah, so attestation was not part of the first definition The reason why is because attestation is really complex and maybe it wasn't given as much importance as before but once
attestation became a really big discussion after And in fact, they created a special interest group around attestation and that's when they decided to