How IBM Is Bringing Confidential Computing to the Mainstream

By Charles King, Pund-IT®  July 22, 2020

It’s often said that “data is the new oil,” and considering the accelerating rate at which organizations are creating and using digital information to further their business efforts, it’s hard to disagree. But its fundamental value has also resulted in data and its owners coming under regular attack by bad actors ranging from kids on a lark to sophisticated cybercriminals to state-sponsored thieves and terrorists.

That requires organizations to be extra vigilant lest their substantial data investments be eroded or siphoned off. However, vigilance is never enough when the potential attack vectors and access points to corporate information are nearly limitless. As a result, technology vendors such as IBM are actively working on new, muscular technologies to keep customers’ precious data assets secure and confidential.

This week, Rohit Badlaney, VP of IBM Z Hybrid Cloud, and Hillary Hunter, VP and CTO of IBM Cloud, published a blog that discussed the company’s efforts in confidential computing – an area they call “the next frontier in security.” Let’s consider what they had to say.

Improving data confidentiality

So, what exactly is confidential computing? In short, the phrase describes services and solutions that fully protect information across the entire scope of its use in business, from the build process to management functions to data-driven services and functions. In August 2019, vendors including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat announced the formation of the Confidential Computing Consortium. With the help of the Linux Foundation, members plan to substantially improve security for data in use.

How does one secure “data in use”? Think of it as a logical next step beyond conventional solutions, like encrypting data when it is at rest (in storage environments) and in transit (being moved across networks).

In essence, the Confidential Computing Consortium aims to improve methodologies for keeping data continuously encrypted, including when it is being processed in memory for business applications and processes. Doing so keeps sensitive or valuable data from being exposed to the rest of the system (and possible intruders) while offering users greater security, transparency and control.

Several consortium founders made initial contributions to the project, including IBM’s Red Hat sharing Enarx for running Trusted Execution Environment (TEE) applications; Intel providing its Software Guard Extensions (SGX), an SDK for protecting code at the hardware layer; and Microsoft offering its Open Enclave SDK for building TEE applications. Since its launch, Consortium members have continued their work on confidential computing technologies, and the group has attracted new members, including Accenture, AMD, Facebook and Nvidia.

Individual consortium members are also developing their own offerings. For example, at the recent Cloud Next conference, Google announced a new cloud security program, Confidential VMs (virtual machines), that supports processing of encrypted data. Google’s Confidential VMs use the AMD EPYC Secure Encrypted Virtualization (SEV) technology.

Unfortunately, those encryption processing functions take a toll on overall system performance. Though Google and AMD say they are working to address the problem, until it is resolved customers should expect slowdowns of between 1% and 6% (depending on the workload) according to AMD benchmarks of Confidential VMs.

IBM’s focus on confidential computing

While it’s great to see vendors cooperating on the development of important new technologies, IBM was developing and delivering confidential computing solutions and services long before the group effort was announced. Badlaney and Hunter’s blog discusses those efforts, as well as recent advances in some detail. For example, the pair noted that the company announced its first confidential computing capabilities in March 2018 at its annual Think conference with the launch of Hyper Protect Services.

Those IBM Cloud Hyper Protect Services are based on secure enclave technology that integrates hardware and software and leverages what the company calls “the industry’s first and only FIPS 140-2 Level 4 certified cloud hardware security module (HSM).” The portfolio now includes three services – IBM Cloud Hyper Protect Crypto Services, Hyper Protect DBaaS and Hyper Protect Virtual Servers – that provide customers complete authority over sensitive data, associated workloads and the cloud encryption keys.

Since that initial release, IBM Cloud has continued to discuss the critical importance of securing customers’ sensitive data and workloads, and has added new features to Hyper Protect Services. These include advances that meet key compliance requirements for GDPR, ISO 27K, HIPAA Ready, IRAP Protected and SOC 2 Type 1 reports. Those are critical capabilities for global enterprises and companies working in compliance-focused industries.

Currently, IBM’s production-ready confidential computing solutions are being used by customers, including Daimler. The company also brought this same technology to Apple CareKit via the IBM Hyper Protect Software Development Kit (SDK) for iOS, available in the Apple CareKit open source GitHub community.

Badlaney and Hunter noted recent advances that demonstrate IBM’s continuing confidential computing momentum:

  • Announced in September 2019, IBM’s z15 next generation mainframe and IBM LinuxONE III systems offer up to 16TB of secured memory that can support confidential computing workloads. Additionally, IBM’s Pervasive Encryption features (which support the processing of encrypted data in memory) have a negligible impact on overall system performance.
  • IBM and Bank of America are developing a financial services-ready public cloud, which is powered by the same confidential computing security found in IBM Z. Delivered via IBM Hyper Protect Services, the solution includes the Keep Your Own Key encryption capabilities.
  • Announced in April 2020, IBM Secure Execution for Linux enables clients to isolate large numbers of workloads with granularity and at scale, thus helping to protect them from internal and external threats across hybrid cloud infrastructures.
  • In June 2020, IBM announced new toolkits that allow macOS and iOS developers to experiment with Fully Homomorphic Encryption (FHE) to keep data protected and processed simultaneously. Later in July, the company will announce a new FHE toolkit for Linux, bringing FHE to multiple Linux distributions for IBM Z and x86 architectures.

Final analysis

Groups like the Confidential Computing Consortium can help ensure that innovative new technologies are effectively developed and successfully adopted, delivering a broad range of benefits to companies, industries and markets. But it does not follow that the vendors involved in these groups will progress at the same pace. Oftentimes, some are up and running while others are still learning to walk.

That is certainly the case when it comes to IBM’s efforts in confidential computing. The continuing evolution of its flagship IBM Z mainframe systems and LinuxONE servers has enabled the company to stay well ahead of the crowd when it comes to highly secure and resilient enterprise-class computing. Unsurprisingly, many of the trusted security features that first emerged on IBM Z are now fueling the company’s pioneering efforts in confidential computing.

Those innovations have long been appreciated and enjoyed by IBM’s customers and partners. As a host of vendors bring the benefits of confidential computing into broader markets, they will be following a path blazed by pioneers like IBM.

© 2020 Pund-IT®. All rights reserved.