Difference between revisions of "Confidential Computing"
(→References) |
(→References) |
||
| Line 39: | Line 39: | ||
*Regulatory alignment**: Supports compliance with HIPAA, GDPR, and other data protection laws. | *Regulatory alignment**: Supports compliance with HIPAA, GDPR, and other data protection laws. | ||
| + | ===Google=== | ||
| + | there is a difference: Confidential Computing is a specific technology focused on protecting data in use via hardware-based isolation, while Google’s Protected Computing is a broader privacy framework that includes Confidential Computing as one of several techniques. | ||
| + | |||
| + | ====Confidential Computing (General Concept)==== | ||
| + | Definition: A security model that protects data while it is being processed (i.e., in use), not just at rest or in transit. | ||
| + | |||
| + | How it works: Uses Trusted Execution Environments (TEEs)—secure, hardware-isolated environments (e.g., Intel SGX, AMD SEV). | ||
| + | |||
| + | Goal: Prevent unauthorized access to data even from privileged system software (like hypervisors or cloud providers). | ||
| + | |||
| + | Examples: | ||
| + | |||
| + | Confidential VMs: Encrypt memory and isolate workloads. | ||
| + | |||
| + | Confidential GKE Nodes: Extend memory encryption to Kubernetes clusters. | ||
| + | |||
| + | Confidential Space: Enables secure multi-party computation. | ||
| + | |||
| + | Sources: Google Cloud Confidential Computing | ||
| + | |||
| + | ====Google’s Protected Computing (Broader Framework)==== | ||
| + | Definition: Google’s umbrella approach to privacy that includes minimizing data collection, de-identifying data, and restricting access—even from Google itself. | ||
| + | |||
| + | Components: | ||
| + | |||
| + | Confidential Computing (as above) | ||
| + | |||
| + | Federated Learning: Training models on-device without centralizing data. | ||
| + | |||
| + | Differential Privacy: Adding statistical noise to protect individual data points. | ||
| + | |||
| + | Homomorphic Encryption: Performing computations on encrypted data. | ||
| + | |||
| + | Private Compute Core: On-device AI processing (e.g., Smart Reply, Live Translate) isolated from apps and OS. | ||
| + | |||
| + | End-to-End Encryption: For services like Android Backup and Google VPN. | ||
| + | |||
| + | Sources: Google’s Protected Computing overview | ||
| + | |||
| + | Summary of Differences | ||
| + | {| | ||
| + | |- | ||
| + | |Feature||Confidential Computing ||Protected Computing | ||
| + | |- | ||
| + | |Scope Narrow (data-in-use protection) Broad (end-to-end privacy framework) | ||
| + | |- | ||
| + | |Tech Focus Hardware-based TEEs Combines multiple PETs (e.g., TEEs, differential privacy, federated learning) | ||
| + | |- | ||
| + | |Use Case Secure processing in cloud or edge Holistic privacy across devices, cloud, and services | ||
| + | |- | ||
| + | |Provider Industry-wide concept (Google, Microsoft, AWS, etc.) Google-specific implementation and philosophy | ||
| + | |} | ||
==References== | ==References== | ||
<references /> | <references /> | ||
Revision as of 15:34, 2 November 2025
Contents
Full Title or Meme
The Confidential Computing Consortium is a community focused on projects securing data in use and accelerating the adoption of confidential computing through open collaboration.
Context
Confidential Computing is but one way to create Layered Security.
Solutions
- Microsoft announces Azure Confidential Computing by Vikas Bhatia
- 2024-07-01 Process Isolation described in Privacy in EUDI by Denis Roio
Postres
Transforming PostgreSQL into a Confidential Database with Confidential Computing[1]
Turning PostgreSQL into a confidential database means ensuring that **data remains protected even while it's being processed**—not just at rest or in transit. This is where **Confidential Computing** comes in, using **Trusted Execution Environments (TEEs)** to isolate and encrypt data during runtime.
Key Approaches
- **Azure Confidential Computing (ACC) for PostgreSQL**
- Uses **hardware-based TEEs** (e.g., AMD SEV-SNP or Intel TDX) to isolate memory during query execution. - Data is encrypted at rest, in transit, and **in use**, shielding it from OS, hypervisor, and cloud admins. - Available via **confidential VM SKUs** in Azure Database for PostgreSQL.
- . **Fortanix Confidential Computing Manager (CCM) on AWS Nitro**
- Deploys PostgreSQL inside **Nitro Enclaves**, which isolate workloads from the host OS. - Fortanix CCM manages enclave lifecycle, attestation, and secure image deployment. - Enables secure query execution and encrypted data handling in AWS environments.
Implementation Highlights
| Platform | TEE Technology | Deployment Method | Notes |
| **Azure** | AMD SEV-SNP / Intel TDX | Confidential VMs via portal, CLI, Terraform | Limited to certain regions (e.g., UAE North) |
| **AWS** | Nitro Enclaves | Dockerized PostgreSQL inside enclave | Requires Fortanix CCM for orchestration |
Benefits
- End-to-end encryption**: Data is protected throughout its lifecycle.
- Remote attestation**: Verifies enclave integrity before processing sensitive data.
- Regulatory alignment**: Supports compliance with HIPAA, GDPR, and other data protection laws.
there is a difference: Confidential Computing is a specific technology focused on protecting data in use via hardware-based isolation, while Google’s Protected Computing is a broader privacy framework that includes Confidential Computing as one of several techniques.
Confidential Computing (General Concept)
Definition: A security model that protects data while it is being processed (i.e., in use), not just at rest or in transit.
How it works: Uses Trusted Execution Environments (TEEs)—secure, hardware-isolated environments (e.g., Intel SGX, AMD SEV).
Goal: Prevent unauthorized access to data even from privileged system software (like hypervisors or cloud providers).
Examples:
Confidential VMs: Encrypt memory and isolate workloads.
Confidential GKE Nodes: Extend memory encryption to Kubernetes clusters.
Confidential Space: Enables secure multi-party computation.
Sources: Google Cloud Confidential Computing
Google’s Protected Computing (Broader Framework)
Definition: Google’s umbrella approach to privacy that includes minimizing data collection, de-identifying data, and restricting access—even from Google itself.
Components:
Confidential Computing (as above)
Federated Learning: Training models on-device without centralizing data.
Differential Privacy: Adding statistical noise to protect individual data points.
Homomorphic Encryption: Performing computations on encrypted data.
Private Compute Core: On-device AI processing (e.g., Smart Reply, Live Translate) isolated from apps and OS.
End-to-End Encryption: For services like Android Backup and Google VPN.
Sources: Google’s Protected Computing overview
Summary of Differences
| Feature | Confidential Computing | Protected Computing |
| Scope Narrow (data-in-use protection) Broad (end-to-end privacy framework) | ||
| Tech Focus Hardware-based TEEs Combines multiple PETs (e.g., TEEs, differential privacy, federated learning) | ||
| Use Case Secure processing in cloud or edge Holistic privacy across devices, cloud, and services | ||
| Provider Industry-wide concept (Google, Microsoft, AWS, etc.) Google-specific implementation and philosophy |
References
- ↑ Microsoft Azure Confidential Computing for Azure Database for PostgreSQL (Preview) https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-confidential-computing
