Difference between revisions of "Confidential Computing"
 (→References)  | 
				|||
| Line 79: | Line 79: | ||
Summary of Differences  | Summary of Differences  | ||
| − | {|  | + | {| border="1",spacing ="2"  | 
| − | |||
|Feature||Confidential Computing	||Protected Computing  | |Feature||Confidential Computing	||Protected Computing  | ||
|-  | |-  | ||
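Review bot: The new table-opening line `{| border="1",spacing ="2"` is malformed: wikitable attributes are space-separated HTML attributes, so the comma does not belong there, and `spacing` is not an HTML table attribute (the one that sets the gap between cells is `cellspacing`). Suggest `{| border="1" cellspacing="2"` or `{| class="wikitable"` instead.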
| Line 90: | Line 89: | ||
|-  | |-  | ||
|Provider	Industry-wide concept (Google, Microsoft, AWS, etc.)	Google-specific implementation and philosophy  | |Provider	Industry-wide concept (Google, Microsoft, AWS, etc.)	Google-specific implementation and philosophy  | ||
| + | |-  | ||
|}  | |}  | ||
==References==  | ==References==  | ||
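Review bot: The `|-` added before `|}` opens a row with no cells and does not address the problem visible in the context line above it: the Provider row separates its cells with tabs rather than `||`, so the three values render as one cell. Suggest dropping the trailing `|-` and rewriting the row as `|Provider||Industry-wide concept (Google, Microsoft, AWS, etc.)||Google-specific implementation and philosophy`.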
Revision as of 15:35, 2 November 2025
Full Title or Meme
The Confidential Computing Consortium is a community focused on projects securing data in use and accelerating the adoption of confidential computing through open collaboration.
Context
Confidential Computing is but one way to create Layered Security.
Solutions
- Microsoft announces Azure Confidential Computing by Vikas Bhatia
- 2024-07-01 Process Isolation described in Privacy in EUDI by Denis Roio
 
Postgres
Transforming PostgreSQL into a Confidential Database with Confidential Computing[1]
Turning PostgreSQL into a confidential database means ensuring that **data remains protected even while it's being processed**—not just at rest or in transit. This is where **Confidential Computing** comes in, using **Trusted Execution Environments (TEEs)** to isolate and encrypt data during runtime.
Key Approaches
- **Azure Confidential Computing (ACC) for PostgreSQL**
  - Uses **hardware-based TEEs** (e.g., AMD SEV-SNP or Intel TDX) to isolate memory during query execution.
  - Data is encrypted at rest, in transit, and **in use**, shielding it from OS, hypervisor, and cloud admins.
  - Available via **confidential VM SKUs** in Azure Database for PostgreSQL.
- **Fortanix Confidential Computing Manager (CCM) on AWS Nitro**
  - Deploys PostgreSQL inside **Nitro Enclaves**, which isolate workloads from the host OS.
  - Fortanix CCM manages enclave lifecycle, attestation, and secure image deployment.
  - Enables secure query execution and encrypted data handling in AWS environments.
Implementation Highlights
| Platform | TEE Technology | Deployment Method | Notes | 
| **Azure** | AMD SEV-SNP / Intel TDX | Confidential VMs via portal, CLI, Terraform | Limited to certain regions (e.g., UAE North) | 
| **AWS** | Nitro Enclaves | Dockerized PostgreSQL inside enclave | Requires Fortanix CCM for orchestration | 
Benefits
- **End-to-end encryption**: Data is protected throughout its lifecycle.
- **Remote attestation**: Verifies enclave integrity before processing sensitive data.
- **Regulatory alignment**: Supports compliance with HIPAA, GDPR, and other data protection laws.
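What "verifies enclave integrity before processing sensitive data" means for the party holding the database key, as an added example that is not code from Azure, AWS or Fortanix: the key is released only after the signature, nonce, age, debug flag and measurement of the attestation report all check out. The report layout, the names and the HMAC standing in for the hardware vendor's signature chain are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed values: a real verifier pins the vendor root (AMD, Intel, AWS)
# and checks an asymmetric signature chain; HMAC stands in for that here.
HW_KEY = b"constructed-stand-in-for-hardware-root-key"
TRUSTED_MEASUREMENTS = {hashlib.sha384(b"postgres-enclave-image-v1").hexdigest()}
MAX_AGE_SECONDS = 60


def sign_report(measurement, nonce, debug, issued_at, key=HW_KEY):
    """Simulate the TEE signing its report (hypothetical report layout)."""
    body = f"{measurement}|{nonce.hex()}|{int(debug)}|{issued_at}".encode()
    return {"measurement": measurement, "nonce": nonce, "debug": debug,
            "issued_at": issued_at,
            "sig": hmac.new(key, body, hashlib.sha384).digest()}


def verify_and_release(report, expected_nonce, db_key, now=None):
    """Return (db_key, "ok") only if every attestation check passes."""
    now = time.time() if now is None else now
    body = (f"{report['measurement']}|{report['nonce'].hex()}|"
            f"{int(report['debug'])}|{report['issued_at']}").encode()
    expected_sig = hmac.new(HW_KEY, body, hashlib.sha384).digest()
    if not hmac.compare_digest(expected_sig, report["sig"]):
        return None, "bad signature"
    if not hmac.compare_digest(report["nonce"], expected_nonce):
        return None, "stale or replayed nonce"
    if now - report["issued_at"] > MAX_AGE_SECONDS:
        return None, "report too old"
    if report["debug"]:
        return None, "debug mode enabled"
    if report["measurement"] not in TRUSTED_MEASUREMENTS:
        return None, "unknown measurement"
    return db_key, "ok"


if __name__ == "__main__":
    nonce, key = os.urandom(16), os.urandom(32)
    good = hashlib.sha384(b"postgres-enclave-image-v1").hexdigest()
    report = sign_report(good, nonce, False, int(time.time()))
    print(verify_and_release(report, nonce, key)[1])          # fresh, trusted image
    print(verify_and_release(report, os.urandom(16), key)[1])  # nonce mismatch
```

The verifier generates the nonce itself for each request, so a report captured from an earlier, legitimate boot cannot be replayed to obtain the key.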
 
There is a difference: Confidential Computing is a specific technology focused on protecting data in use via hardware-based isolation, while Google’s Protected Computing is a broader privacy framework that includes Confidential Computing as one of several techniques.
Confidential Computing (General Concept)
Definition: A security model that protects data while it is being processed (i.e., in use), not just at rest or in transit.
How it works: Uses Trusted Execution Environments (TEEs)—secure, hardware-isolated environments (e.g., Intel SGX, AMD SEV).
Goal: Prevent unauthorized access to data even from privileged system software (like hypervisors or cloud providers).
Examples:
- Confidential VMs: Encrypt memory and isolate workloads.
- Confidential GKE Nodes: Extend memory encryption to Kubernetes clusters.
- Confidential Space: Enables secure multi-party computation.
Sources: Google Cloud Confidential Computing
Google’s Protected Computing (Broader Framework)
Definition: Google’s umbrella approach to privacy that includes minimizing data collection, de-identifying data, and restricting access—even from Google itself.
Components:
- Confidential Computing (as above)
- Federated Learning: Training models on-device without centralizing data.
- Differential Privacy: Adding statistical noise to protect individual data points.
- Homomorphic Encryption: Performing computations on encrypted data.
- Private Compute Core: On-device AI processing (e.g., Smart Reply, Live Translate) isolated from apps and OS.
- End-to-End Encryption: For services like Android Backup and Google VPN.
Sources: Google’s Protected Computing overview
Summary of Differences
| Feature | Confidential Computing | Protected Computing | 
| Scope | Narrow (data-in-use protection) | Broad (end-to-end privacy framework) |
| Tech Focus | Hardware-based TEEs | Combines multiple PETs (e.g., TEEs, differential privacy, federated learning) |
| Use Case | Secure processing in cloud or edge | Holistic privacy across devices, cloud, and services |
| Provider | Industry-wide concept (Google, Microsoft, AWS, etc.) | Google-specific implementation and philosophy |
References
- [1] Microsoft Azure Confidential Computing for Azure Database for PostgreSQL (Preview), https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-confidential-computing