Confidential Computing and financial services cloud

Data security in the cloud – a business imperative

Cloud computing has been transforming financial IT infrastructure into a utility allowing financial institutions (FIs) to access computing resources on-demand letting FIs offload costs and effort of setting-up and managing their own on-premises infrastructure, improving agility and time to business value. As more and more financial institutions rely on hybrid cloud services, data security in the cloud is a business imperative.

Moving financial workloads from an on-premise setup to a public cloud infrastructure introduces a new attack surface with different risks. As the public cloud environment shares its hardware infrastructure, a flaw in the clouds’ isolation mechanisms can be detrimental to the protection of sensitive customer and financial data. The major public cloud environments tackle this by building their security following a defense-in-depth approach. Confidential Computing is an additional layer of security in this environment to keep data private even when a flaw is found in the other defense mechanisms.

Confidential Computing and financial services

Cloud providers offer financial institutions various encryption services to help protect data at rest (in storage and databases) and data in transit (moving over a network connection). But what about data security vulnerabilities for data in use (during processing or runtime)?

Confidential Computing solves this problem of isolating data and execution within a secure space. Confidential computing is an industry term defined by the Confidential Computing Consortium (CCC) – a foundation dedicated to defining and accelerating the adoption of confidential computing.

The CCC defines confidential computing as: The protection of data in use by performing computations in a hardware-based Trusted Execution Environment (TEE). Using a section of the CPU as a sanctuary or enclave creates a TEE. A secure enclave is a memory and CPU-only environment that is isolated from and invisible to all other users and processes on a given host. 

Confidential computing is a privacy-enhancing technology that isolates sensitive data in a protected CPU enclave during processing and eliminates the remaining data security vulnerability by encrypting data while it is being processed in the system memory.

Financial institutions need to mitigate threats that target the confidentiality and integrity of either the application or the data in system memory. Confidential computing helps financial institutions to build a resilient and secure enterprise by ensuring data integrity and confidentiality, and code integrity. 

Within financial services, there are multiple business processes such as anti-money laundering, fraud-detection among many others that require financial institutions to share data with external parties. Confidential computing allows organisations to process data from multiple sources without exposing the input data to other parties.

Multiple financial institutions can share data with each other without exposing personal data of their customers. Organisations can run agreed-upon analytics on the combined sensitive data set. The analytics on the aggregated data set can detect the movement of money by one user between multiple banks, without the banks accessing each other’s data.

Through confidential computing, these financial institutions can increase fraud detection rates, address money laundering scenarios, reduce false positives, and continue learning from larger data sets. Confidential computing provides greater assurance to financial services industry leaders that their data in the cloud is protected and confidential, and encourages them to leverage cloud services even for use cases that rely on sensitive data and computing workloads.

Ubuntu and Azure Confidential Computing

While there are multiple solutions involving secure enclaves today, they often require specialised software to take advantage of them. On the other hand, the Microsoft Azure confidential VMs only require changes to the operating system and as such existing financial workloads can run without any change on a familiar environment like Ubuntu. That makes it one of the most promising technologies in Confidential Computing.

To realise this, Canonical Ubuntu provides you guest images that are optimised for confidential computing. It also secures your VM at rest and at boot time. Ubuntu 20.04 LTS is deeply integrated into public clouds and optimised for performance, security and ease of use. Ubuntu is the only Linux distribution supporting Azure Confidential VMs.

Azure’s confidential VMs deliver confidentiality between different cloud customers and also between customers and Azure operators. Hardware-level encrypted guest isolation, combined with measured boot and TPM-backed full-disk encryption in Ubuntu and Azure Managed HSM, customer code and data are encrypted in use, in transit, and at rest using encryption keys that are protected and can be controlled by the customer. Canonical has been an important partner in this effort, working closely with us to bring confidential computing innovations to our customers.

– Vikas Bhatia, Head of Product for Azure Confidential Computing

To try Ubuntu with Confidential Computing on Azure today, see this quick start guide from Microsoft. For production workloads, Canonical is making Ubuntu Pro images tailored for Confidential Computing available.