Each cloud provider implements confidential computing using various hardware-based security technologies and may have additional platform-specific features and services. These offerings provide customers with options to run their sensitive workloads in a secure and isolated environment, protecting their data and ensuring confidentiality, integrity, and privacy in the cloud.
Azure Confidential Computing leverages Intel SGX technology and AMD SEV technology. Azure offers several products for confidential computing, including Confidential VMs with Application Enclaves, which protect data by encrypting and isolating it in memory during CPU processing. Confidential VMs provide an easy way to deploy confidential workloads without requiring changes to existing applications or code. Confidential containers are also available, allowing containerized applications to be deployed and managed with a fully managed Kubernetes service.
Additionally, Azure offers other products that enhance confidential computing capabilities, such as SQL Azure Always Encrypted, which enables in-place encryption and confidential queries. Trusted launch improves the security of generation 2 VMs by protecting against advanced and persistent attack techniques. Azure confidential ledger provides a tamperproof data store hosted in trusted execution environments (TEEs) with cryptographically verifiable evidence. Microsoft Azure Attestation allows for the remote verification of platform trustworthiness and binary integrity. Azure Key Vault M-HSM safeguards cryptographic keys and other secrets used by cloud applications and services.
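The "tamperproof data store with cryptographically verifiable evidence" mentioned above rests on a general technique: each record commits to the hash of the record before it, so a verifier who holds a trusted head hash can detect any edit, deletion or reordering of earlier records. The Python below is an added illustration of that hash-chaining idea written for this page; it is not Azure confidential ledger code, and the entry format, the `GENESIS` constant and the sample entries are constructed for the example. In the real service the head would be signed inside the TEE; here the verifier simply remembers it.

```python
import copy
import hashlib
import json

# Hash of "nothing" used as the predecessor of the first entry (constructed constant).
GENESIS = "0" * 64

# Constructed sample audit entries; not real ledger data.
SAMPLE_ENTRIES = [
    {"seq": 1, "collection": "audit", "contents": "role reader granted to user alice"},
    {"seq": 2, "collection": "audit", "contents": "key rotation completed for kv-prod"},
    {"seq": 3, "collection": "audit", "contents": "role reader revoked from user alice"},
]


def entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash an entry together with its predecessor's hash (canonical JSON, SHA-256)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + payload).hexdigest()


def build_ledger(entries: list) -> list:
    """Append entries in order, chaining each record to the previous record's hash."""
    ledger, prev = [], GENESIS
    for entry in entries:
        digest = entry_hash(prev, entry)
        ledger.append({"entry": copy.deepcopy(entry), "prev_hash": prev, "hash": digest})
        prev = digest
    return ledger


def head_hash(ledger: list) -> str:
    """The value a verifier must obtain from a trusted source (signed by the TEE in practice)."""
    return ledger[-1]["hash"] if ledger else GENESIS


def verify_ledger(ledger: list, trusted_head: str) -> bool:
    """Recompute the whole chain and require it to end at the head the verifier trusts."""
    prev = GENESIS
    for record in ledger:
        if record["prev_hash"] != prev:
            return False                       # chain link broken (reordered/deleted record)
        if entry_hash(prev, record["entry"]) != record["hash"]:
            return False                       # record contents changed after hashing
        prev = record["hash"]
    return prev == trusted_head                # whole history must match the anchored head


def tampered_copy(ledger: list, index: int, new_contents: str) -> list:
    """Attacker model 1: edit a record in place without touching any stored hashes."""
    bad = copy.deepcopy(ledger)
    bad[index]["entry"]["contents"] = new_contents
    return bad


def rechained_tampered_copy(ledger: list, index: int, new_contents: str) -> list:
    """Attacker model 2: edit a record and recompute every later hash to hide the edit."""
    entries = [copy.deepcopy(r["entry"]) for r in ledger]
    entries[index]["contents"] = new_contents
    return build_ledger(entries)               # internally consistent, but head differs


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_ENTRIES)
    head = head_hash(ledger)                   # verifier stores this out of band
    print("intact ledger verifies:", verify_ledger(ledger, head))
    print("in-place edit detected:", not verify_ledger(tampered_copy(ledger, 1, "x"), head))
    print("re-chained edit detected:", not verify_ledger(rechained_tampered_copy(ledger, 1, "x"), head))
```

The second attacker model is the important one: rewriting every subsequent hash produces a chain that is internally consistent, so a verifier that only checks the links would accept it. Detection depends on the head hash being anchored somewhere the writer cannot change, which is the role the TEE-signed evidence plays in the service described above.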
GCP Confidential Computing Platform offers various features to protect the confidentiality of data in the cloud and enable secure processing. Confidential VMs encrypt data while it is being processed, Confidential GKE Nodes provide encryption-in-use for GKE clusters, Confidential Space allows for collaborative analysis of sensitive data while maintaining confidentiality, Confidential Dataflow supports encrypted data processing pipelines, and Confidential Dataproc enables secure big data processing with inline memory encryption. These features utilize AMD SEV for enhanced data protection.
AWS Nitro Enclaves is a feature that allows users to create isolated compute environments within Amazon EC2 instances to securely process highly sensitive data such as personally identifiable information (PII), healthcare data, financial data, and intellectual property. Nitro Enclaves utilizes the Nitro Hypervisor technology, which provides CPU and memory isolation for EC2 instances, to further isolate the CPU and memory of the enclave from the parent instance. Nitro Enclaves is processor agnostic, and it is supported on most Intel, AMD, and AWS Graviton-based Amazon EC2 instance types built on the AWS Nitro System.
Note: As of 10 November 2022, the IBM Cloud Data Shield service is deprecated.
IBM Cloud Data Shield is a runtime protection offering that utilizes Intel SGX to encrypt data while in use for containerized workloads on IBM Cloud Kubernetes Service and Red Hat OpenShift. It extends data security with a Zero Trust Architecture and supports the C, C++, Python, and Java programming languages. It can be used for a variety of applications, including cryptographic key management, enhancing blockchain privacy, multi-party computation, content protection, edge computing, and digital wallets, ensuring data sensitivity, compliance, and privacy in the cloud.
Alibaba Cloud introduced the trusted and virtualized Elastic Compute Service (ECS) instance that supports SGX 2.0 (Software Guard Extensions) and TPM (Trusted Platform Module). The instance offers larger EPC memory and a remote attestation service, enabling efficient computing with large datasets and providing enhanced data protection for financial and internet-based applications. Alibaba Cloud has been actively promoting SGX technology, including launching cryptographic computing solutions and collaborating with universities and enterprises to cultivate SGX application developers. Their efforts aim to build a robust ecosystem and improve chip-level data security in the cloud infrastructure.
OVH Cloud offers Secure Enclaves, which provide secure execution environments for sensitive workloads. OVH Cloud utilizes Intel SGX technology to protect data and computations within enclaves, ensuring confidentiality and integrity.