Confidential Computing Is The Game-Changing Method To Protect Data

Encryption is the most effective method to protect sensitive data. Encryption uses algorithms to scramble data so that it is readable only by someone who holds the key that decrypts it. The technology industry continues to advance encryption that protects data at rest, such as information stored on disk drives, and data in motion, information transferred across the network.

That leaves data in use. How can data be protected while it is being processed in a computer's memory? Confidential computing is an industry initiative that aims to safeguard data in use wherever it is processed, including in the cloud.

Building upon industry innovation

Confidential computing is enabled by hardware that reserves a protected region of memory, managed by the CPU, as a secure enclave. The processor encrypts the enclave's memory with a key specific to that CPU and to the application running inside the enclave.

Agencies can use this approach to protect sensitive data and the application code loaded into an enclave. Only code running inside the enclave can decrypt that data, so the data stays protected even while it is being used, for instance for analytics or database queries. Even an attacker who gained root access to the host would not be able to read the enclave's contents.
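The two properties just described, a key bound to the CPU and to the application, and data that root on the host cannot read, are easiest to see with a worked example. The following Go program is an added illustration, not code from the original article or from any vendor's SDK: it simulates enclave sealing with a constructed per-CPU secret, SHA-256 over the code bytes as the enclave measurement, and HMAC-SHA256 as a stand-in for the hardware key-derivation instruction. A record sealed by build v1 on CPU A unseals only for the same code on the same CPU; modified code or a different CPU derives a different key and the AES-GCM tag check fails.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measure stands in for the hardware-computed enclave measurement: a hash of
// the code loaded into the enclave. Here it is SHA-256 over the code bytes.
func Measure(code []byte) [32]byte { return sha256.Sum256(code) }

// SealingKey derives a 256-bit key bound to both the CPU's fused secret and the
// enclave measurement (HMAC-SHA256 is a simplified stand-in for the hardware
// key-derivation instruction). A different CPU or different code yields a
// different key: that is what "a key specific to the CPU and application" means.
func SealingKey(cpuSecret []byte, measurement [32]byte) []byte {
	mac := hmac.New(sha256.New, cpuSecret)
	mac.Write([]byte("enclave-sealing-key/v1"))
	mac.Write(measurement[:])
	return mac.Sum(nil)
}

func newGCM(cpuSecret []byte, measurement [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(SealingKey(cpuSecret, measurement))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under the sealing key. The output,
// nonce || ciphertext || tag, can leave the enclave (to disk or a database)
// without exposing the data. The measurement is bound as associated data.
func Seal(cpuSecret []byte, measurement [32]byte, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(cpuSecret, measurement)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, measurement[:]), nil
}

// Unseal reverses Seal. It succeeds only with the same CPU secret and the same
// measurement; a root user on the host has neither, so the blob is opaque to them.
func Unseal(cpuSecret []byte, measurement [32]byte, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(cpuSecret, measurement)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, measurement[:])
}

// Demo seals a record from enclave build v1 on CPU A and attempts to unseal it
// in three situations. All inputs are constructed for this example.
func Demo() (sameEnclave, tamperedCode, otherCPU bool) {
	cpuA := []byte("constructed fused secret of CPU A")
	cpuB := []byte("constructed fused secret of CPU B")
	v1 := Measure([]byte("analytics enclave build v1"))
	v2 := Measure([]byte("analytics enclave build v1 + injected backdoor"))
	record := []byte("patient 1234: HbA1c 6.1%")

	sealed, err := Seal(cpuA, v1, record)
	if err != nil {
		return
	}
	out, err := Unseal(cpuA, v1, sealed) // same code, same CPU
	sameEnclave = err == nil && bytes.Equal(out, record)
	_, err = Unseal(cpuA, v2, sealed) // modified code, same CPU
	tamperedCode = err == nil
	_, err = Unseal(cpuB, v1, sealed) // same code, different CPU
	otherCPU = err == nil
	return
}

func main() {
	same, tampered, other := Demo()
	fmt.Printf("same enclave: %v, tampered code: %v, other CPU: %v\n", same, tampered, other)
}
```

Binding the measurement into the key derivation is what makes the "application-specific" part real: a patched binary is a different enclave and gets a different key, so even a copy of the sealed blob plus the CPU does not help an attacker who cannot reproduce the original code.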

The system also includes an attestation feature, so an organization can prove to other parties that its data is being handled inside a genuine enclave running known code. An organization that handles health information, for instance, could give health care providers assurance that the data they supply will be protected.

Earlier versions of the technology restricted the size of an enclave. The latest generation of processors allows a server to have as much as 1 TB of enclave memory, enough to place entire applications, databases, or transaction servers inside the enclave.
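What "prove to other parties" means in practice is a challenge-response exchange: the relying party issues a nonce, the hardware signs the enclave's measurement together with that nonce, and the relying party checks the signature, the nonce, and whether the measurement is a build it trusts before releasing anything. The Go program below is an added example, not the article's or any vendor's code. It uses Ed25519 as a stand-in for the platform's vendor-rooted attestation key, SHA-256 over the code bytes as the measurement, and a constructed allowlist; real verifiers also walk a certificate chain to the vendor root, which is omitted here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Quote is the signed attestation evidence the enclave hands to a relying party.
type Quote struct {
	Measurement [32]byte // hash of the enclave code, computed by the hardware
	ReportData  [64]byte // enclave-chosen bytes; here the verifier's nonce in the first 32
	Signature   []byte   // signature by the platform's attestation key
}

// Platform simulates the hardware attestation key. Ed25519 stands in for the
// vendor scheme, and the verifier simply holds the public key (no cert chain).
type Platform struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPlatform() Platform {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Platform{priv: priv, Pub: pub}
}

func quoteMessage(m [32]byte, rd [64]byte) []byte { return append(m[:], rd[:]...) }

// Attest measures the enclave code and signs measurement || reportData.
func (p Platform) Attest(code []byte, reportData [64]byte) Quote {
	m := sha256.Sum256(code)
	return Quote{Measurement: m, ReportData: reportData, Signature: ed25519.Sign(p.priv, quoteMessage(m, reportData))}
}

// Verifier is the relying party, e.g. a health organization's key-release
// service deciding whether to hand a data key to the enclave.
type Verifier struct {
	PlatformPub ed25519.PublicKey
	Allowed     map[[32]byte]bool // measurements of enclave builds it trusts
	used        map[[32]byte]bool // nonces already consumed, for replay protection
}

// NewNonce issues a fresh challenge; the enclave must echo it in ReportData.
func (v *Verifier) NewNonce() (n [32]byte) {
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	return n
}

// Verify checks signature, nonce and measurement; release data only if all pass.
func (v *Verifier) Verify(q Quote, nonce [32]byte) error {
	if !ed25519.Verify(v.PlatformPub, quoteMessage(q.Measurement, q.ReportData), q.Signature) {
		return errors.New("quote signature invalid: not from a trusted platform")
	}
	if !bytes.Equal(q.ReportData[:32], nonce[:]) {
		return errors.New("nonce mismatch: quote was not made for this challenge")
	}
	if v.used[nonce] {
		return errors.New("nonce already consumed: replayed quote")
	}
	if !v.Allowed[q.Measurement] {
		return errors.New("measurement not on allowlist: unknown or modified enclave code")
	}
	v.used[nonce] = true
	return nil
}

func withNonce(n [32]byte) (rd [64]byte) { copy(rd[:32], n[:]); return rd }

// Demo runs the exchange for a genuine enclave and three failure cases and
// returns the verifier's decision for each. All inputs are constructed.
func Demo() map[string]error {
	platform := NewPlatform()
	genuine := []byte("records-query enclave build 1.0")
	v := &Verifier{
		PlatformPub: platform.Pub,
		Allowed:     map[[32]byte]bool{sha256.Sum256(genuine): true},
		used:        map[[32]byte]bool{},
	}
	results := map[string]error{}

	n1 := v.NewNonce()
	q1 := platform.Attest(genuine, withNonce(n1))
	results["genuine"] = v.Verify(q1, n1)
	results["replay"] = v.Verify(q1, n1) // same quote presented again

	n2 := v.NewNonce()
	results["tampered"] = v.Verify(platform.Attest([]byte("records-query enclave build 1.0 + backdoor"), withNonce(n2)), n2)

	rogue := NewPlatform() // attacker's own key, not the trusted platform's
	n3 := v.NewNonce()
	results["rogue_platform"] = v.Verify(rogue.Attest(genuine, withNonce(n3)), n3)
	return results
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-15s -> %v\n", name, err)
	}
}
```

The three rejections are the checks a practitioner should insist on: a signature that chains to the hardware vendor (otherwise anyone can forge a quote), a fresh nonce (otherwise a captured quote can be replayed), and a measurement allowlist pinned to reviewed builds (otherwise "running in an enclave" says nothing about what code is running).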

Cloud data protection with confidence

This technology could change how agencies approach cloud security. In traditional cloud computing, customers are required to trust the cloud service provider. The provider may promise to secure data at rest, and the agency may take every precaution to protect data in motion, but the agency can only hope its data is protected while it is in use.

With Azure confidential computing, agencies can be assured that their data is protected. This is a game-changer, particularly for heavily regulated federal agencies: they can now protect data in use even when it is hosted by a cloud service. Data is protected throughout its lifecycle, at rest, in motion, and in use.

Confidential computing for government

Cloud providers are working with leading hardware manufacturers to offer confidential computing services to federal agencies. Agencies will be able to choose cloud services built on confidential virtual machines that protect their data, and attestation tools can confirm the security posture of those VMs.

Confidential computing VMs are already available in preview for federal, state, and local government agencies, and their counterparts, within the U.S. cloud region. The technology lets agencies build enclave-based applications that protect data stored in the cloud while meeting government security standards.

Of course, federal agencies often run cloud services in air-gapped, classified environments with no connection to the internet. For those situations, hardware and cloud providers have partnered to develop tools that enable confidential computing provisioning, updates, and attestation without an internet connection.

Government and industry both gain

The Confidential Computing Consortium (CCC) brings industry together to tackle a range of security issues in cloud computing. The CCC, a project of the Linux Foundation, is an open-source community that aims to accelerate the adoption of confidential computing.