A number of big-name tech companies — including Microsoft, Google, Alibaba, Red Hat, IBM, and Intel — are joining forces in a new effort to boost cloud security by protecting data when it’s especially vulnerable.
The Confidential Computing Consortium, announced this morning by the Linux Foundation, will work to establish standards, frameworks and tools to encrypt data when it’s in use by applications, devices and online services. Current techniques focus on data at rest, and in transit. The group describes encrypting data in use as “the third and possibly most challenging step to providing a fully encrypted lifecycle for sensitive data.”
The issue “affects the privacy and security of almost every single person on Earth who interacts with these systems every single day,” said Jim Zemlin, executive director of the Linux Foundation, in an interview, explaining why competing companies are joining in the effort. “The urgency here is not lost on anyone.”
Microsoft is contributing its Open Enclave Software Development Kit (SDK) open-source project to the consortium, Intel is contributing its Software Guard Extensions SDK, and Red Hat is contributing its Enarx project. The contribution of these open-source projects to the consortium makes it more feasible for other companies to participate in the projects with greater confidence that they are being overseen by a neutral group.
If the consortium achieves its goals, “we’ll see people being able to deploy applications much more securely and easily, making use of these new developments,” said Mike Bursell, chief information security architect at Red Hat, a co-creator of the Enarx project, in an interview.
“Protecting data in use means data is not visible in unencrypted form during computation except to the code authorized to access it,” said Microsoft Azure CTO Mark Russinovich in a post Wednesday morning. “That can mean that it’s not even accessible to public cloud service providers or edge device vendors. This capability enables new solutions where data is private all the way from the edge to the public cloud.”
The initial group also includes ARM, Baidu, Tencent and Swisscom.
The involvement of three Chinese companies (Baidu, Tencent and Alibaba) in a security-related consortium could raise eyebrows given geopolitical concerns about cybersecurity. Zemlin said the work of the consortium will be done in the open and made freely available. “The challenges of cybersecurity are global,” he said.
Asked why other big tech and cloud companies such as Apple and Amazon aren’t involved, Zemlin said the initial group is just a start.