Confidential Computing
Definition
Technology that encrypts data while it's being processed, protecting it from access even by cloud providers and system administrators.
Use Cases
- Google: Protecting sensitive workloads in the cloud by encrypting data while it is being processed (data-in-use protection). — Google Cloud offers Confidential VMs that use hardware-based TEEs to help keep VM memory encrypted during processing, reducing exposure to privileged access on the host. (Improved security posture for sensitive workloads by reducing the risk of data exposure from infrastructure-level access; helps meet stricter security and compliance expectations for regulated data.)
- Microsoft: Running regulated or highly sensitive workloads with additional protections against access to data in memory. — Azure Confidential Computing provides Confidential VMs and related services that use TEEs to isolate workloads and protect data in use, with attestation to verify the trusted environment before releasing secrets. (Enables customers to process sensitive data in the cloud with stronger isolation guarantees and verifiable trust, supporting scenarios where data owners require protection from cloud operator access.)
- Amazon Web Services (AWS): Isolating highly sensitive application components (e.g., cryptographic operations, tokenization, or sensitive data processing) from the rest of the instance and from administrative access. — AWS Nitro Enclaves creates an isolated compute environment (an enclave) from an EC2 instance, with no persistent storage, no interactive access, and a controlled communication channel to the parent instance; customers can use attestation to validate enclave identity before sending secrets. (Reduces the attack surface and limits access paths to sensitive code and data, helping organizations meet internal security requirements for handling secrets and regulated data.)
Provider Equivalents
- AWS: AWS Nitro Enclaves
- Azure: Azure Confidential Computing (e.g., Azure Confidential VMs, Azure Confidential Containers)
- GCP: Confidential VM
- OCI: OCI Confidential Computing (Confidential VMs)
Frequently Asked Questions
- What's the difference between Confidential Computing and encryption at rest/in transit?
- Encryption at rest protects data stored on disk, and encryption in transit protects data moving over networks. Confidential computing protects data while it is being processed (in memory/CPU) by running code inside a hardware-protected environment (a TEE). This helps prevent access to raw data even from highly privileged system software on the host.
- When should I use Confidential Computing?
- Use it when you need stronger guarantees that sensitive data cannot be accessed during processing—for example, regulated healthcare/financial analytics, processing encryption keys or tokens, multi-party data collaboration where parties don’t fully trust each other, or when you want to reduce risk from privileged access on the underlying infrastructure. If your workload is not highly sensitive or you can meet requirements with standard encryption and access controls, confidential computing may be unnecessary.
- How much does Confidential Computing cost?
- Costs depend on the provider and the specific offering (confidential VM shapes/instance types, enclave size, and region). Common cost factors include: higher-priced confidential-enabled instance types, potential performance overhead, and any supporting services (key management, attestation, logging, networking). The most accurate approach is to compare the hourly price of confidential-capable instances to standard instances and account for any throughput/latency impact in your sizing.
Category: emerging
Difficulty: advanced
Related Terms
See Also