The digital landscape has undergone a seismic shift in recent years, driven by two transformative technologies: cloud computing and artificial intelligence. From the widespread adoption of cloud services in the late 2010s to the rapid rise of AI, these advancements bring not only innovation but also critical cybersecurity concerns.
Is data truly secure in the cloud? Can AI-driven applications process sensitive information without compromising privacy? Do cloud providers or AI vendors have access to confidential business data?
While these concerns are not new, they can be effectively addressed through confidential computing. In this blog post, we’ll explore the fundamentals of confidential computing, the role of Trusted Execution Environments (TEEs), and how they compare to Hardware Security Modules (HSMs) in safeguarding sensitive data.
What is Confidential Computing?
Confidential Computing is a technology designed to protect data during processing. It works by isolating sensitive data within a secure CPU enclave, ensuring that only authorized code can access it. This encryption-in-use technique, also known as enclaving, ensures that data remains hidden from everyone, including the cloud provider.
Since confidential computing safeguards sensitive data during processing, it is especially valuable in contexts like AI. It ensures that even when processing sensitive data for generative AI models, the information remains secure and encrypted, mitigating risks associated with exposure.
Think of it like writing in a secret diary with an invisible ink that only you can reveal - the information is there, but no one else can read it.
What are Trusted Execution Environments (TEEs)?
A Trusted Execution Environment is a secure enclave within a CPU, forming the foundation of confidential computing technology. It creates an isolated environment where sensitive data can be processed securely, ensuring that decrypted information remains invisible to the operating system, hypervisor, other applications, and even the cloud provider.
TEEs are commonly used in devices like smartphones, where they store biometric data (e.g., fingerprints or facial recognition) to prevent unauthorized access by malicious apps. Well-known examples of TEE technology are Intel SGX and TDX, and AMD SEV, which enable secure data processing by keeping it protected from external threats.
What are Hardware Security Modules (HSMs)?
A Hardware Security Module is a tamper and intrusion-resistant, highly trusted physical device that performs all major cryptographic operations, including encryption, decryption, authentication, key management and key exchange. The purpose of an HSM is to conceal and protect cryptographic keys and data. They have a robust operating system and restricted network access via a firewall.
TEEs vs. HSM – Differences and Similarities
| TEE | HSM | |
| Design | Secure area within a processor | External hardware device |
| Functionality | Stores private keys | Generates, manages, and stores private keys |
| Use case | Cloud computing, AI,
Storing biometrical data or credentials
Authentication
payment transaction processes | Cryptographic applications, e.g. encryption, digital signatures; key management
Securing payment transaction processes |
| Secure against side channel attacks | No, there has been successful side channel attacks on TEEs in the past | Yes |
| Tamper-resistance | No | Yes |
Conclusion – different use cases require different levels of security
Confidential computing is a powerful solution for securely processing sensitive data in cloud environments. However, when it comes to protecting cryptographic keys, Hardware Security Modules remain the gold standard. HSMs not only provide the most secure storage for cryptographic keys but also handle key generation and management, ensuring high-quality keys and proper key lifecycle management.
That said, HSMs may not be practical for every use case due to cost or implementation constraints. In such cases, Trusted Execution Environments and confidential computing offer a strong alternative. Still, for highly sensitive key material, an HSM is essential to prevent key exposure and ensure maximum security.
