How banks can unlock new business opportunities with Confidential Computing in the cloud

Whom do I have to trust?

Cloud computing can provide a wide range of benefits to organisations, including cost savings, increased scalability and flexibility, better disaster recovery and business continuity, and access to advanced technologies and services. However, the adoption of cloud computing can also present challenges, particularly for companies operating in highly regulated industries such as banking, finance, healthcare, and insurance. One of the main challenges for these organisations is ensuring compliance with regulations related to personal data protection, while also ensuring the confidentiality and integrity of this data and staying competitive when using new technologies.

Banks, for example, rely on the trust of their clients, which is crucial for attracting and retaining business. Data theft can have financially but also reputationally devastating consequences for the attacked companies and for their customers who have placed their trust in a financial institution. This requires the protection of data in all its states – in transit, at rest, and in use. To help explain this, consider a data analytics platform. When data is sent to the provider, it's in transit. Once received, it's stored in a database or hard drive and is at rest. In the final stage of data processing, the data is in use when it is loaded onto the service providers' servers for computation. Encryption for data in transit (e.g. TLS) and at rest (e.g. disk encryption) is a common practice but the protecting of data in use is a newer and less developed area of security. As this is a potential vulnerability, it limits the use of cloud technology in dealing with sensitive data.

Who can potentially gain access to the data in use?

When using cloud computing, organisations must not only trust their own systems and personnel, but also the cloud provider. As shown in Figure 1, a compromise at any level can influence all layers above. While the decision of whether to trust a cloud provider ultimately lies with each organisation, the question remains as to whether it is necessary to do so or whether there is a technology that can reduce the number of trusted parties.

Confidential Computing to the rescue

Confidential Computing (CC) is a solution that is being developed by chip manufacturers with the support of cloud providers, with the aim of solving the trust issues in cloud computing, among other things. It aims to reduce the risk of compromise by working at the lowest possible layer of the computing stack. This is important because the security of higher layers relies on the security of lower layers. By working at the lowest layer with minimal dependencies, CC reduces the number of trusted parties to a minimum, only requiring trust in the hardware and OEM of the CC solution (see Figure 2).

Confidential Computing is a technology that uses trusted execution environments (TEEs) to protect sensitive data while it is being processed. TEEs provide several security features such as data confidentiality, data integrity, and code integrity. Depending on the implementation, they can also provide code confidentiality, authenticated launch, programmability, attestability, and recoverability. This ensures that sensitive data is protected throughout its lifecycle and is not compromised. To see how CC can be implemented, see the FAQ.

Confidential Computing provides a viable solution to elevate security standards regarding external and internal unauthorised access.

Use cases: unlocking the potential of privacy and exploring how Confidential Computing empowers regulated industries

Promoting trust in digital interactions by securing consumer privacy and information

Banks manage substantial amounts of sensitive information, and data security is a key concern. As technology continues to progress, data analytics is becoming an increasingly significant factor in driving value for banks. To fully realise the potential of their data, banks need to ensure its secure usage in both public cloud infrastructures and cross-organisational hybrid setups and to put their data to work, thereby gaining valuable insights into their customers and maintaining the trust-based relationship with them.

This technology provides a solution that allows financial institutions to securely process sensitive information throughout the customer journey, from customer onboarding and to KYC (Know Your Customer) through to transaction monitoring and other connected services, without compromising client privacy. Most importantly, this has a direct measurable impact on the customer experience and ensures consumer confidence in digital interactions and protection of privacy.

Anonymous queries allow consumers to query a dataset without revealing to the database owner what information they are seeking. For example, an insurance company can check a customer's credit score by querying a secure enclave that contains the bank's dataset without the bank knowing the specific data being requested. This feature enhances the customer journey, simplifies passport and official document checks for third parties, and enables security threat analyses using data from multiple parties.

Navigating the regulated landscape and keeping unauthorised users out

In light of the growing threat of cyber-attacks, businesses need to be vigilant in protecting their customers' data. This has become even more important with the revised Federal Act on Data Protection (FADP) in Switzerland and the requirements of the General Data Protection Regulation (GDPR) in Europe, which mandate increased levels of data privacy protection. Supervisory bodies such as the FDPIC and FINMA in Switzerland are enforcing stricter compliance regulations and imposing harsher penalties for non-compliance. To stay ahead of these regulatory changes and mitigate the risks posed by cyber-attacks, businesses can benefit from utilising CC technology.

The implementation of CC not only leads to easier and faster compliance, but it also ensures the confidentiality of data, eliminating the need for trust in multiple third parties and contracts that dictate how, where, when and what data is used. As a result, personal information remains secure and protected from unauthorised access by third parties.

Fighting fraud with Confidential Computing

Finding a secure way of data-sharing with other banks and third parties will be crucial in the detection of cyber-attacks or money laundering patterns in the financial sector. By using CC, financial institutions gain the ability to work together and share their insights on money laundering and digital fraud patterns, leading to the creation of advanced algorithms for fraud detection. This in turn results in a reinforced defence against fraudulent activities and increases operational resilience.

Data pooling refers to the process of multiple parties combining their datasets for computing purposes without giving the other parties access to their data. A third party in this sense does not necessarily have to be another organisation but can also be a division or cross-organisational business unit that should not have access to certain data in the same company. Multi-Party Machine Learning is a direct outcome of data pooling. Given defined and signed software and data, the secure enclave computes everything and exports the generated model to a destination outside the enclave. This enables companies to enhance the models without owning or seeing the data.

Open banking is one of the areas that can greatly benefit from the use of CC. With the emergence of this new source of income, businesses in regulated markets such as banks and healthcare can leverage their data and share it with third parties without compromising privacy and compliance. The implementation of CC enables these companies to fully capitalise on the value of their data without the risk of disclosing sensitive information to external parties.

Adoption

Current Adoption

According to interviews with cloud providers and research on CC, some companies aim to provide CC, at least in the form of confidential VMs, as a standard within the next five years. However, it is currently an emerging technology with only 1% of the market using it. As also shown in the Gartner Hype Cycle for Compute.

The CC market is poised for significant expansion over the next five years, fuelled by the growing emphasis on cloud and security initiatives in the enterprise sector. The rate of growth will largely depend on a company's ability to modernise its infrastructure and the heightened significance of data and analytics in key operations.

Adoption Obstacles

Here at Zühlke, we have pinpointed the three main obstacle categories, classed based on the priority of their resolution.

• Misconceptions
  One of the main obstacles is current misconceptions regarding security. Marketing slogans such as “The data is secure because it is encrypted in transit and at rest” are everywhere. As a result, the question arises as to whether there is an actual need for CC. This statement can be true for most cloud workloads nowadays. For other use cases, especially in highly regulated industries, some customers might be interested in additional security mechanisms.

• Technology
  If there is a misconception that CC is not needed, it will be difficult to surpass the obstacles and find motivation to invest in this technology. Fortunately, some companies already see the potential that CC can bring, and are heavily investing in it. Nevertheless, there are still technological and pricing issues to be solved. For example, depending on the implementation, employees need to be trained, the source code needs to be adopted, and additional steps in the development workflow need to be implemented.

• Business model
  There are currently two perspectives on pricing for CC. One camp argues that since it has a negligible performance penalty and only needs to be implemented on the hardware layer, it should be provided for free as a standard in the coming years. However, the other camp believes that since the technology is still emerging and requires further research, a surcharge for its use is reasonable.

Conclusion

Banks are on the brink of a revolution. With Confidential Computing, they have the power to change the game and reduce the number of costly data breaches they experience annually. Trust between a bank and its customers is built upon the secure handling of personal information and the preservation of bank secrecy.

As security technology continues to evolve, a comprehensive protection model is being implemented to mitigate risks throughout the entire process of data transmission, storage and usage. In this respect, Confidential Computing is filling the gap.

This innovative technology is not only a shield against rising cybersecurity threats and unauthorised access, but also the key to unlocking new business opportunities and gaining an edge over competitors. The potential for this technology to become the new standard for regulated industries is substantial, providing ample reason for its widespread implementation and utilisation.

While the timeline for fully embracing Confidential Computing is yet to be determined, we suggest that companies, particularly those operating in highly regulated industries, consider exploring the potential benefits of this technology. This can be done through conducting proof-of-concept tests in areas where data is currently underutilised but has the potential for substantial return on investment. Early investigation will provide valuable insights into the hardware requirements and talent needs for implementation.

FAQ

How can Confidential Computing be implemented?

Confidential Computing can be used in two ways: Confidential Virtual Machine (CVM) and App Enclave (AE). See Figure 2.

CVM secures the entire virtual machine, making it easier to implement. However, it still has potential attack vectors, such as compromised third-party software installed on the operating system or privileged users having access to all data.

AE, on the other hand, secures only a specific part of the code and data used within it. This option brings the most benefit, but it is also the most difficult to implement since it requires a code change.

In terms of use cases, CVM is best suited to protecting intellectual property assets such as the source code of internal software when everything within the virtual machine is considered trusted. AE, on the other hand, is ideal for protecting a company's unique algorithms or data.

Both modes of CC—CVM and AE— have their own advantages and disadvantages. However, they are not mutually exclusive and can be used together to provide the most comprehensive protection.

To find out more about Confidential Computing, please do not hesitate to contact us.