jshelby

Author:  Sal Kimmich

The Digital Operational Resilience Act (DORA), a landmark regulation from the European Union, is reshaping the landscape of information and communication technology (ICT) security for financial entities. Designed to strengthen operational resilience, DORA mandates comprehensive measures to protect ICT systems against disruptions and cyber threats, ensuring the continuity of critical financial services.

What Is DORA?

DORA establishes a unified framework for ICT risk management, oversight, and reporting for financial entities operating in the EU. The act applies to banks, insurance companies, investment firms, and other financial organizations, aiming to safeguard the stability of financial systems amid increasing cyber threats.

DORA will come into effect on January 17, 2025, requiring financial entities to meet stringent ICT security and operational resilience standards. The regulation introduces detailed requirements for ICT risk management, third-party ICT service provider oversight, and robust incident reporting mechanisms.

Why Chapter II, Section II, Article 8, Paragraph 2 Matters

One of the most critical aspects of DORA is outlined in Chapter II, Section II, Article 8, Paragraph 2, which states:

Financial entities shall design, procure and implement ICT security strategies, policies, procedures, protocols and tools that aim at, in particular, ensuring the resilience, continuity and availability of ICT systems, and maintaining high standards of security, confidentiality and integrity of data, whether at rest, in use or in transit.

This provision emphasizes a holistic approach to ICT security—ensuring that data remains secure across its entire lifecycle: while being stored, processed, or transmitted. It aligns operational resilience with data confidentiality and integrity, which are foundational for maintaining trust and mitigating systemic risks.

However, the requirement to protect data in use poses a unique challenge. Traditional security measures like encryption effectively safeguard data at rest (storage) and in transit (network transmission), but they falter when data is actively being processed. This is where Confidential Computing steps in as a game-changing solution.

Confidential Computing: The Clear Candidate

Confidential computing enables the protection of data in use by leveraging hardware-based secure enclaves. These enclaves create an isolated environment where sensitive computations can occur, shielding them from unauthorized access—even from the host operating system or cloud provider. By ensuring the confidentiality and integrity of data in use, confidential computing directly addresses one of the most pressing gaps in traditional ICT security strategies.

Key features of confidential computing that align with DORA’s requirements include:

1. Enhanced Data Security: Protects sensitive computations from being exposed, even in shared cloud environments.
2. Resilience and Integrity: Ensures that data remains secure and untampered during active processing.
3. Regulatory Compliance: Provides a robust mechanism to meet DORA’s requirements for high security standards across the data lifecycle.

A Call to Action for Financial Entities

As the 2025 deadline approaches, financial entities must act to design and implement ICT security strategies that align with DORA’s requirements. Confidential computing, with its ability to secure data in use, is a pivotal technology for achieving compliance with Article 8, Paragraph 2.

By integrating confidential computing into their ICT security frameworks, financial institutions can not only meet regulatory mandates but also enhance their overall resilience against evolving cyber threats. Early adoption will provide a competitive edge, enabling organizations to build trust with customers, regulators, and partners in an increasingly digital and interconnected financial ecosystem.

Conclusion

DORA’s focus on ensuring ICT systems’ resilience, continuity, and security presents both a challenge and an opportunity for financial entities. By embracing confidential computing, organizations can address the critical requirements of Chapter II, Section II, Article 8, Paragraph 2, securing their data at every stage of its lifecycle. As the clock ticks toward 2025, the time to act is now.

Resources to Learn More 

DORA Regulation: Article 8

IBM: Navigating the digital wave: Understanding DORA and the role of confidential computing

Edgeless Systems: How to encrypt data in use for DORA compliance

Anjuna: Financial Services Confidential Computing Key Use Cases

Redhat: Confidential Containers for Financial Services on Public Cloud

At ACSAC 2024 (Annual Computer Security Applications Conference), the esteemed Cybersecurity Artifact Award was presented to the “Rapid Deployment of Confidential Cloud Applications with Gramine” project for its innovative approach to enhancing cloud security. The project stood out for enabling the secure deployment of confidential applications in cloud environments while ensuring the protection of sensitive data.

Introducing Gramine: A Breakthrough in Confidential Cloud Computing

The winning artifact showcases Gramine, a lightweight framework designed to facilitate the rapid deployment of confidential cloud applications. By leveraging Trusted Execution Environments (TEEs), specifically Intel SGX, Gramine provides hardware-enforced isolation of data during computation. This ensures that both data and computations remain protected from adversarial threats in the cloud.

Gramine (formerly known as Graphene) is an open-source library that allows developers to build and run applications in secure enclaves, such as Intel’s SGX, without needing to modify the application’s source code. It bridges the gap between traditional cloud computing and confidential computing, making it easier for organizations to protect sensitive workloads in multi-tenant cloud environments while maintaining the flexibility and performance of cloud-native applications.

Key Features of the Winning Artifact

• Confidential Computing: Gramine ensures that sensitive data is encrypted and protected even while in use, guarding it from external threats and insider attacks.
• Easy Deployment: The project simplifies the complex process of setting up and configuring secure enclaves for cloud applications, making confidential computing more accessible.
• Scalability and Flexibility: With support for deploying multiple applications in parallel, Gramine helps large organizations secure diverse cloud workloads efficiently.
• Compatibility with Existing Applications: A major advantage of Gramine is its ability to run unmodified applications in secure enclaves, enabling seamless integration of confidential computing into existing infrastructures.

Why It Won the ACSAC Cybersecurity Artifact Award

The “Rapid Deployment of Confidential Cloud Applications with Gramine” project won first place for its innovative solution to one of the most critical challenges in cloud security: ensuring the confidentiality and integrity of sensitive data in potentially untrusted cloud environments.

As more organizations move to the cloud, the need for tools that protect confidentiality and privacy becomes increasingly urgent. Gramine provides a practical solution by enabling confidential workloads to be deployed at scale while remaining flexible enough to integrate with existing cloud-native applications. This lowers the barriers to secure cloud deployment, making confidential computing accessible to a broader range of organizations.

The Impact on Cloud Security

The success of this project highlights the growing importance of confidential computing in the battle against cloud-based cyber threats. As cloud adoption continues to rise, tools like Gramine pave the way for organizations to secure their cloud applications, safeguard sensitive data, and meet privacy regulations.

The ACSAC Cybersecurity Artifact Award positions this project as a catalyst for further innovation in cloud security and confidential computing. It offers both a technical solution and a blueprint for securely deploying sensitive workloads in a rapidly evolving cloud landscape.

For more information on the winning artifact, visit the ACSAC 2024 program page:

• ACSAC 2024 Artifacts Competition
• ACSAC 2024 Program

Mike Bursell (Executive Director, Confidential Computing Consortium):

Open Source as the Foundation of Trust:

Mike emphasizes that “Magic pixie dust to all of these is open source because you need to know that the software which is guaranteed seeing all of this stuff has been correctly written and there are no people trying to exfiltrate your data or do evil stuff with these keys as you go along…….. without that you just don’t get the scale taking off, that’s really important.“

Simplifying Complex Technologies:

Mike also highlights the importance of abstracting complex technologies like TEEs to make them accessible to users without deep technical expertise. “That’s exactly what companies like Super Protocol are doing and the sort of thing that we are encouraging in the Confidential Computing Consortium as well. So, reducing the friction, bringing it to users who don’t need to know the really low-level detail- it does get very, very techy very, very quickly…“

Nukri Basharuli (Founder and CEO, Super Protocol):

Effective Collaboration Among Companies:

Nukri Basharuli points out “the last McKinsey report says 90% of large and medium companies want to collaborate based on their data. But at the same time, there are two opposite vectors: on one side, you need to collaborate on data with your partners, even with your direct competitors – to observe the market, to find insights, and to grow. But at the same time, you need to prevent these leakages and risks of cannibalization of each other. That’s why verifiable and confidential computing gives us opportunities to make this collaboration effective and provable.”

Accessibility of TEEs:

Nuri discusses Super Protocol’s development of a “ready-made AI & Data Marketplace within a confidential cloud based on TEE. “In just a few clicks, you will be able to launch your model, upload your model from our Marketplace or from Hugging Face, in a fully private decentralized environment. Just a few clicks – deploy a smart contract and… this is why we are building Super: to make this road as easy as possible for millions of projects developing billions of personal AI agents based on personal data for businesses, private needs, and so on…….And you can make this connection verifiable for all participants – that’s why this is a big difference and next is that everything behind smart contracts in Super is governed only by smart contracts – all services, all computation services, 100% of services are governed only by smart contracts. This is another difference from a centralized cloud which is governed by an administrator or owner of the service.”

David Attermann (Head of Web3 Investments, M31 Capital):

Growth of the Confidential Computing Market:

David Attermann predicts: “The confidential computing market is expected to grow 50% annually for the next 10 years. The demand for it is real, and it’s becoming a major industry now. Within Web3, TEEs have gained momentum as the most practical way to verify compute. For the next five years, TEEs will likely serve as the foundation for all verifiable compute in Web3.

Unique Capabilities of Super Protocol: 

David also notes that “even without an interest in cryptocurrencies, one can appreciate the unique functionalities offered by Super Protocol.“

Listen to to the full podcast: https://www.youtube.com/watch?v=gFql1SUNM-o

For a deeper dive into Super Protocol’s architecture check out NVIDIA’s article

 https://developer.nvidia.com/blog/exploring-the-case-of-super-protocol-with-self-sovereign-ai-and-nvidia-confidential-computing/

What if you could collaborate on AI projects, run complex models, fine-tune them, and even monetize both your models and data – all while retaining full control and ensuring confidentiality? It might sound impossible, especially when involving multiple participants you don’t need to trust – or even know.

In his article, “Web3 plus Confidential Computing,” Mike Bursell, Executive Director of the Confidential Computing Consortium,  delves into this challenge: “It turns out that allowing the creation of trust relationships between mutually un-trusting parties is extremely complex, but one way that this can be done is what we will now address.“

Mike explores the synergy of Confidential Computing, blockchain, and smart contracts, showcasing Super Protocol as a real-world implementation of this vision. He explains: “Central to Super Protocol’s approach are two aspects: that it is open source, and that remote attestation is required to allow the client to have sufficient assurance of the system’s security. Smart contracts – themselves open source – enable resources from various actors to be combined into an offer placed on the blockchain, ready for execution by anyone with access and sufficient resources. What makes this approach Web3 is that none of these actors needs to be connected contractually.”

This approach enables “the network effect… building huge numbers of interconnected Web3 agents and applications, operating with the benefits of integrity and confidentiality offered by Confidential Computing, and backed up by remote attestation.“ Unlike Web2 ecosystems, often criticized for “their fragility and lack of flexibility (not to mention the problems of securing them in the first place),” here is an opportunity to create “complex, flexible, and robust ecosystems where decentralized agents and applications can collaborate, with privacy controls designed in and clearly defined security assurances and policies.“

As Mike aptly puts it: “Technologies, when combined, sometimes yield fascinating – and commercially exciting – results.“

Explore the full article to dive into the basics, the synergy of these technologies, and the technical details of how Super Protocol is turning this vision into reality.

Read the Full Article

Author: Sal Kimmich

Introduction:

As enterprises increasingly adopt multi-cloud architectures, managing data governance across distributed systems has become more complex. With data privacy regulations like GDPR and CCPA requiring organizations to maintain strict control over sensitive information, ensuring compliance while leveraging the flexibility of multi-cloud systems presents a significant challenge.

Enter Confidential Computing: by using trusted execution environments (TEEs) and remote attestation across cloud platforms, organizations can ensure that sensitive data is processed in a secure and compliant manner. This blog will explore how decentralized data governance can be achieved in multi-cloud environments using confidential computing technologies.

Why Is Confidential Computing Essential for Multi-Cloud Data Security?

In a multi-cloud setup, organizations often distribute workloads across multiple cloud providers to meet their operational needs. However, this also increases the potential attack surface, as data flows through various infrastructures. Ensuring that data remains secure and compliant with regulations across these disparate environments is critical.

Confidential computing provides a solution by ensuring that sensitive data is processed in secure enclaves within TEEs, which isolate the data from unauthorized access. Using remote attestation, these TEEs can be verified, ensuring that the code executing within the enclave is trustworthy.

This ability to isolate and verify processing environments makes confidential computing essential for ensuring data security and governance across multi-cloud deployments.

What Is Decentralized Data Governance and Why Does It Matter in the Cloud?

Decentralized data governance refers to the practice of managing data policies, access controls, and compliance requirements across multiple locations or platforms without relying on a single centralized authority. In a multi-cloud environment, this is particularly challenging, as each cloud provider may have different security standards, policies, and regulatory requirements.

By decentralizing data governance, organizations can ensure that each cloud provider adheres to specific security and compliance rules. Confidential computing enables this by allowing organizations to enforce strict access controls and data policies at the TEE level, ensuring that data governance is maintained consistently, regardless of where the data is processed.

This approach to governance is crucial for businesses that need to operate in multiple jurisdictions or across cloud infrastructures, ensuring that they meet all relevant regulatory requirements.

How Open Enclave SDK Powers Secure Data Governance in Multi-Cloud Environments

One of the key tools that enables secure data governance in a multi-cloud environment is the Open Enclave SDK. Developed under the Confidential Computing Consortium, the Open Enclave SDK provides a consistent abstraction for creating TEEs across different platforms, including Azure, AWS, and Google Cloud.

By using the Open Enclave SDK, developers can build applications that securely process data in TEEs across multiple cloud environments without having to rewrite code for each cloud provider. This ensures that data remains secure and compliant with governance policies, regardless of the cloud infrastructure being used.

Additionally, the Open Enclave SDK supports remote attestation, allowing organizations to verify that data is being processed in trusted environments across all cloud platforms.

How Remote Attestation Ensures Compliance Across Multi-Cloud Systems

As organizations move workloads across different cloud providers, ensuring that each platform complies with relevant data privacy laws is a key concern. Remote attestation provides a mechanism to verify the security and integrity of TEEs, ensuring that sensitive data is processed only within approved environments.

In the context of GDPR, for example, remote attestation can help ensure that personal data is processed only within TEEs that meet the necessary security and privacy requirements. This ability to verify compliance on the fly allows businesses to confidently use multi-cloud infrastructures while maintaining adherence to data protection regulations.

Remote attestation helps organizations remain agile in the cloud while still upholding strict data sovereignty requirements, ensuring compliance with the CCPA, GDPR, and other global regulations.

Case Study: Confidential Computing in Real-World Data Sovereignty Challenges

A real-world example of decentralized data governance using confidential computing is the case of Italy’s Sovereign Private Cloud initiative. Italy’s government aimed to ensure that critical public sector workloads were processed within secure and private environments, adhering to the country’s strict data sovereignty laws.

By adopting confidential computing and remote attestation, Italy’s sovereign cloud enabled secure processing of sensitive public data across distributed environments. This approach ensured that even when data was processed outside of government infrastructure, it was handled securely in trusted execution environments, and compliance with Italian data protection laws was maintained.

To dive deeper into this solution, you can watch the session titled Sovereign Private Cloud: A Confidential Computing Solution for the Italian Public Administration from the Confidential Computing Summit 2024, where the implementation of the Sovereign Cloud is discussed in detail. The recording is available here.

This use case highlights how confidential computing can help address data sovereignty concerns, enabling organizations to operate securely across multiple cloud infrastructures without compromising compliance.

Achieving Decentralized Data Governance with Confidential Computing

As organizations continue to embrace multi-cloud strategies, managing data governance across distributed environments becomes more complex. Confidential computing offers a powerful solution by securing data in trusted execution environments and enabling remote attestation to verify compliance.

By leveraging tools like the Open Enclave SDK, businesses can maintain control over their data policies and ensure that sensitive information is processed in secure, compliant environments across all cloud platforms. As data sovereignty concerns grow, particularly in industries like healthcare and finance, confidential computing will play an increasingly important role in ensuring data governance and regulatory compliance across the multi-cloud landscape.

Hyperlinks Summary:

• Multi-Cloud Architectures: What Is Multi-Cloud?
• Confidential Computing: Confidential Computing Overview
• Trusted Execution Environments (TEEs): What Are TEEs?
• Remote Attestation: Remote Attestation Explained
• Open Enclave SDK: Open Enclave SDK GitHub
• Azure Confidential Computing: Azure Confidential Computing
• Google Cloud Confidential VMs: Google Cloud Confidential Computing
• GDPR: General Data Protection Regulation
• CCPA: California Consumer Privacy Act
• Sovereign Private Cloud Talk: Watch the Full Session on Sovereign Private Cloud

Author:  Sal Kimmich

Introduction

Imagine you’re working for a large healthcare provider. You have patient data that needs to be processed in the cloud, but you also want to make sure that this data isn’t accessed or tampered with by anyone, including the cloud provider itself. How can you trust that the cloud server is secure before sending sensitive information to it? That’s where remote attestation comes in. It’s like a virtual “security checkpoint” that ensures the environment where your data will be processed is trustworthy.

Now imagine you’re managing thousands of IoT devices in a smart city, such as street lights or traffic sensors, which are constantly sending data back to central systems. You need to know that these devices haven’t been compromised by hackers. Remote attestation (specifically, RATestation)  helps verify that these devices are secure and haven’t been tampered with, ensuring reliable and secure communication.

Remote attestation is a core component of Confidential Computing that helps verify the integrity of a processing environment in both cloud and IoT setups, building trust across these systems. 

As organizations increasingly adopt cloud and distributed systems, securing sensitive data has become more critical than ever. Remote attestation, a core component of Confidential Computing, verifies the integrity of a data processing environment before sensitive workloads are accessed. This technology builds trust across multi-cloud environments by ensuring workloads run securely within Trusted Execution Environments (TEEs). However, this need for security also extends to the rapidly growing Internet of Things (IoT), where secure real-time operations are crucial.

Remote Attestation in Cloud and IoT: The Key to Secure Data Processing

Remote attestation operates differently in cloud and IoT environments, but its core function remains the same: verifying that a piece of code or application is running inside a secure, trusted environment (TEE).

In cloud computing, remote attestation assures that sensitive workloads, such as financial transactions or healthcare data, are processed securely within TEEs. In IoT, where devices operate in often uncontrolled environments, remote attestation ensures that each device remains trustworthy and untampered with, allowing it to communicate securely with cloud services or other devices.

Confidential Computing for Cloud: In cloud computing, multi-cloud architectures require trust across several infrastructures. Remote attestation ensures that sensitive workloads run in verified TEEs, providing a secure way to meet strict compliance requirements such as GDPR and HIPAA.

Confidential Computing for IoT: Real-Time Security: In IoT environments, remote attestation ensures the continuous integrity of distributed devices. For example, connected medical devices or autonomous vehicles must maintain their trustworthiness during real-time operations. Remote attestation allows organizations to verify these devices dynamically, preventing compromised systems from accessing sensitive networks.

Several CCC projects actively contribute to remote attestation in cloud and IoT:

• Gramine: Primarily focused on Intel® SGX, Gramine supports secure workload execution across multi-cloud infrastructures, providing compatibility for legacy applications that require trusted execution environments.

• Veraison: This flexible framework verifies attestation evidence from TEEs across multiple architectures, validating the integrity of both cloud and IoT devices.

• Keylime: Particularly useful in IoT environments, Keylime offers remote boot attestation and real-time integrity monitoring, ensuring that IoT devices maintain a secure status during operations.

• SPDM Tools: Developed to secure TEE-I/O in both cloud and IoT, SPDM Tools verify that communications between devices remain secure within trusted execution environments.

• Open Enclave SDK: This project abstracts hardware differences and provides a unified API for building secure enclave applications, supporting both cloud-based and IoT use cases.

For more information on all of these projects, see the links below and visit our CCC Project Portfolio. 

How Remote Attestation Ensures Compliance with Global Data Privacy Laws

In industries governed by stringent data privacy laws such as GDPR (General Data Protection Regulation) in Europe and HIPAA (Health Insurance Portability and Accountability Act) in the US, compliance is a top priority. Remote attestation plays a pivotal role in ensuring that sensitive data is processed securely, in compliance with global privacy regulations.

1. GDPR Compliance: Remote attestation ensures that personal data is processed in verified, secure TEEs, preventing unauthorized access or tampering. This is particularly critical for organizations in Europe, where GDPR mandates stringent data protection and privacy standards. The ability to verify the integrity of the cloud infrastructure before processing data allows organizations to prove compliance during audits.
2. HIPAA Compliance: In the healthcare sector, remote attestation is essential for ensuring that sensitive patient data is processed securely in environments that comply with HIPAA. By confirming the integrity of the TEE, healthcare providers can securely manage electronic health records (EHRs), ensuring that patient data remains protected during transmission and processing.

Remote attestation provides organizations with the assurance that sensitive data is handled within secure environments that comply with privacy laws. As multi-cloud and IoT networks grow, ensuring compliance with these laws through verified environments will become even more critical.

Real-Time Trust in IoT: The Importance of Continuous Attestation

The challenge in IoT environments lies in ensuring that every device continuously adheres to security standards. For example, Keylime enables real-time integrity monitoring, ensuring that compromised IoT devices can be detected and isolated immediately. This is especially crucial in industries like healthcare, where real-time decision-making is directly influenced by the security status of devices.

The Future of Remote Attestation: From Cloud to Edge

Remote attestation is evolving to meet the demands of both cloud and IoT environments. As organizations adopt more complex multi-cloud infrastructures and IoT networks, the role of remote attestation will expand. Post-quantum cryptography and enhanced security measures such as multi-party attestation will improve the scalability of remote attestation in the future, making it more robust against emerging threats.

Conclusion: Building Trust with Remote Attestation

Remote attestation is a crucial tool for building trust in both cloud and IoT environments. Whether securing sensitive workloads in multi-cloud infrastructures or maintaining the integrity of millions of IoT devices, remote attestation ensures that data is processed in trusted, verified environments. CCC open-source projects such as Veraison, Gramine, Keylime, and SPDM Tools are leading the way in making remote attestation scalable and secure. As Confidential Computing continues to evolve, remote attestation will remain a cornerstone for ensuring security and trust across distributed systems.

Origin and Motivations Behind ATtestation

The RATtestation documentation emerged from the need to standardize remote attestation protocols across diverse Confidential Computing environments. The document addresses the challenge of securely verifying the integrity of systems in distributed and multi-cloud architectures. ATtestation defines best practices for trust establishment, data protection, and secure communication, ensuring the integrity of Trusted Execution Environments (TEEs). It emphasizes the role of remote attestation in enabling secure collaboration while maintaining compliance with privacy regulations such as GDPR and HIPAA.

RATtestation Documentation 

Resources Summary:

• • Trusted Execution Environments (TEEs): What are TEEs?
  • Confidential Computing: Confidential Computing Overview
  • Remote Attestation: Remote Attestation Explained
  • GDPR: General Data Protection Regulation
  • HIPAA: Health Insurance Portability and Accountability Act
  • Veraison: Veraison GitHub Project
  • SPDM Tools: SPDM GitHub Project

• Keylime: Keylime: Scalable Remote Attestation

• Gramine: Gramine: Confidential Computing for Cloud

• Post-Quantum Cryptography: NIST Post-Quantum Cryptography