In The News

At the Confidential Compute Consortium, we’re committed to fostering a secure and privacy first digital future. The recently published O’Reilly Media report: Azure Confidential Computing and Zero Trust echoes the growing importance of safeguarding sensitive data across industries.
The Confidential computing Consortium stands at the forefront of this movement, championing a paradigm shift towards fortified data protection. This report underlines the non-negotiable aspect of privacy and security in our digital world. The insights shared in the O’Reilly Media report reinforce the urgency and relevance of our endeavors. By championing confidential computing, we’re reshaping the narrative, driving innovation, and setting new benchmarks for data security and privacy standards.

SUSE’s latest release of SUSE Linux Enterprise 15 Service Pack 5 (SLE 15 SP5) has a focus on security, claiming it as the first distro to offer full support for confidential computing to protect data.

According to SUSE, the latest version of its enterprise platform is designed to deliver high-performance computing capabilities, with an inevitable mention of AI/ML workloads, plus it claims to have extended its live-patching capabilities.

The release also comes just weeks after the community release openSUSE Leap 15.5 was made available, with the two sharing a common core. The Reg’s resident open source guru noted that Leap 15.6 has now been confirmed as under development, which implies that a future SLE 15 SP6 should also be in the pipeline.

SUSE announced the latest version at its SUSECON event in Munich, along with a new report on cloud security issues claiming that more than 88 percent of IT teams have reported at least one cloud security incident over the the past year.

This appears to be the justification for the claim that SLE 15 SP5 is the first Linux distro to support “the entire spectrum” of confidential computing, allowing customers to run fully encrypted virtual machines on their infrastructure to protect applications and their associated data.

Confidential computing relies on hardware-based security mechanisms in the processor to provide this protection, so enterprises hoping to take advantage of this will need to ensure their servers have the necessary support, such as AMD’s Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel’s Trust Domain Extensions (TDX).

SUSE also said that its cut of SLE for running SAP applications comes with improvements in High Availability (HA) and speedier deployment thanks to enhanced automation in SP5. These include automatic discovery of servers, SAP HANA databases, SAP S/4HANA, and NetWeaver applications and clusters, plus continuous checks on HA configurations with recommended fixes.

• One small Leap for OpenSUSE as 15.5 arrives ahead of business sibling
• The quest to make Linux bulletproof
• Fancy climbing into ALP over New Year’s? Fresh preview versions of SUSE’s distro and NetBSD 10 are here
• openSUSE makes baseline CPU requirements a little friendlier than feared

On the management side, the SUSE Manager 4.3.6 tool is now claimed to support over 15 different Linux distributions, including Rocky Linux, Alma Linux and all variations of Red Hat Enterprise Linux 9, in addition to SUSE’s own platform.

SUSE said that this will be available in the AWS marketplace on a pay-as-you-go basis later this year, allowing customers to manage their infrastructure from the cloud with a scalable instance on a metered basis.

While not strictly part of SLE, SUSE said it has added security-focused updates to its Rancher platform for managing Kubernetes and containers, such as support for hardened virtual machines and improved vulnerability and compliance management. The premium version, Rancher Prime, is getting the inevitable overhaul of its built-in AI Assistant with OpenAI and other generative AI technologies, since why not?

There is also a new release of its container security tool, with NeuVector 5.2 adding updates for common vulnerabilities, exposure database search, and NIST 800-53 report mapping.

NeuVector will apparently be available on the AWS Marketplace from July, and SUSE said it will also be available on Azure and Google Cloud later this summer.

“Every enterprise must maximize their business resilience to face increasingly sophisticated and potentially devastating digital attacks,” SUSE CTO Dr. Thomas Di Giacomo said. ®

VMware has joined AMD, Samsung, and members of the RISC-V community to work on an open and cross-platform framework for the development and operation of applications using confidential computing hardware.

Revealing the effort at the Confidential Computing Summit 2023 in San Francisco, the companies say they aim to bring about an industry transition to practical confidential computing by developing the open source Certifier Framework for Confidential Computing project.

Among other goals, the project aims to standardize on a set of platform-independent developer APIs that can be used to develop or adapt application code to run in a confidential computing environment, with a Certifier Service overseeing them in operation.

VMware claims to have researched, developed and open sourced the Certifier Framework, but with AMD on board, plus Samsung (which develops its own smartphone chips), the group has the x86 and Arm worlds covered. Also on board is the Keystone project, which is developing an enclave framework to support confidential computing on RISC-V processors.

Confidential computing is designed to protect applications and their data from theft or tampering by protecting them inside a secure enclave, or trusted execution environment (TEE). This uses hardware-based security mechanisms to prevent access from everything outside the enclave, including the host operating system and any other application code.

Such security protections are likely to be increasingly important in the context of applications running in multi-cloud environments, VMware reckons.

Another scenario for confidential computing put forward by Microsoft, which believes confidential computing will become the norm – is multi-party computation and analytics. This sees several users each contribute their own private data to an enclave, where it can be analyzed securely to produce results much richer than each would have got purely from their own data set.

This is described as an emerging class of machine learning and “data economy” workloads that are based on sensitive data and models aggregated from multiple sources, which will be enabled by confidential computing.

However, VMware points out that like many useful hardware features, it will not be widely adopted until it becomes easier to develop applications in the new paradigm.

Cutting effort

The cloud and virtualization giant claims that this is the purpose of the Certifier Framework, which provides platform-independent support for specifying and enforcing trust policies to secure workloads across on-premises and third-party infrastructure, including multi-cloud environments, while the companies will work together on a set of developer APIs across the x86, Arm and RISC-V ecosystems.

According to VMware, the Certifier Framework comprises two parts: one is an application development library (the API) that allows a developer to either port an existing “well-written” application, or develop a fresh one with minimal effort.

The API is said to support multiple confidential computing platforms, so there is no need to rewrite an application that uses the Framework when moving to another platform, it is claimed, and porting an app to a confidential computing environment may only require “half a dozen or so calls to the API.

Open source project

The second part of the framework is the Certifier Service, made up of a number of server applications that evaluate policy and manage trust relationships in a security domain. The purpose of this Certifier Service is to provide a scalable means to deploy many confidential computing applications and enforce security policy.

The group says showed off the technology at the Confidential Computing Summit, including demos of “universal” client-cloud trust management across multiple hardware platforms.

Intel is notably absent from the Certifier Framework group, despite being a premier member of the Confidential Computing Consortium and sponsor of the Confidential Computing Summit itself.

However, AMD’s Raghu Nambiar, VP for Data Center Ecosystems and Solutions, said that working with industry players such as VMware is critical for boosting adoption of confidential computing.

• Microsoft Azure CTO believes confidential computing is the future of targeted advertising
• It’s 2023 and memory overwrite bugs are not just a thing, they’re still number one
• Ampere says no changes to its Arm licensing as it readies new chips
• AWS users can finally use Nitro Enclaves on Arm Graviton EC2 instances

“No matter the size or technical sophistication of an organization, or where a workload is deployed, the Certifier Framework will help more customers realize the benefits of confidential computing,” he said in a statement.

Yong Ho Hwang, Samsung Electronics VP and Head of Security and Privacy, also endorsed it, adding: “We are pleased to be a supporter of the Certifier Framework and share the common goal of accelerating the adoption of confidential computing through a developer-friendly API for confidential computing trust management.”

Readers interested in the initiative can have a look at the Certifier Framework for Confidential Computing on Github. ®

https://network-security.enterprisenetworkingmag.com/cxoinsights/confidential-computing-the-emerging-security-multitool-nid-1665.html