One of the first jobs I got after I joined IBM was in Competitive Analysis. I got the job after doing a several-year stint in Internal Audit as part of a hand-picked Tiger Team. I made a bit of a name for myself when my team discovered our top executive had breached operational security. This got worse because, during part of Competitive Analysis, I issued a report critical of our Senior VP of Sales only to have that report leaked to our largest client, costing us millions in business and almost costing me my job. Fortunately, I was paranoid, and, in my paranoia, I’d implemented tracking, and we discovered that it was that Senior VP of Sales that had leaked the document to get me fired. (Internal Politics are a bitch).
Things have changed a lot since then, and we have robust laws surrounding customer privacy in most parts of the world, hostile nation-state players attempting to breach large organizations, and the regular criminal activities surrounding insider trading, fraud, identity theft, and election manipulation.
In general, with security, we have mainly focused on the systems and people. Still, as we pivot to new technologies like quantum computing, there is a growing interest in focusing specifically on the data that needs to remain confidential and assuring that it isn’t compromised regardless of where it resides.
Let’s talk about how IBM, which arguably came up with the concept of Confidential Computing, is stepping up to address these problems.
Rohit Badlaney, VP of IBM Z Hybrid Cloud, along with Hillery Hunter, PB & CTO for IBM Cloud, penned a blog post this week. In it, they have a decent summary of how IBM views confidential computing. The relevant section is: “In order to deliver confidential computing, a technology provider must protect the entirety of the business process, which includes everything from the build process, key management to data-services. Failure to fully protect any of these layers leaves the client’s business process exposed. IBM has been delivering on end-to-end confidential computing for its client’s business processes for more than two years. From IBM’s point of view, data protection is only as strong as the weakest link in end-to-end defense – meaning data protection must be holistic. For companies of all sizes, a dynamic and evolving approach to security is required, focused on the long-term protection of data. Solutions that might rely on operational assurance alone simply do not meet our standards.”
The critical part of this is “across the entirety of the business process.” Rather than talking about perimeter security, system security, processor security, or user security—any one of which makes up a part of the security ecosystem—focus on the fact that none of that means anything when there is a breach. If you have a breach, saying any aspect of your security infrastructure is secure is a waste of time—much like pointing out after the horses ran out of the barn that the door on the barn was particularly robust.
People tend to forget that the goal isn’t to build a particularly strong part of a security solution, it is to protect the data and that, once that data is stolen, you are screwed regardless of how secure you thought you were.
While this effort from IBM was first announced back in 2018 with the release of their Cloud Hyper Protect Services, I’d argue it has been part of IBM’s DNA going back to when I worked there before we had named the internet.
If you are interested, IBM’s Cloud Hyper Protect Services is a family of cloud services built with secure enclave technology that integrates hardware and software and leverages the industry’s first and only (according to IBM) FIPS 140-2 Level 4 certified cloud hardware security module (HSM) to provide end-to-end protection for their client’s entire business processes.
The underlying concept behind Confidential Computing is a focus almost exclusively on protecting the data regardless of where it resides and what technology is deployed to protect the related sites. IBM’s clients like Bank of America and Daimler validate the power of this approach and, in the end, this is simply a reminder that the goal isn’t to buy a lot of security software so you can protect yourself if there is a breach. It is to assure there is no breach in the first place, and even if there is, the data remains confidential and safe.
Perhaps we all should focus more on Confidential Computing because it is getting pretty crazy out there.