What's different about Google Asylo for confidential computing?
The Google Asylo framework is an open source alternative for confidential computing. Expert Rob Shapland explains how it works and how it's different from other offerings.
Confidential computing is becoming an important concept as companies process more data in the cloud. Organizations need to trust that the data being processed cannot be viewed by anyone, including the third-party cloud provider that performs the processing, even in a shared cloud environment. This addresses a key security problem of multi-tenant environments, where trust in the other parties cannot be assumed.
The processing workload may contain data that is highly sensitive to the organization or that has implications under legislation such as GDPR. Therefore, in many cases, organizations need to prove that their data is secure at all points. This may include financial data, encryption keys or any other situation in which the company needs to have the utmost trust in the confidentiality and integrity of the processed data.
Google's entry into this arena is called Asylo -- which is Greek for safe place. It consists of an open source framework and software development kit that uses areas known as secure enclaves to process data securely. Google Asylo is provided via the company's container repository or is available as a Docker image that can be used on any platform that supports trusted execution environments (TEEs).
What's unique about Google Asylo?
The key differentiator between Google Asylo and other confidential computing offerings is that Google is aiming to make Asylo much easier to use and more accessible for developers. This should encourage further use of secure enclaves, with the added security benefits that entails.
Usually, TEEs are locked down to specific hardware configurations and tend to require highly specialized skills in order to use them successfully. Google made Asylo available on a much greater variety of hardware and is attempting to reduce the knowledge required to use it successfully.
This has the added advantage of making applications more portable, so they can be moved to other hardware. It also means apps can run on hardware such as laptops, workstations, virtual machines or cloud instances. Applications can be ported across different back ends without code changes, which most confidential computing offerings require.
Overall, Google Asylo should open up confidential computing to significantly more developers than before. The concept is an important one, and it addresses a key security problem that isn't going away -- how to secure data processed in multi-tenant cloud environments. Reducing the barriers to entry in terms of skill and hardware can only be a positive move.
It should be noted that this is a relatively small benefit for the overall security of an organization; most organizations have many more pressing security concerns that should be addressed first. However, if your organization has reached a mature level of security and is considering how best to process data considered highly confidential, investing in Google Asylo can significantly help ensure that the data is processed securely -- especially as a first foray into confidential computing, as it doesn't require developers to learn new programming models or invest in specific hardware.