An important milestone in making confidential computing in the IoT mainstream for privacy and security.

In cooperation with Arm® Technologies and Scalys BV we give the immediate availability of the Blueprint for enclave device help make confidential computing a mainstream computing paradigm at the edge. The exponential growth of intelligent processing at the edge and autonomous control and monitoring in the Internet of Things (IoT) requires confidential data processing to protect privacy and security. Confidential computing at the edge requires the use of security and manipulation-proof computing isolations, which are referred to as Trusted Execution Environments (TEE) or simply as enclaves. Enclave devices are extremely complex to develop and operate, and their absence holds back their full potential in edge computing. The Enclave Device Blueprint is intended to help simplify the engineering of enclave devices and the provision of confidential applications in the IoT.

Figure 1: Blueprint architecture for enclave devices

The increasing need for confidential data processing

Confidential Computing complements traditional computing paradigms with additional safeguards for computing workloads and data in use. Traditional computing uses cryptography to encrypt content in the form of compute workloads, data and AI models while it is being stored or transmitted, but must decrypt the content when it is used in storage. This model continues to work quite well for operating air-gap computing networks, where there are fewer concerns about data exfiltration or malicious tampering. IoT and cloud computing, on the other hand, are heralding the age of computing, which is characterized by hyperconnectivity, multi-tenant computing infrastructures and data-driven autonomous control and monitoring of many systems, including critical infrastructures, which demand a higher level of data protection and security. Confidential Computing with TEE provides the computing isolations required to ensure both data protection and security and to unleash the full power of digital transformation with IoT.

Special considerations for IoT

A key difference to keep in mind with confidential computing in the cloud and at the edge is that while cloud solution providers set up and operate the necessary infrastructure in the cloud for their customers, IoT solution builders handle the development of enclave devices and the complexity are responsible in the cloud that holds them back.

While confidential computing infrastructure resides in the cloud in data centers, where they benefit from additional facilities and operational security controls, IoT and enclave devices are generally seen as a constant threat from malicious physical access. To minimize this threat, enclave devices prefer tying trust directly or very close to the root-of-trust hardware (bare metal) over using monitoring software such as hypervisors and container runtimes to use the Trusted Computing Base (TCB ) to a minimum. Surveillance software, on the other hand, helps abstract from hardware to allow scaling across hardware technologies at the cost of a larger TCB. The fact that the economies of scale of surveillance software must be avoided for greater security is a source of complexity in building, operating, and maintaining enclave devices.

The Enclave Device Blueprint at its core aims to solve these challenges in a way that still maintains security at the highest possible level.

The blueprint for the enclave device

The Enclave Device Blueprint includes projects, resources and guidance to abstract and simplify the development of Enclave devices and to facilitate the delivery of sensitive applications for the IoT. It seeks to complement traditional computing by closing the architecture and component gaps to make confidential computing mainstream in IoT.

The blueprint is independent of hardware technologies, operating systems or the solution cloud. It invites you to take a community approach to solving a very complex problem where participants can work together to reduce costs and promote greater security through the transparency that comes with open source. All blueprint components are currently in open source and were developed with the vision of complete community ownership and governance.

A real finding

More than just a collection of projects, resources, and guides, we’ve made sure that the effectiveness of the Enclave Device Blueprint is validated against a real-world device and project. The Enclave Device Blueprint was inspired by real-world observation of the obstacles that hinder confidential computing at the edge. It was therefore important to ensure that the blueprint addresses obstacles from real experience and is supported by real product truth.

While working together to develop the Enclave Device Blueprint, Original Device Manufacturer (OEM) and Secure Devices Builder, Scalys BV, jointly developed TrustBox Edge 201 from the blueprint to meet both of these requirements Azure IoT Edge Requirements for certified and tamper-proof enclave devices for confidential data processing in the IoT.


Figure 2: TrustBox Edge 201 (source: Scalys 2021)

Building on the Azure cloud and using fully managed services such as Azure IoT Edge, Azure IoT Hub, Azure functions, and Azure key vaultWe have integrated the software components of the Enclave Device Blueprint to orchestrate an end-to-end build-deploy pipeline on a scale for confidential applications in the IoT. It is the modular nature of the Enclave Device Blueprint components that make them independent of technology, operating system or the cloud. The full project is available on Azure samples and ready to try out with TrustBox Edge 201 by Scalys BV. the Enclave Device Blueprint white paper provides a detailed explanation of the blueprint components.

The trip goes on

The Enclave Device Blueprint marks an important milestone aimed at advancing the development of enclave devices and deploying sensitive applications on a large scale in the IoT. Enclave devices help ensure the privacy and security required for the IoT to achieve its full potential. Based on the history, it can be safely assumed that this is just one of many milestones. The most obvious next is the seamless integration with confidential computing services in the cloud for a unified and end-to-end confidential computing experience at the cloud edge.

Learn more


Source link

Leave a Reply