Confidential computing offers financial services companies a new way to share data and take advantage of the flexibility of cloud technology without putting highly confidential customer data at risk. For companies in highly regulated sectors like finance, data security is paramount: IBM’s Cost of a Data Breach report puts the average cost of a breach at $4.35m, up 12.7% since the start of the coronavirus pandemic. Confidential computing lets financial institutions such as banks and insurers process highly confidential data in the cloud in the knowledge that it cannot be read by the cloud provider, by malicious insiders, or by the other institutions they work with.
How confidential computing works
So what is confidential computing? Think of it as cloud technology that keeps data protected while an application is actually using it. It works by isolating sensitive data, and the code that processes it, in a protected CPU enclave whose memory is encrypted by the processor and is accessible only to the code running inside it. The Confidential Computing Consortium defines it as follows: “The protection of data in use by performing computations in a hardware-based Trusted Execution Environment (TEE).” Only authorised software can read the data within the TEE, which remains protected even from the operating system, the hypervisor and any malware running on the host. Which software counts as authorised is established by attestation: the hardware measures the code loaded into the enclave and signs a report of that measurement, and a data owner releases its decryption keys only to an enclave whose report matches the code it expects.
The result is that the data is effectively invisible to anyone outside the enclave while it is in use, including the cloud provider and its system administrators. This is what makes the technology so appealing to financial institutions: it protects data ‘in use.’ Existing cloud controls protect data ‘at rest’ (while stored, with disk or database encryption) and ‘in transit’ (while moving over a network connection, with TLS), but between those two states the data has always had to sit in plaintext in the memory of a machine the institution does not control. Confidential computing plugs that gap and adds another crucial layer of security on top of the existing ones. The layer has limits a practitioner should keep in mind: the TEE protects the data from the host, not from bugs in the application running inside the enclave, and the guarantee rests on the chip vendor’s hardware and attestation service being trustworthy.
Securing institutions
For financial institutions, moving to the cloud means a new attack surface and a different risk profile. The big public cloud environments are built on a defence-in-depth approach, layering security controls so that data stays protected if any one ‘layer’ fails. Confidential computing adds a further, independent layer: even if a flaw is found in the hypervisor, the host operating system or the provider’s own controls, customer data being processed inside the enclave remains protected.
This means financial institutions can embrace cloud technology with confidence, harnessing its flexibility and cutting costs such as running on-premises infrastructure. It also helps with business agility, shortening the time to business value; increasingly, confidential computing will become a business imperative in the sector.
Permission-based access
Take financial crime cases as an example. In money laundering investigations, banks and other institutions need to work together to track money as it moves rapidly through multiple accounts at different banks. Confidential computing lets them collaborate without exposing their input data: each bank keeps its records encrypted, releases the decryption key only to an enclave that attests to running the jointly agreed analytics code, and only the agreed output of that analysis leaves the enclave. No bank can ‘see’ the full data set, but together they can spot customers moving money rapidly between several accounts and banks.
This shows the importance of authorised access. Because confidential computing allows data to be read only by authorised applications, it opens up new ways to use data, such as collaboration between different financial institutions, which creates business opportunities but can also help to root out fraud and money laundering. Confidential computing also complements secure multi-party computation (MPC), a cryptographic technique for the same goal of computing over several parties’ inputs without revealing them: a TEE can run the same joint computation at native speed, at the price of trusting the hardware vendor’s attestation rather than a cryptographic protocol alone.
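The attestation-gated key release described under “How confidential computing works”, applied to the multi-bank money-laundering analysis above, as an added example that is not code from the article or from any vendor SDK. Everything in it is a stand-in: the CPU attestation key is an HMAC secret, the enclave is a plain Python object, the at-rest cipher is a toy XOR keystream, and the bank records are constructed sample data. A real TEE signs its report with a chip-rooted asymmetric key and encrypts memory in hardware, but the flow the data owner follows (challenge with a nonce, verify the report, check the measurement against an allowlist, only then release the key) is the same.

```python
"""Simulated attestation-gated key release for a multi-bank analytics enclave.

Illustration only: HMAC stands in for the CPU's attestation signature, a Python
object for the enclave, and an XOR keystream for real memory/at-rest encryption.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for the CPU's attestation key; in hardware it never leaves the chip.
_HARDWARE_ATTESTATION_KEY = b"simulated-cpu-attestation-key"

# Constructed sample data (customer id, amount).  The agreed analytics reports only
# how many customers appear at more than one bank, never the records themselves.
BANK_A_RECORDS = ["C100,9500", "C200,120", "C300,9800"]
BANK_B_RECORDS = ["C100,9400", "C400,50", "C300,9700"]
BANK_C_RECORDS = ["C100,9300", "C500,10"]
AGREED_ANALYTICS_CODE = b"count customers seen at more than one bank, v1"
ROGUE_CODE = b"dump every record to the operator"


def measure(code: bytes) -> bytes:
    """Measurement = hash of the code loaded into the enclave, as hardware does at launch."""
    return hashlib.sha256(code).digest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream cipher (NOT secure); stands in for at-rest encryption."""
    keystream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                         for i in range(len(data) // 32 + 1))
    return bytes(p ^ k for p, k in zip(data, keystream))


toy_decrypt = toy_encrypt  # XOR is its own inverse


@dataclass
class AttestationReport:
    measurement: bytes
    nonce: bytes
    signature: bytes


class Enclave:
    """Simulated TEE whose identity is the measurement of the code it runs."""
    def __init__(self, code: bytes):
        self.measurement = measure(code)

    def attest(self, nonce: bytes) -> AttestationReport:
        # "Hardware" signs measurement || nonce; host code cannot forge this or lie about the measurement.
        sig = hmac.new(_HARDWARE_ATTESTATION_KEY, self.measurement + nonce, hashlib.sha256).digest()
        return AttestationReport(self.measurement, nonce, sig)


class DataOwner:
    """A bank: keeps its records encrypted and releases the key only to approved code."""
    def __init__(self, name: str, records: list, approved_measurements: set):
        self.name = name
        self.key = secrets.token_bytes(32)
        self.approved_measurements = approved_measurements
        self.ciphertext = toy_encrypt(self.key, "\n".join(records).encode())  # data at rest
        self._issued_nonces = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._issued_nonces.add(nonce)
        return nonce

    def release_key(self, report: AttestationReport):
        # 1. Freshness: the nonce must be one we issued and not yet used (no replayed reports).
        if report.nonce not in self._issued_nonces:
            return None
        self._issued_nonces.discard(report.nonce)
        # 2. Authenticity: the report must verify under the hardware attestation key.
        expected = hmac.new(_HARDWARE_ATTESTATION_KEY, report.measurement + report.nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, report.signature):
            return None
        # 3. Policy: the measurement must be on this bank's allowlist of agreed analytics code.
        if report.measurement not in self.approved_measurements:
            return None
        return self.key


def run_joint_analytics(enclave: Enclave, owners: list):
    """Runs inside the enclave: obtain each bank's key by attesting, decrypt only in
    enclave memory, and emit just the agreed aggregate.  None if any bank refuses."""
    banks_per_customer = {}
    for owner in owners:
        key = owner.release_key(enclave.attest(owner.challenge()))
        if key is None:
            return None  # refused: this enclave is not running approved code
        for line in toy_decrypt(key, owner.ciphertext).decode().splitlines():
            banks_per_customer.setdefault(line.split(",")[0], set()).add(owner.name)
    return sum(1 for banks in banks_per_customer.values() if len(banks) > 1)


def demo():
    """Returns (result for the agreed analytics code, result for rogue code)."""
    approved = {measure(AGREED_ANALYTICS_CODE)}
    banks = [DataOwner("A", BANK_A_RECORDS, approved),
             DataOwner("B", BANK_B_RECORDS, approved),
             DataOwner("C", BANK_C_RECORDS, approved)]
    return (run_joint_analytics(Enclave(AGREED_ANALYTICS_CODE), banks),
            run_joint_analytics(Enclave(ROGUE_CODE), banks))
```

Running `demo()` gives `(2, None)`: the approved enclave learns that two customers (C100 and C300) moved money through more than one bank without any bank seeing another’s records, while an enclave running different code is refused every key because its measurement is not on the allowlist. The nonce check matters as much as the allowlist: without it, a captured report from a genuine enclave could be replayed by host code to obtain the key.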
Confidential computing also opens up other innovative ways to use and share data. Its use cases include collaboration between parties that do not trust one another, regulatory compliance, and “blind” processing, where user data cannot be retrieved even by the service provider or its system administrators.
Keeping data away from bad actors
Having a new ‘layer’ of security offers valuable peace of mind for companies in the tightly regulated financial sector, which routinely handle confidential data and where a large-scale shift to cloud technology was already underway. The Information Commissioner’s Office (ICO) can impose fines of up to £17.5m or 4% of global annual turnover, whichever is higher, for data breaches. British Airways, to take one example, was fined £20m after the personal data of more than 400,000 customers and staff was exposed in a 2018 cyber attack. For financial institutions, confidential computing offers another layer of confidence that data will not end up in bad actors’ hands.
This technology is set for enormous growth in the coming decade, according to analysts. Global research firm Everest Group has predicted that the worldwide market for confidential computing will reach $54bn by 2026.
For organisations in the financial services sector, confidential computing offers further encouragement to shift towards the public cloud, even for use cases that rely on confidential data. It will open up new services for consumers and accelerate the finance industry’s move to the public cloud. In a world where security has never been more important, financial services companies should embrace confidential computing and all it offers.