Ten tech giants join forces to beef up data security

By Marilyn de Villiers
Johannesburg, 26 Aug 2019

The Linux Foundation has announced the formation of the Confidential Computing Consortium, which is gearing up to make it easier to protect sensitive data across different computing environments.

As data breaches become increasingly common, regulators around the world are introducing increasingly stringent regulations with ever-more punitive conditions for failure to comply.

Now ten of the world’s largest tech companies in the open source arena, including Google Cloud, IBM, Microsoft and Red Hat, have joined forces to try and make computing safer and more secure by signing up as founder members of the Confidential Computing Consortium.

Other members of the consortium include Alibaba, Arm, Baidu, Intel, Swisscom and Tencent.

According to The Linux Foundation, consortium members – which will ultimately include hardware vendors, cloud providers, open source experts and academics – will collaborate on open source technologies and standards that accelerate the adoption of confidential computing.

In a statement announcing the consortium, the Foundation noted that as companies move their computing workloads across different environments, spanning on premises to public cloud to edge, they need protection controls for sensitive IP and workload data, and are increasingly seeking greater assurances and more transparency of these controls.

However, providing for a fully encrypted lifecycle for sensitive data across the various environments is proving particularly challenging.

It is hoped that the development of confidential computing standards and advances will enable encrypted data to be processed in memory without exposing it to the rest of the system, reducing exposure for sensitive data and providing greater control and transparency for users.

“The Confidential Computing Consortium is a leading indicator of what’s to come for security in computing and will help define and build open technologies to support this trust infrastructure for data in use,” said c, executive director at The Linux Foundation.

The move could not come soon enough. Sonatype’s 2019 State of the Software Supply Chain Report noted that there had been a 71% increase in confirmed open source-related breaches since 2014, with one quarter of respondents in its survey reporting a confirmed or suspected open source-related breach in the previous 12 months.

The establishment of the Consortium – and the results of its work – will also prove beneficial to South African organisations facing stiff penalties for non-compliance with the Protection of Personal Information (POPI) Act. According to Pétanque Consultancy, the POPI Act requires any organisation that collects and processes personal information to do so in a manner that is fair, responsible and secure.

Businesses that fail to comply with POPIA can face severe penalties, regardless of whether the non-compliance was intentional or accidental. Fines ranging from R1 million to R10 million can be levied, and there is also provision in the Act for imprisonment of up to 10 years in cases of serious breaches.

In addition, all businesses located anywhere in the world, including South Africa, that have any kind of business dealings with Europe have to comply with the General Data Protection Regulation (GDPR).

Several of the participants in the Confidential Computing Consortium have already committed to making open source project contributions to the Consortium. These include:

  • Intel Software Guard Extensions (Intel SGX) Software Development Kit, which is designed to help application developers protect select code and data from disclosure or modification at the hardware layer;
  • Microsoft Open Enclave SDK, an open source framework that makes it easier for developers to build Trusted Execution Environment (TEE) applications; and
  • Red Hat Enarx, a project providing hardware independence for securing applications using TEEs.