Confidential containers using Red Hat OpenShift Container Platform and IBM® Secure Execution for Linux
Hybrid cloud has become the dominant approach for enterprise cloud strategies, but it comes with complexities and concerns about integration, security, and technology. To address these issues, the industry is embracing container runtime environments to abstract the infrastructure. Red Hat OpenShift Container Platform (RH OCP) has emerged as the leading solution for supporting the application development lifecycle, provisioning and managing container images and workloads as a platform for containerized applications and ecosystems. RH OCP provides a common deployment, control, and management environment for workloads across the diverse set of infrastructure that underpins a hybrid cloud.
Simply put, Red Hat OpenShift is the leading hybrid cloud application platform built on open source innovation designed to build, deploy, and run applications at scale, wherever you want.
Hybrid cloud is also requiring a major rethink of how data and assets are secured and protected. Therefore, the industry continues to move away from traditional moat and castle strategies to zero trust-based architectures that micro-segment the environment to minimize the attack surface.
Confidential Computing is a new, native feature that helps protect data in use. Securing data at rest and in motion has been standard industry practice for decades. However, with the advent of hybrid and distributed management of infrastructure, it is now essential to equally protect data in use. More specifically, confidential computing uses hardware-based security-enhanced enclaves to allow tenants to host workloads and data on untrusted infrastructure while allowing anyone with privileged access to that infrastructure to access the workload. and ensures that the data cannot be read or modified. This is commonly referred to as a technical warranty which can be summarized as follows: No provider or person has access to your data. Technical warranty is not provided by the service provider or individual. We promise not to access your data, even if we technically can.. As compromised credential threats and insider threats become the leading cause of data security incidents, technical assurance to protect sensitive and regulated workloads, whether running on traditional on-premises or in public cloud data centers, has become a priority.
IBM and RedHat have recognized the technical assurance requirements of hybrid cloud platforms. As part of the Cloud Native Computing Foundation (CNCF) confidential container open source community, they continue to work together to address these issues and enable confidential container technology. The latter combines security-hardened enclave technologies such as IBM Secure Execution for Linux with OpenShift on Kubernetes to enable containers to be deployed into secure pods, providing all the benefits of the ubiquitous RH OCP operational experience while protecting tenants’ containers. It is designed to do this. From privileged user access. Confidential Containers go beyond previous efforts to solve this problem by isolating containers not only from infrastructure administrators but also from Kubernetes administrators. This gives tenants the best of both worlds: deploy once, anywhere, fully leveraging the abstraction of managed OpenShift, while deploying data and workloads in a completely private and isolated area with technical assurance. The latter is hosted and managed on a third-party infrastructure.
IBM is adding Zero Trust principles to IBM Hyper Protect Platform, designed to increase security and ease of use.
This unique feature is designed for workloads with strong data sovereignty, regulatory, or data privacy requirements.
Confidential containers therefore play a key role across industries designed to protect data and foster innovation. Some use cases to highlight are:
Confidential AI: Leverage trusted AI and ensure model integrity and data confidentiality.
Organizations leveraging AI models often face issues related to the privacy and security of the data used for training and the integrity of the AI models themselves. It is important to protect the confidentiality of proprietary algorithms and sensitive training data. In many cases, multiple parties must collaborate and share sensitive data or models with each other to gain valuable AI-based insights. On the other hand, the valuable data needed to gain these insights must be kept confidential and not shared only with specific parties or with third parties at all.
So, is there a way to gain insights into valuable data through AI without exposing your data sets or AI models (LLM, ML, DL) to others?
Red Hat OpenShift, powered by Confidential Containers powered by IBM Secure Execution, provides a confidential AI platform. This protects both AI models and training data, allowing organizations to deploy machine learning models without violating intellectual property or exposing sensitive information. By mitigating attack vectors through security-hardened containers, confidential containers ensure the integrity of AI models and strengthen trust in AI applications.
Healthcare: Enabling healthcare technology while keeping patient data private
In the healthcare industry, protecting sensitive patient data is of utmost importance. As the adoption of digital health records and collaborative research initiatives increases, there are growing concerns about protecting patient information from unauthorized access and potential breaches.
Red Hat OpenShift leverages confidential containers to create a secure enclave for healthcare applications. This ensures that records and sensitive medical data are encrypted and processed securely, preventing data leaks and unauthorized access. By securing both code and data, healthcare organizations can confidently embrace digital transformation while protecting patient privacy by adopting data privacy-enhancing technologies like Confidential Compute.
It is designed to support a variety of use cases in the healthcare industry, one of which is secure multi-party collaboration across multiple institutions, as shown in the following example:
Financial Services: Transform customer experiences while keeping sensitive information safe and compliant.
Financial institutions face constant threats to sensitive data and financial transactions. The industry demands a secure infrastructure that can protect sensitive financial information, prevent fraud, and ensure regulatory compliance.
Red Hat OpenShift with confidential containers provides a hardened environment for financial services applications. This ensures that financial data and transactions are processed within secure premises, protecting them from external threats. OpenShift’s confidential containers help financial institutions meet stringent regulatory requirements and strengthen the overall security posture of their digital infrastructure by protecting code and data integrity.
Enhances digital rights management and intellectual property protection through tokenization to protect confidential computing
In today’s digital environment, the risks associated with stolen tokens or unauthorized signatures of their contracts, such as intellectual property and digital rights tokens, pose significant challenges. Potential financial losses and threats to the integrity of digital ecosystems require robust solutions that go beyond traditional security measures.
Confidential Computing provides a practical solution to the risks associated with stolen tokens by integrating confidential computing technology into the tokenization process designed to build end-to-end security. This approach ensures that sensitive operations occur in a secure and isolated environment, protecting the confidentiality and integrity of digital assets throughout their lifecycle. Confidential computing is designed to prevent malicious actors from decrypting or tampering with sensitive information, even if they have access to the underlying infrastructure.
Implementing a secure token platform through confidential computing can provide real benefits. Digital rights holders can manage and monetize their intellectual property without ongoing concerns about piracy or unauthorized distribution. Stakeholders across a variety of industries gain the ability to create, transact, and enforce digital contracts with confidence in the security of their tokenized assets. The financial impact associated with token theft is significantly minimized, reducing the risk of revenue loss due to piracy or counterfeiting. This not only protects the economic interests of content creators and distributors, but also promotes a more trustworthy digital ecosystem.
In conclusion, adopting confidential computing in the tokenization process addresses the critical challenge of scaling use cases from financial assets and real estate to much larger scale tokens that protect digital rights and intellectual property. The result is a more secure token platform that provides content creators, distributors and consumers with the confidence to engage in digital transactions while ensuring the continued growth and integrity of the digital economy.
One example of growing token usage is online gaming. Confidential computing is integrated into tokenization to protect in-game assets such as virtual currency and items. It is designed to enhance security and minimize the financial risk and disruption caused by stolen tokens in the dynamic environment of online gaming.
Sovereign Cloud: Enhances data security to ensure data privacy and sovereignty.
National security and data sovereignty concerns require a secure hybrid cloud infrastructure designed to ensure that sensitive data and applications are not subject to unauthorized access or foreign jurisdiction.
Red Hat OpenShift, with its confidential container capabilities, supports sovereign cloud implementations. By deploying secure containers, nations can host sensitive applications and data within a protected environment, strengthening data sovereignty and protecting against external threats. This solution fosters national security in the digital age by providing a trusted platform for government agencies and critical infrastructure.
Zero Trust SaaS: Successfully innovate in SaaS while keeping your clients’ data private by applying built-in Zero Trust principles.
As a SaaS provider seeking to deliver scalable solutions to target customers with sensitive data or regulatory requirements, the challenge is to deliver cloud-based services without compromising the security and confidentiality of customer data. The need for a comprehensive Zero Trust framework is critical to ensuring customers that sensitive information remains inaccessible not only to SaaS providers, but also to the underlying cloud infrastructure.
Powered by confidential containers and integrated with Zero Trust as a Service, Red Hat OpenShift transforms the approach to Zero Trust SaaS from the provider perspective. This solution helps SaaS providers, cloud providers, IaaS administrators, and Kubernetes administrators have zero access to client data.
The lack of isolation between different clusters within a cloud environment not only helps optimize costs but also simplifies operational efficiency. At the same time, pod-level isolation within each cluster namespace enhances security, reducing authentication audit efforts and strengthening the SaaS provider’s commitment to data integrity.
Additionally, multi-party zero trust implementations allow clients and fourth-party ISVs to run confidential workloads as containers without direct access to the underlying data. This innovative approach not only meets customers’ stringent security requirements, but also positions SaaS providers as trusted partners capable of delivering scalable, secure solutions to customers with sensitive data or regulatory constraints. .
Learn more about confidential computing with IBM Secure Execution on IBM LinuxONE