Machine Learning / Security / Contributed

Confidential Computing Is Transforming Data Encryption in Healthcare, Finance

22 Apr 2021 5:00am, by
Dr. Pandurang Kamat
Dr. Pandurang Kamat is Chief Technology Officer at Persistent Systems. He helps enterprises unlock business value through technology and innovation. Prior to Persistent, he was the director of analytics at IAC Search and Media and has also worked at Bell Labs and HP Labs, building secure communications and digital media products. He holds a Ph.D. in Computer Science from Rutgers University, New Jersey.

Confidential computing is an up-and-coming technology that’s been generating buzz over the last few months. Google has gone so far as to call it “a breakthrough technology.” The basic idea is that it brings confidentiality to the entire data lifecycle, guaranteeing data will be safeguarded in transit, at rest and while in use.

But how does this work and what are the use cases being developed? At Persistent, we’ve been digging into confidential computing for months now, going so far as to partner with a leading enterprise blockchain technology software company to develop confidential computing solutions, and we feel that there are two promising use cases that could change how organizations view data migration to the cloud.

But first, let’s discuss confidential computing 101.

How Does Confidential Computing Work?

The idea behind confidential computing is that data has traditionally only been encrypted during two phases: when at rest and in transit. So, for example, data is encrypted when it’s sitting in a database and also when it moves over a network connection.

However, the processing phase has traditionally not been encrypted. So, when the data is in use, it’s actually quite vulnerable. How does confidential computing solve this problem?

It does so via hardware by creating a “trusted execution environment” (TEE) or a secure enclave that is isolated from untrusted code, which includes the operating system and other applications running on the system. This TEE uses encryption keys that can decrypt the private data and use it in computation. While it’s in use, the code and data reside inside the secure enclave and is inaccessible to the rest of the system. The enclave contains trusted code that is previously authorized and whose integrity can be remotely verified before sending private data to it.

As this is an emerging area of research, there are new use cases popping up everywhere, but we’ve identified two that we think are particularly promising.

ML-Based Fraud Detection in BFSI

As organizations leverage machine learning (ML) to improve customer experience, optimize operations, and reduce fraud, they are still skeptical, due to security reasons, about moving sensitive and personally identifiable data to the cloud.

Confidential computing can facilitate ML software companies to offer their vertical-specific and specialized ML models as-a-service with cryptographically assured confidentiality and security of the customer data.

The data owner (e.g., banks) can integrate the remote ML-based fraud detection workflow in their existing on-premises application, safeguarded by their network controls. The model owners (e.g., software vendors) offer their fraud detection service via a secure enclave in the cloud, leveraging features like elasticity, DDoS protection, etc. This fraud prediction model is remotely attestable and verifiable by a client, enabling end-to-end trust in the system.

Fig 1: Reference System for Confidential ML Inference with R3 Conclave

Fighting Health Insurance Fraud

Another potential area of application for confidential computing is in health insurance fraud.

For example, double-dipping or duplicate insurance fraud occurs when a single insurance claim is filed with multiple insurers resulting in multi-billion-dollar losses for the insurance companies annually. While duplicate claims can be easily detected by sharing claim data, data sharing does not happen across organizational boundaries due to regulatory constraints around data privacy and concerns about data sharing between competing providers.

With confidential computing, insurance providers can now collaborate and securely share the necessary attributes of claims data with each other without fear of data exposure or violation of privacy regulations.

Fig 2: Claim protect features with Persistent and R3 Conclave

Data in the Cloud, Secure.

While we explored the two use cases covered above in-depth, confidential computing is invaluable for any organization that handles personally identifiable data, especially when moving workloads to the cloud. We are now able to load pre-trained machine learning models directly into the secure enclave for inferencing. Secure collaborative sharing has the potential to unleash new business insights and build mutually beneficial strategies even amongst competitors, such as countering fraud. It is secure, adaptable and flexible — a great choice for any business looking to harness the promise of confidential computing.

Feature image via Pixabay.