Edgeless Systems Brings Confidential Computing to Kubernetes

German company Edgeless Systems is bringing a new idea to cloud native computing security: confidential computing with Constellation, its Kubernetes confidential orchestration platform.
So, what is confidential computing, you ask? Well, it’s actually a simple idea: encrypt everything, even when it’s in memory.
As the Confidential Computing Consortium (CCC) explains, data exists in three states: in the network, at rest, and in use. We already encrypt data to protect it when it’s moving, with protocols such as HTTPS and SSL. And we already encrypt it when we’re storing it. That leaves the third state, protecting data in use, as “the new frontier.”
Public Cloud Like Private Cloud
Edgeless argues that by using Constellation to leverage confidential computing, you can isolate and runtime-encrypt entire Kubernetes deployments. This, the company states, means Constellation enables you to use the public cloud like your private cloud.
“Confidential Computing will usher in a new era of securing data in the cloud. With our unique expertise, we are making this new technology accessible to enterprises at scale,” said Felix Schuster, a confidential computing pioneer and Edgeless Systems co-founder and CEO. “Processing data that is always encrypted — not only at rest and in transit but also while in use — is a difficult task.” But Constellation makes it happen.
This addresses the old, familiar worry: “Is your data actually safe on a third-party public cloud?” Edgeless claims that it now is, since your data stays encrypted within the cloud’s RAM.
Now, as you’d guess, securing and using encrypted data isn’t easy. Constellation addresses this by taking care of such complexities as the verification, or attestation, of confidential virtual machines (VMs) and workloads, secure connections, key management, and data encryption. Indeed, with Constellation, Edgeless claims you “can lift and shift existing Kubernetes deployments to unprecedented levels of security without changing tools or code.”
Runs on All Major Clouds
Constellation runs on any cloud environment that supports AMD’s Secure Encrypted Virtualization (SEV). This includes all major infrastructure providers such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform.
How? Schuster explained that Constellation is based on the company’s open source program MarbleRun. MarbleRun, in turn, provides a confidential computing control plane to deploy, scale, and verify apps on Kubernetes. Its technology enables user-level code to allocate private memory regions, called enclaves. These can then host confidential computing VMs. Within these, you run Kubernetes and anything else you like, as usual.
As a developer, you don’t need to worry about the details of how it does this, or change your code to use it. Schuster said, “The beauty is that from the inside, everything just looks and feels like normal Kubernetes, while from the outside everything is shielded end-to-end from the cloud infrastructure.”
Constellation works with AMD SEV, the upcoming Intel Trust Domain Extensions (TDX), and AWS Nitro enclaves. Again, these details matter to the people building MarbleRun and Constellation. You, the person using them, don’t need to worry about them any more than you worry about your chip’s architecture.
Schuster is, of course, very excited about Constellation. “Constellation is finally the right approach towards confidential computing at scale.” Here’s the thing. I think he’s right. There’s a clear need to protect data in memory today. Constellation addresses this security requirement while promising to be easy to use and deploy. Keep an eye on confidential computing and Constellation. You’ll be hearing a lot more about both soon.