{"id":39905,"date":"2021-09-08T17:31:03","date_gmt":"2021-09-08T17:31:03","guid":{"rendered":"https:\/\/www.vmengine.net\/2021\/09\/08\/confidential-computing-the-perspective-of-aws\/"},"modified":"2025-05-23T17:32:11","modified_gmt":"2025-05-23T17:32:11","slug":"confidential-computing-the-perspective-of-aws","status":"publish","type":"post","link":"http:\/\/temp_new.vmenginelab.com\/en\/2021\/09\/08\/confidential-computing-the-perspective-of-aws\/","title":{"rendered":"Confidential computing, the perspective of AWS"},"content":{"rendered":"<div class=\"et_pb_section et_pb_section_336 et_section_regular\" >\n<div class=\"et_pb_row et_pb_row_434\">\n<div class=\"et_pb_column et_pb_column_4_4 et_pb_column_440  et_pb_css_mix_blend_mode_passthrough et-last-child\">\n<div class=\"et_pb_module et_pb_text et_pb_text_1347  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p>Customers from all over the world and of all types entrust their most sensitive data and applications to <a href=\"https:\/\/aws.amazon.com\/it\/\"><strong>Amazon Web Services<\/strong><\/a>. For this reason, AWS has invested more and more over the years in technologies and systems designed to maintain and increase the level of security and confidentiality it offers its customers. Particularly in the last year, there has been growing interest in the concept of confidential computing.<\/p>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1348  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p>AWS defines <em><strong>Confidential Computing as &#8220;the use of specialized hardware and associated firmware to protect customer code and data during processing from external access.&#8221;<\/strong><\/em><br \/>In addition, confidential computing distinguishes between two dimensions: security and privacy. 
The most important dimension is the protection of the customer&#8217;s code and data from the operator of the underlying cloud infrastructure. The second dimension is the ability of customers to divide their workloads into more trusted and less trusted components, or to design a system in which multiple parties work in close collaboration while maintaining the confidentiality of each party&#8217;s code and data.<\/p>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1349  et_pb_text_align_center et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\"><h2>AWS and the Nitro System<\/h2>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1350  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p>To meet both levels of security and privacy, AWS has developed the <a href=\"https:\/\/aws.amazon.com\/it\/ec2\/nitro\/\"><strong>Nitro System<\/strong><\/a> (first security dimension) and the <a href=\"https:\/\/aws.amazon.com\/it\/ec2\/nitro\/nitro-enclaves\/\"><strong>Nitro Enclave<\/strong><\/a> system (second security dimension). During the last edition of <a href=\"https:\/\/reinforce.awsevents.com\/\"><strong>Re:Inforce<\/strong><\/a>, an AWS event entirely dedicated to security, space was given to the presentation of the Nitro system.<\/p>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1351  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p>Nitro consists of three main parts: <strong>the Nitro cards<\/strong>, the <strong>Nitro security chip<\/strong>, and <strong>the Nitro hypervisor<\/strong>. 
Nitro <strong>cards<\/strong> are dedicated hardware components with compute capabilities that perform I\/O functions, such as the Nitro <strong>card<\/strong> for Amazon Virtual Private Cloud (Amazon VPC), the Nitro <strong>card<\/strong> for Amazon Elastic Block Store (Amazon EBS), and the Nitro <strong>card<\/strong> for Amazon EC2 instance storage.<\/p>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_image et_pb_image_369 et_animated et-waypoint\">\n<p>\t\t\t\t<span class=\"et_pb_image_wrap \"><img decoding=\"async\" src=\"http:\/\/temp_new.vmenginelab.com\/wp-content\/uploads\/2021\/09\/nitro-enclaves-foto-2.jpg\" alt=\"\" title=\"Nitro-Enclaves Photos\"  sizes=\"(max-width: 740px) 100vw, 740px\" class=\"wp-image-33914\" \/><\/span>\n\t\t\t<\/div>\n<div class=\"et_pb_module et_pb_cta_264 et_pb_promo  et_pb_text_align_center et_pb_bg_layout_light\">\n<div class=\"et_pb_promo_description et_multi_view_hidden\"><\/div>\n<div class=\"et_pb_button_wrapper\"><a class=\"et_pb_button et_pb_promo_button\" href=\"https:\/\/www.youtube.com\/watch?v=kN9XcFp5vUM\" target=\"_blank\">Watch Nitro&#8217;s presentation at Re:Inforce<\/a><\/div>\n<\/p><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1352  et_pb_text_align_center et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\"><h2>The Three Approaches of the Nitro System<\/h2>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1353  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">Let&#8217;s try to see specifically how the Nitro system manages to offer different levels of security.<\/div>\n<\/p><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1354  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<ul>\n<li><strong>Protection from Cloud operators<\/strong>. 
With the Nitro system, no one can access EC2 servers (the underlying host infrastructure), read EC2 instance memory, or access data stored in instance storage and encrypted EBS volumes.<\/li>\n<\/ul>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1355  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<ul>\n<li><strong>Protection from AWS system software<\/strong>. The Nitro system design uses low-level hardware-based memory isolation to eliminate direct access to customer memory, as well as to eliminate the need for a hypervisor on bare metal instances.<\/li>\n<\/ul>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1356  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p style=\"padding-left: 40px;\"><em><strong>For virtualized EC2 instances.<\/strong> <\/em>The Nitro Hypervisor coordinates with the underlying hardware virtualization systems to create virtual machines that are isolated from each other and from the hypervisor itself. Network, storage, GPU, and accelerator access uses SR-IOV, a technology that allows instances to interact directly with hardware devices using a pass-through connection securely created by the hypervisor.<\/p>\n<p style=\"padding-left: 40px;\"><em><strong>For bare metal EC2 instances.<\/strong> <\/em>In this case, there is no hypervisor running on the EC2 server, and customers get dedicated, exclusive access to the entire underlying main system board. Bare metal instances are designed for customers who want to access physical resources for applications that take advantage of low-level hardware capabilities, and for applications that are intended to run directly on hardware or licensed and supported for use in non-virtualized environments. 
Bare metal instances have the same storage, networking, and other EC2 capabilities as virtualized instances because the Nitro system implements all of the system functions normally provided by the virtualization layer in isolation and independently using dedicated hardware and purpose-built system firmware.<\/p>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1357  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<ul>\n<li><strong>Protection of sensitive data from customer operators and software<\/strong>. For this type of protection, AWS offers <a href=\"https:\/\/aws.amazon.com\/it\/ec2\/nitro\/nitro-enclaves\/\">Nitro Enclaves<\/a>. Nitro Enclaves is a hardened, highly isolated computing environment that is launched and attached to a customer&#8217;s EC2 instance. By default, no users or software running on the customer&#8217;s EC2 instance can have interactive access to the enclave. Nitro Enclaves has cryptographic attestation capabilities that allow customers to verify that all software deployed in their enclave has been validated and has not been tampered with. A Nitro enclave has the same level of protection from the cloud operator as a regular Nitro-based EC2 instance, but adds the ability for customers to divide their systems into components with different levels of trust. 
A Nitro enclave provides a means to protect particularly sensitive elements of customer code and data not only from AWS operators but also from customer operators and other software.<\/li>\n<\/ul>\n<\/div><\/div>\n<div class=\"et_pb_module et_pb_cta_265 et_pb_promo  et_pb_text_align_center et_pb_bg_layout_light\">\n<div class=\"et_pb_promo_description et_multi_view_hidden\"><\/div>\n<div class=\"et_pb_button_wrapper\"><a class=\"et_pb_button et_pb_promo_button\" href=\"https:\/\/www.youtube.com\/watch?v=t_9CASbagag\">See all Nitro benefits<\/a><\/div>\n<\/p><\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_1358  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p>The primary benefit of the Nitro system is that it allows customers to protect and isolate sensitive data processing from AWS operators and software at all times. It provides the most important dimension of confidential computing, i.e. the set of intrinsic, by-default protections against system software and cloud operators, and, thanks to Nitro Enclaves, it also protects against the customer&#8217;s own software and operators.<\/p>\n<\/div><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Confidential Computing. Protection and security of sensitive data. 
In this article, you learn about the AWS approach.<\/p>\n","protected":false},"author":6,"featured_media":33907,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[97,2297,1374],"tags":[132,133,4721,1908,4394],"class_list":["post-39905","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","category-news-en","category-the-analysis","tag-amazon-web-services-en","tag-aws-en","tag-confidencial-computing-en","tag-privacy-en","tag-safety"],"aioseo_notices":[],"jetpack_featured_media_url":"http:\/\/temp_new.vmenginelab.com\/wp-content\/uploads\/2021\/09\/gif-lock-1.gif","amp_enabled":true,"_links":{"self":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts\/39905","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/comments?post=39905"}],"version-history":[{"count":1,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts\/39905\/revisions"}],"predecessor-version":[{"id":41643,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/posts\/39905\/revisions\/41643"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/media\/33907"}],"wp:attachment":[{"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/media?parent=39905"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/categories?post=39905"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/temp_new.vmenginelab.com\/en\/wp-json\/wp\/v2\/tags?post=39905"}],"curies":[
{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}