Hello, my name is Richard Kern. I'm the security officer with our Intel data center group And I want to thank you for listening to our podcast today the title probably got your interest around confidential computing Is it a new buzzword or just hi? I've just got three experts in a room that I want you to listen to I think they're experts in the industry and they've got some really cool products And I just want to get into into this particular room here and just hi guys. How are you doing?
It's good to meet you all. I know you very well But maybe the listener doesn't so before we get into the subject matter around confidential computing can you let the listener know Who you are what company you work for? I think that'll be interesting before we before we start on this particular topic that is catching everybody's imagination right now Of course, I'm Christian younger. It's the only co-founder of Madonna a German cyber security in the privacy company I'm a local phone co-founder of a question on a vision Europe and focus on the data security and privacy I'm Patrick Conte on the head of business development for tanics a cybersecurity company based in Silicon Valley great great Well, I think all of us have been probably working and working together on various initiatives and projects over the last while But really suppose confidential communities to be coming into you know the tech press We've seen have been required by a lot of customers and various different entities at a worldwide level But it's becoming more than a buzzword as you probably all agree and I suppose for the listener It's also good to help everyone understand what what it's all about and I mean from our perspective I'll go and then I love your viewpoints on it over the last two or three years We've seen an interest in more of a granular level of security when it comes to data protection as we saw the transformation happening with the multitude of various different devices We all know whether to millions or billions of devices being connected This is allowed for a massive generation of data to be collected and as a result with the maturity of cloud and we saw that Cloud economics prevail because with all this data being generated and customers needing to derive information from my data Not only do they have to use various different types of clouds but their own as well as various different multiple clouds The challenge arose with trying to manipulate that particular data to derive information But also how do you secure it because the landscape came ultimately more more complex and as that level of complexity increased So did business risk so we all know the foundation of Securities all based around business risk and how do you know what level of risk that you're working with in a dynamic environment like that?
We know that the threats that are there in the industry prevail and people need to get used the fact that the types of threats that are available in the market It's very challenging for any sees or any CXOs to maintain and sustain a level of capability that allows you to be fully protected If any but really long came the need to secure data So then we saw that more industry partners started questioning about the value associated How can we protect data? How can we invest in AI? How can we invest in in different types of cloud-based solutions that will meet their particular industry requirements whether you're in healthcare or whether you're in finance or various different industry segments in FSI and as a result You know there was a need to ensure that security now was going to be a fundamental part of business transformation moving ahead So I suppose really it was up to the industry to collaborate using various different technologies And then we looked at defense-in-depth and which defense-in-depth one really brought the hardware into play So I know from your particular companies You've all saw this opportunity But also saw the need to help customers protect data and to allow them to take advantage of cloud in all its form And also to take advantage of some hardware technologies So I suppose I'll start with past. I mean, you're a VP within Fortanix Tell me, you know, how did Fortanix come about and how did Fortanix identify with the opportunity and get into this space?
Yeah, thanks Richard and in full clarity, you and I've known each other for more than four years And we've had a lot of discussions about the risk and data security This podcast will follow along with some of the things we've been discussing for a long time You know, Fortanix is a cybersecurity company based in Silicon Valley and has been around since 2016 The founders of the company are well-known crypto experts our CEOs a former CTO of cryptographic research Which is a company that basically designs side channel attacks and and then gives companies a way to mitigate them or to remediate them And so these guys when they got together a couple of very bright entrepreneurs They weren't looking at confidential computing as a thing yet and they were looking at protecting data Same thing you were talking about before business risk business risk really in the in the form of how you protect your critical assets of the company And so Fortanix was really founded to unlock the power of the data of your most valuable data by securing it throughout its entire life cycle And that means in storage at rest in motion and in use And then use is really the has been the missing keys in in data security for really for the entire history of the security era We're talking about the data really talking about encryption And so being able to encrypt that last mile that the data in use became the reason why the company got founded was to be able to provide data protection across This entire life cycle Interesting. And is that the same for coffee and Raphael as a company founded on the same principles or Yeah, the company was founded in 2018 and the focus has been really to help our enterprise customers solve the data paradox Data products we see as there as one one one ago Being able to provide more value more use out of data and on the other end goal They need to have more more data production more data security because there are more and more risk out there So the company was really founded around that I mean solving these data products for our enterprise customers and we've all from that to attract here Creators software products of the solutions that kind of help our customers to ensure that a storage Zero true data sharing is interest computing I go I go in details later on that really helping our customers product data Let's still be able to leverage the power and the value of the data they have and Christian You're the CEO and the founders of Madonna. Is that very much a famous botanics and calcium? It's kind of a bit different so Madonna is a pivot from a former startup called digital technologies from the 2016 next to the leading tech university WKH off in Germany and we developed a digitalization solution for retailers and put on sale systems around RFID trackers and clothing So lots of data that potentially could be collected But we had a concrete problem and therefore city pivot how to overcome the issue of data privacy and the possible hacking attacks of variable RFID chips And or clothing likes sharing the clothing data So what we did we invited professionals and experts on back end 16 from different disciplines to find solutions and certain requirements To meet our company values and to go was to find a solution which must be rewarding for the data producers to share the data But at the same time it has to maintain like the data sovereignty of the data subject quite similar to gdb After they but enforce with technology rather than the law and that was the moment when the constant data was born The solution we invented was simply to let the data subject Landry relevant data and construct the insights we want to see in secure environments The resulted insights free from personal and back traceable information gets out and the sensitive data set gets Approvably destroyed and soon we figured out that this solution would benefit not only the richer sector But nearly every data driven business out there and therefore we pivoted to Madonna during the summer of 2017 And today in 2020 we have a patented solution in Germany We filed the international PCD patent and we made free product out of it first Madonna core I'm an enterprise anti-modern platform, but our heart component currently definitely Madonna core as a software tool based of two components Madonna nodes anti-analysis processing entity called Madonna 8 So with Madonna core we can manage and scale cloud-based trust and execution environments as Intel SGX components For example, and we enable secure data processing with insecure Okay, that's interesting and it's interesting that what we're seeing today is, you know, we got a German company We got a French company.
We got an American company that's expanding worldwide with for 10x But it seems to me then it's a global problem It's not just a local one that you've all seen the opportunity locally But you can see it being as as Christian just said is not just in retail. It's across every every facet of every industry So from a basic concept, I mean, we're looking like the the challenges with protecting data I mean pat you mentioned about data in use. I mean the the three components Do you think we solved you know the first two which is around um at rest and in transit and and why is it that in use now Is an area that needs to be addressed and why couldn't we address it before? You know definitely it's the area that needs to be addressed and I also definitely believe that the first two legs If you will the data at rest and the data in motion problems have been solved But the bad guys have evolved the same way that the industry has evolved And so all the new exploits for trying to steal your data Had to do with grabbing it when it was in use Things like you know, man in the middle attacks getting between the TLS tunnel of data in motion And the destination right things like scraping the memory of a server with data in use to try to get the secrets out of it Or even things like stealing the box or stealing the root password You know doing a you know x-raying the chip and things like that I mean All of these things were ways that you know that all of a sudden exploits were starting to steal that data while it was in use And so it was clear Fortanix that we had to we had to secure that and the way that we chose to do it Was to base our technology and our platform on intel sgx Which creates that secure enclave of memory and allows you to put applications and data in there unmodified So we built a commercial platform on top of that which we call runtime encryption And runtime encryption is is an operating system environment to wrap those apps and data and it's also a control plane for managing You know a cluster of enclaves and it's also a development kit what we call Enclave development platform at edp, which is a very secure development platform based on rust That customers can actually write applications specifically for you know for enclaves That's how we sought to solve the problem and when we looked at it We said okay So how do we operationalize this and the most important thing that we saw was that you needed to be able to build enterprise applications on top of this Platform and after talking to a lot of our enterprise customers and partners We built the first application the first practical application for for sgx for you know for runtime encryption And that is in fact what we call our self-defending key management service and it's self-defending because even though it's a born-in-the-cloud software solution You can drop it on top of any server in any environment cloud on premise You know some hybrid environment as long as it's running intel sgx You can drop our software on top of it our self-defending kms and The reason it's self-defending is it uses the enclave the sgx enclave to manage all the key material secrets and and you know Things like tokenization all of those things are are generated and managed out of the enclave Which makes it the most secure key management solution on the on the market today And I think it's most really for the listener.
They probably need to I'm sure they may have heard of it's intel software guard extensions It's built in hardware functionality that's available in certain products And basically what it is is the smallest potential attack service and it builds out an enclave and based on the fact that with With software development kit and sek companies can actually use some of these instructions to decide what they want to do But as far as botanics or caught me in a Madonna You actually help make that a lot easier to to implement by taking advantage of that So with that you can actually decide I think you said there about keys and also whether it's application or pri Be able to put that into the enclave and help protect them It's really that comes down to the the challenges we're talking about is is for instance If you're gathering all this particular information and you want to derive information on it How do you ensure that information that you want to develop or the application or your IP associated with your own business? How do you how do you protect that from being exposed and as we talk attacks and APT's become more intrinsically different difficult to to identify and to protect your environment you have to understand what do you actually going to do in so far as Manipulating that particular data and ensuring that it's protected to the best of its capabilities And as well as a result confidential computing is born out as a term based on what you guys have been working on and trying to achieve So what we're saying is those companies out there if you look at FSI they're looking at health care They want to be able to share information or they want to be able to derive information But how do you protect the personal information associated with that as well? That's that's some of the challenges I know christen you mentioned gpr and you also mentioned about localization I mean can you expand on some of the challenges the customers have in in sapphars pii associate would say with health care data or With geolocation. I mean, why is that a big problem for certain customers?
Sure, so first of all, I think the underlying problem is trust and gpr was enforced by the you Because there's a massive distrust in tech companies But digitalization must continue and in the world with gpr tech companies can only work by building trust with trusted technologies So into sgx for example is trust execution environment is such a technology And we're using it to offer a solution to build this trust between the data producers as n consumers for example And the data consumers as companies who want to work with data by improving data confidentiality enabling secure data processing Anti-transparent utilization of trust Secondly, my opinion is that we need gpr compliant data infrastructure So this is what we at madana try to move forward and to drive forward We call this future data ecosystems or more concrete in my opinion We need to get sure that data producers especially n consumers have to control over the data through encryption enabled by technology And I think this is one of the biggest challenges of this decade for our society but especially for politics and the companies In this regard what I see from our industry projects Is a huge lack on the side of decision makers in confidential computing And this makes it especially for startups very hard to Yet to implement kind of new confidential computing for structures and softwares because most of them don't understand and don't trust what we're doing And that's kind of a problem at the current phase And right now do you find you know a Christian is saying in your domain and or in France or other countries that That's a similar type challenge for for companies especially when we say cryptography or or the need to secure data across areas from domains or I'm probably going to AI in a minute, but I'd be interested to hear what you're saying as well Yeah, so so definitely to to to stress on what a Christian was saying as a trustee There is a key requirement and and this type of their data security Foundation is what we see is that the trust is important But it's also allowed to do new use cases that you will not do without this type of data security infrastructure For example, we work with a company with one project There are two companies that they are already partners or they already trust themselves They are and they're legal arrangements. They trust each other they're not competitors But they don't trust themselves to the level of sharing certain very sensitive data and plus with the dpr and other privacy Regulations they are not allowed to share this data. So we come to them with solutions that that allow them to actually Confidentially pull confidentiality share these data, but never in clear text so that they are both to um to compute algorithms Do calculations across the this virtual data pool without the data actually are being seen by any of these parties So we are trusted importance. Yes, but you need more than trust actually And we see also that the solutions that we have is a trust and that security you know zero trust environments Yeah, I would agree and of course trust is multifaceted, but I would agree and the other aspect of trust is around a level of attestation And attested to a given infrastructure.
So in other words, you know How can I trust that that infrastructure those servers are actually running those applications? How do I know that if that data is not being exposed to run on another infrastructure that either it is moved out of the Location which may infringe upon governance and regulation or it has been moved because of sometimes of intrusion And it's now being being used and can be manipulated somewhere else I mean So so it needs to be bounded by as we say with either a hardware infrastructure or some type of lock-in That that allows you to attest that the individuals are the other company that you went to work with to derive better value from the data Is attested and as well that is a fundamental part of confidential computing as well If we look at most AI projects, so if we look at every AI project or every type of cloud project is is going to have to Consider confidential computing as a fundamental component The answer is over time. I don't think it is today But certainly I think within you know four or five years the only way that the company should accept moving data into a cloud or the cloud Should be in a confidential computing environment where they have you know where they have a hardware underpinning such as sgx to Make sure that that data is protected at all levels The extension into cloud right now is one of the three major security initiatives that most of enterprises are undergoing I mean one is trying to regain control of all of their you know existing encrypted entities and you know hsms and Data lakes and v-sans and everything else that they've gotten and databases that they need to be able to provide Encryption for since encryption is the only proven method of protecting the data The extension into cloud is the second thing and then that leads to confidential computing So this is sort of a build scenario that's going on in the industry right now And so we're right now we're in the regain control phase And that's one of the reasons why we developed the the self-offending kms is to Help companies have a single pane of blast to manage all of their encrypted entities exist today As those companies extend into cloud We have to make this product available in a way that we can provide that data protection across all clouds for standard workloads And then the third thing is as we move into the confidential computing era We need to be able to as you say a test to those workloads being able to be encrypted and Available in those clouds with the attestation of the of the hardware capability of in our case SGX underneath them Thanks for listening to part one of our podcast series on confidential computing Please make sure to tune in to part two which you'll find on your screen