OpenShift Confidential Computing Enhances Data Security
In this blog, we will learn how OpenShift confidential computing enhances data security.
This article is the first in a series exploring how confidential computing—an advanced security technology designed to protect data while in use—can be seamlessly integrated into a Red Hat OpenShift cluster. Our primary focus is to ensure that all data processed within OpenShift workloads remains protected at every stage.
In this installment, we’ll delve into the benefits of confidential computing in public cloud environments, addressing key concerns related to data security and trust. Confidential computing plays a crucial role in overcoming challenges faced by highly regulated industries and government organizations by providing enhanced privacy and security. We’ll outline common scenarios where confidential clusters can be deployed and discuss Red Hat’s ongoing commitment to expanding support for these use cases. This article highlights the current capabilities of OpenShift confidential clusters and offers insight into future developments.
Understanding Confidential Clusters
Cloud computing has gained widespread popularity due to its scalability, flexibility, and efficiency. Cloud providers use virtual machines (VMs) to isolate workloads from different tenants, but traditional VMs remain susceptible to security threats originating from the hypervisor, virtual machine monitor, or host system. Protecting sensitive data when running workloads on third-party cloud infrastructure presents a significant challenge.
Confidential computing provides a solution by ensuring data security during processing. While established security practices already safeguard data in transit (e.g., TLS encryption) and at rest (e.g., encrypted storage), confidential computing extends these protections to data in use. This is achieved through hardware-based security features that create a Trusted Execution Environment (TEE), ensuring that data and code remain confidential while being processed.
Most major processor architectures now support confidential computing. For example, x86 architectures include Intel’s Trust Domain Extensions (TDX) and AMD’s Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). Other architectures, such as IBM’s s390x and Power, as well as ARM and RISC-V, also offer or are developing similar technologies. While implementation details differ across vendors, all these technologies aim to protect data from unauthorized access during processing.
A confidential virtual machine (CVM) serves as a TEE by isolating the workload from the hypervisor and host system. The diagram below illustrates the security boundary adjustments when running applications within a CVM.
Securing Workloads with Confidential Computing
To ensure the security and integrity of confidential VMs, several technologies are used:
- Secure Boot: Only verified, digitally signed bootloaders and kernels are allowed to run.
- Measured Boot: A virtual Trusted Platform Module (vTPM) records and verifies boot components.
- Remote Attestation: This process verifies that a CVM is running securely before allowing it to handle sensitive data. The attestation server confirms the security status of the VM based on signed evidence from the hardware and software stack.
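The following added example (not from the original article and not Red Hat code) shows how an attestation verifier can use measured-boot evidence: it replays the event log with the TPM extend rule, compares the result with the PCR value from the quote, and checks each measurement against reference values. The component names and contents are constructed, and the quote's signature and nonce checks are assumed to have been done already.

```python
import hashlib

def measure(blob: bytes) -> bytes:
    """Digest of a boot component, as recorded in the event log."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA-256(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log) -> bytes:
    """Recompute the PCR implied by an ordered list of (name, digest) events."""
    pcr = bytes(32)  # a SHA-256 PCR is all zeros after reset
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def appraise(event_log, quoted_pcr: bytes, reference: dict):
    """Verifier side. Assumes the quote signature and nonce were already checked."""
    if replay(event_log) != quoted_pcr:
        return False, "event log does not match quoted PCR"
    for name, digest in event_log:
        if reference.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    if [name for name, _ in event_log] != list(reference):
        return False, "missing or reordered boot component"
    return True, "trusted"

# Constructed sample data: component names and contents are illustrative only.
GOOD = {"bootloader": b"bootloader v1", "kernel": b"kernel v1", "initrd": b"initrd v1"}
REFERENCE = {name: measure(blob) for name, blob in GOOD.items()}

def boot(components: dict):
    """Simulate measured boot: return (event log, final vTPM PCR value)."""
    log = [(name, measure(blob)) for name, blob in components.items()]
    return log, replay(log)

if __name__ == "__main__":
    clean_log, clean_pcr = boot(GOOD)
    bad_log, bad_pcr = boot({**GOOD, "kernel": b"kernel modified"})
    print(appraise(clean_log, clean_pcr, REFERENCE))  # clean node
    print(appraise(bad_log, bad_pcr, REFERENCE))      # honest log, modified kernel
    print(appraise(clean_log, bad_pcr, REFERENCE))    # clean log sent with a modified boot's PCR
```

The third case is why the verifier trusts the quoted PCR rather than the event log: a log copied from a clean node no longer replays to the value the vTPM actually accumulated.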
Implementing Confidential Computing in OpenShift
When OpenShift clusters are deployed on confidential VMs, all nodes operate within secure environments where workload memory and management services are protected from the host. Each new node undergoes remote attestation to ensure its integrity before being permitted to join the cluster.
This approach enables organizations to leverage the benefits of cloud computing while maintaining control over sensitive data. By isolating OpenShift clusters from the underlying cloud infrastructure, the risk of exposure to unauthorized entities is significantly reduced. Application owners can deploy workloads in a confidential computing environment with minimal changes to their existing OpenShift configurations.
Industries that handle sensitive information—such as finance, healthcare, and government agencies—can now transition to cloud environments while meeting stringent regulatory and security requirements. The following sections highlight key use cases for confidential clusters in the public cloud.
Key Use Cases for Confidential Clusters
Discussions with enterprise users have identified two primary applications for confidential clusters:
1. Digital Sovereignty
With increasing cybersecurity threats, digital sovereignty has become a priority, particularly for public sector IT organizations. Confidential computing supports this initiative by providing a secure environment that facilitates seamless migration of workloads across cloud providers without compromising security.
Adopting a zero trust security model is essential for achieving digital sovereignty. Confidential computing aligns with zero trust principles by enabling remote attestation, ensuring that each new environment is verified before handling sensitive data.
Confidential computing also helps organizations comply with regulatory frameworks like the European Digital Operational Resilience Act (DORA), which mandates data protection at all stages. DORA requires companies to document and test contingency plans for cloud provider failures, making it crucial to have the ability to shift workloads securely between different cloud environments.
OpenShift simplifies this process by providing a consistent experience across cloud providers, reducing the complexity of migrating confidential clusters while ensuring compliance with security regulations.
2. Secure Cloud Bursting
Cloud bursting enables organizations to dynamically scale computing resources by leveraging public cloud infrastructure when demand increases. This is particularly useful when workloads have unpredictable resource requirements or need to optimize costs by utilizing consumption-based pricing models.
Confidential computing ensures that sensitive workloads remain secure even when scaling to the cloud. For instance, NVIDIA’s confidential computing technology extends security protections to GPUs, making it possible to process sensitive AI and machine learning workloads in a confidential computing environment.
By deploying OpenShift confidential clusters, organizations can securely extend their workloads to the public cloud without modifying application configurations. This allows for seamless transitions between on-premises and cloud environments while maintaining data security and regulatory compliance.
Roadmap for Confidential Cluster Deployment
Red Hat is rolling out confidential cluster capabilities in multiple phases to allow early adopters to test and provide feedback. The current and planned phases are as follows:
Phase 1 (Current Availability)
- OpenShift clusters leveraging confidential computing are available on:
  - Google Cloud Platform (GCP): OpenShift 4.13 (GA) with AMD SEV-ES (tested on n2d-standard-8 instances).
  - Microsoft Azure: OpenShift 4.14 (Technology Preview) with AMD SEV-SNP (tested on Standard_DC8ads_v5 instances).
- No remote attestation support is available at this stage.
Phase 2 (Upcoming Enhancements)
- Introduction of remote attestation capabilities to enable fully confidential clusters.
- Expansion of support to additional cloud platforms.
Phase 3 (Future Developments)
- Full support for confidential clusters on both Azure and GCP with AMD SEV-SNP and Intel TDX.
Red Hat’s continued investment in confidential computing aims to provide organizations with secure, flexible, and scalable cloud solutions while ensuring data privacy and regulatory compliance.
Stay tuned for further updates as we explore automation strategies for deploying confidential clusters using Red Hat Ansible Automation Platform.