Our last post demonstrated that confidential computing is the only model that answers today’s cybersecurity challenges. To recap, confidential computing protects data and applications by running them within secure enclaves to prevent unauthorized access. This protects data security, regardless of the vulnerability of the computing infrastructure. Now, we will look in detail at HUB Security’s multi-layered approach to harnessing the full benefits of confidential computing.

Essentially, HUB Secure compute is about completely isolating data from the outside world and can work in tandem with Intel Software Guard Extensions (SGX) and AMD SEV. Both create secure enclaves for data in use and enhanced access controls but are vulnerable to side-channel attacks. Side-channel attacks rely on information gained from implementing a computer system rather than weaknesses in the algorithm itself (e.g., cryptanalysis and software bugs). Time, energy consumption, electromagnetic leaks, and even sound can provide extra information, which can be exploited. Social engineering attacks, like phishing, are also not prevented by these technologies.

HUB Secure Compute is composed of four main components based on the guiding assumption that all systems have already been compromised rather than may one day be compromised.

Cyber Digital Twins

Digital twins use advanced technology to generate a perfect virtual copy of a system, updated with real-time data. Digital twins have multifold purposes but not least among them is to provide a perfect backup of the physical in case of damage caused by malicious activity. They can also constantly simulate attacks based on real-world experience and develop the appropriate protection response.

These simulations look at the sequence and results. If the results are valid and expected, the cyber twin transfers the communication to the actual system, eliminates the risks generally associated with unusual inputs and sequences, applications’ interfaces should only be exposed to the outside world to validate and verify appropriate communication exclusively. No other data is permitted into this secure computing environment.

Permission and Governance Policy Engine

The permission engine authorizes users and entities access to protected resources. Its purpose is to allow only a specific request/action, looking at normal traffic and irregular in terms of timing and volume. With stealth logging, we have created a fine-grained authorization system for the entire network and compute stack, from hardware to layer-7 applications. Moreover, the organization can prevent privileged abuse of advanced hacking techniques with governance rules such as approval workflows and velocity checks.

The approval workflows are configurable and allow the implementation of segregation of duties and 2 man rule concepts.

Cryptographic Engine

Essentially, a Cryptographic Engine operates as an internal high-security key manager (HSM) for each application and service by operating as a self-contained, redundant cryptographic module. It replaces box and board-level cryptographic devices and creates and manages key encryption and decryption services.

Physical Security of Hardware Box

Physical changes to the platform are detected and respond with an alert to complete the wiping operation. It provides comprehensive trust even at the edge. A factory will have security guards, alarms, and video surveillance. A mobile phone mast or electricity pylon might not have these.

Taken together, our Secure Computing solution offers world-class security. It provides seamless integration with existing systems and applications. This allows deployment with no interference with work processes and can be customized to your precise requirements. It runs on a separate execution platform, making it even more secure since your security solution is not hacked if the compute environment is hacked. At the same time, it is not a perimeter securities solution that can be bypassed.

The solution works in stealth mode and is invisible to the attacker and the applications, so there is no need to change current applications and architecture.