
Kris Sharma
on 2 May 2022

Confidential Computing and financial services cloud


Data security in the cloud – a business imperative

Cloud computing has been transforming financial IT infrastructure into a utility, allowing financial institutions (FIs) to access computing resources on demand. This lets FIs offload the cost and effort of setting up and managing their own on-premises infrastructure, improving agility and time to business value. As more and more financial institutions rely on hybrid cloud services, data security in the cloud is a business imperative.

Moving financial workloads from an on-premises setup to a public cloud infrastructure introduces a new attack surface with different risks. Because the public cloud environment shares its hardware infrastructure between tenants, a flaw in the cloud’s isolation mechanisms can be detrimental to the protection of sensitive customer and financial data. The major public cloud environments tackle this by building their security following a defense-in-depth approach. Confidential Computing is an additional layer of security in this environment that keeps data private even when a flaw is found in the other defense mechanisms.

Confidential Computing and financial services

Cloud providers offer financial institutions various encryption services to help protect data at rest (in storage and databases) and data in transit (moving over a network connection). But what about data in use (during processing or at runtime)?

Confidential Computing addresses this gap by isolating data and execution within a secure space. Confidential computing is an industry term defined by the Confidential Computing Consortium (CCC), a foundation dedicated to defining and accelerating the adoption of confidential computing.

The CCC defines confidential computing as: the protection of data in use by performing computations in a hardware-based Trusted Execution Environment (TEE). A TEE is created by using a protected section of the CPU as a sanctuary, or enclave. A secure enclave is a memory- and CPU-only environment that is isolated from, and invisible to, all other users and processes on a given host.

Confidential computing is a privacy-enhancing technology that isolates sensitive data in a protected CPU enclave during processing, and closes the remaining gap (data in use) by encrypting data while it is being processed in system memory.

Financial institutions need to mitigate threats that target the confidentiality and integrity of either the application or the data in system memory. Confidential computing helps financial institutions build a resilient and secure enterprise by ensuring data integrity, data confidentiality and code integrity.

Within financial services, there are multiple business processes, such as anti-money laundering and fraud detection among many others, that require financial institutions to share data with external parties. Confidential computing allows organisations to process data from multiple sources without exposing the input data to the other parties.

Multiple financial institutions can share data with each other without exposing personal data of their customers. Organisations can run agreed-upon analytics on the combined sensitive data set. The analytics on the aggregated data set can detect the movement of money by one user between multiple banks, without the banks accessing each other’s data.

Through confidential computing, these financial institutions can increase fraud detection rates, address money laundering scenarios, reduce false positives, and continue learning from larger data sets. Confidential computing provides greater assurance to financial services industry leaders that their data in the cloud is protected and confidential, and encourages them to leverage cloud services even for use cases that rely on sensitive data and computing workloads.
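The multi-bank flow described above, as an added example that is not part of the original post and not Canonical's or Azure's code: two banks (constructed sample data) release their rows only to an enclave whose code measurement matches the analytic they agreed on, and receive back only the flagged customer IDs, never each other's rows. The Enclave class is a plain Python model of the data flow, not a hardware TEE, and the measure() function is a bytecode hash standing in for a real, hardware-signed attestation report; both are assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
from typing import Callable

THRESHOLD = 10_000  # agreed cross-bank movement threshold (constructed value)

# Constructed sample records. Each bank only ever hands its rows to the
# enclave; the other bank never receives them.
BANK_A_RECORDS = [
    {"customer_id": "c-100", "amount": 6_000},
    {"customer_id": "c-200", "amount": 1_500},
    {"customer_id": "c-300", "amount": 400},
]
BANK_B_RECORDS = [
    {"customer_id": "c-100", "amount": 5_500},   # c-100 moves 11,500 across both banks
    {"customer_id": "c-300", "amount": 300},
    {"customer_id": "c-400", "amount": 12_000},  # large, but seen at one bank only
]


def agreed_analytic(rows: list[dict], threshold: int) -> list[str]:
    """The analytic both banks approved: customer IDs whose combined
    movement across two or more contributing banks exceeds the threshold.
    Only IDs leave the enclave, never the rows themselves."""
    totals: dict[str, int] = {}
    banks_seen: dict[str, set[str]] = {}
    for row in rows:
        cid = row["customer_id"]
        totals[cid] = totals.get(cid, 0) + row["amount"]
        banks_seen.setdefault(cid, set()).add(row["source"])
    return sorted(
        cid for cid, total in totals.items()
        if total > threshold and len(banks_seen[cid]) >= 2
    )


def leaky_analytic(rows: list[dict], threshold: int) -> list[dict]:
    """Tampered code that would hand the raw rows back out. Its measurement
    differs from the approved analytic, so the banks refuse to feed it."""
    return rows


def measure(code: Callable) -> str:
    """Stand-in for a TEE code measurement: a hash over the analytic's
    bytecode. A real enclave's measurement covers its loaded code and
    initial memory and is signed by the hardware."""
    return hashlib.sha256(code.__code__.co_code).hexdigest()


class Enclave:
    """Toy enclave: contributed rows are visible only inside run()."""

    def __init__(self, analytic: Callable) -> None:
        self._analytic = analytic
        self._inputs: list[dict] = []

    def attestation_report(self) -> str:
        return measure(self._analytic)

    def accept(self, source: str, records: list[dict]) -> None:
        # Tag each row with its source so the analytic can count banks.
        self._inputs.extend({**row, "source": source} for row in records)

    def run(self, threshold: int):
        result = self._analytic(self._inputs, threshold)
        self._inputs = []  # plaintext is dropped once the result is produced
        return result


class Bank:
    def __init__(self, name: str, records: list[dict], expected_measurement: str) -> None:
        self.name = name
        self.records = records
        self.expected_measurement = expected_measurement

    def release_to(self, enclave: Enclave) -> bool:
        """Release rows only to an enclave whose measurement matches the
        code both banks agreed on (the attestation check)."""
        if enclave.attestation_report() != self.expected_measurement:
            return False
        enclave.accept(self.name, self.records)
        return True


def run_joint_analysis(analytic: Callable) -> tuple[bool, bool, list | None]:
    """Both banks attest the enclave, release data on success, and receive
    only the aggregate result. Returns (bank A released, bank B released, result)."""
    expected = measure(agreed_analytic)  # pinned out of band by both banks
    enclave = Enclave(analytic)
    bank_a = Bank("bank-a", BANK_A_RECORDS, expected)
    bank_b = Bank("bank-b", BANK_B_RECORDS, expected)
    a_ok = bank_a.release_to(enclave)
    b_ok = bank_b.release_to(enclave)
    result = enclave.run(THRESHOLD) if a_ok and b_ok else None
    return a_ok, b_ok, result


if __name__ == "__main__":
    print(run_joint_analysis(agreed_analytic))  # (True, True, ['c-100'])
    print(run_joint_analysis(leaky_analytic))   # (False, False, None)
```

The point the model makes is the one in the text: c-100 is flagged because its movement is only visible when both banks' rows are combined, c-400's large but single-bank activity is not, and a tampered analytic that would return raw rows fails the measurement check before any bank releases data to it.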

Ubuntu and Azure Confidential Computing

While there are multiple solutions involving secure enclaves today, they often require specialised software to take advantage of them. Microsoft Azure confidential VMs, on the other hand, only require changes to the operating system, so existing financial workloads can run unchanged in a familiar environment like Ubuntu. That makes it one of the most promising technologies in Confidential Computing.

To realise this, Canonical provides Ubuntu guest images that are optimised for confidential computing. They also secure your VM at rest and at boot time. Ubuntu 20.04 LTS is deeply integrated into public clouds and optimised for performance, security and ease of use. Ubuntu is the only Linux distribution supporting Azure Confidential VMs.

Azure’s confidential VMs deliver confidentiality between different cloud customers and also between customers and Azure operators. With hardware-level encrypted guest isolation, combined with measured boot and TPM-backed full-disk encryption in Ubuntu and Azure Managed HSM, customer code and data are encrypted in use, in transit, and at rest using encryption keys that are protected and can be controlled by the customer. Canonical has been an important partner in this effort, working closely with us to bring confidential computing innovations to our customers.

– Vikas Bhatia, Head of Product for Azure Confidential Computing

To try Ubuntu with Confidential Computing on Azure today, see the quick start guide from Microsoft. For production workloads, Canonical is making Ubuntu Pro images tailored for Confidential Computing available.
