What is confidential computing?

Attackers aren’t solely interested in your data when it’s at rest or in transit; they also really want data being processed. Confidential computing is seen by many as the answer, but what is it?

What is confidential computing?

To understand confidential computing, you first need to define the three types of data states. Data at rest is when it’s being stored. Data in transit is when it’s moving across the network. And data in use is that which is being processed.

Confidential computing is designed to protect data in use.

It has become commonplace to encrypt data at rest and in transit, which leaves data in use at risk of compromise. This is because, when in use, data is left unencrypted within memory (RAM) and necessarily available to everything from applications to operating systems. But what if any of those are compromised? What if malware gets access to data in memory?

Confidential computing builds a hardware barrier by creating a enclave to isolate it during any processing. These secure enclaves can be found within the cloud, although smartphones and laptops increasingly employ their own versions.

Who needs confidential computing?

Although confidential computing is essential within the finance and healthcare sectors, the truth is that every sector, every user, needs it given today’s threat landscape. If you care about the privacy and security of your sensitive data, you need confidential computing. That applies to individuals at the consumer level, just as it does to the biggest organisations.

Why does confidential computing matter?

A wake-up call regarding the exposure of unencrypted data in memory came in 2017. Critical modern processor vulnerabilities, Meltdown and Spectre, gave attackers the ability to access data in memory, including passwords. These affected personal computers, smartphones, and cloud infrastructure alike.

Confidential computing isn’t a silver bullet against all exploits and certain attack methodologies. For example, the methodology used with Spectre isn’t prevented. But it does make them much harder to accomplish.

With evermore organisations doing business in the cloud, confidential computing eases the security fears of migrating sensitive applications there. In other words, it’s the final piece of the privacy and security puzzle when it comes to cloud infrastructures.

How does confidential computing work?

The key to confidential computing is a trusted execution environment (TEE) where data is stored. The cloud-based TEE creates a secure enclave within the central processing unit, isolating data, and even whole applications, from the operating system and the underlying hardware.

Although there are multiple different methods of achieving confidential computing, depending upon the vendors concerned, the basics of a TEE, a hardware-based architecture, remain a constant.

While data is being decrypted during processing, the TEE ensures that it remains invisible. That’s invisible to all other resources, operating systems, cloud providers, and so on. Because only properly authorised code can access the data, any tampering triggers the TEE to cancel the processing operation.


  • Data is routinely encrypted at rest and in transit, but when in use, it has to be unencrypted. 
  • Unencrypted data during processing leaves a viable target for attackers. 
  • Confidential computing creates a secure, hardware-based enclave for such data. 
  • This trusted execution environment (TEE) renders data invisible while in use. 
Avatar photo
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.