Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Ensuring the integrity of software isn’t easy. At one level or another, you have to place trust that a third party implements the necessary security controls to protect your data. Or do you?
Today, at Intel Innovation, Intel announced that health provider, Leidos, and professional services company, Accenture, are beginning to implement Project Amber, the organization’s verification service for cloud-to-edge and on-premises trust assurance.
Project Amber provides enterprises with a solution to independently verify the trustworthiness of computing assets throughout their environment.
Essentially, it provides enterprises with a solution they can use to help verify the integrity of the software supply chain to ensure that they aren’t using any computing assets or services that leave data exposed.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
Restoring faith in the software supply chain
The release of Project Amber comes as more and more organizations are struggling to place trust in the security of third-party software vendors. Currently, only 37% of IT professionals feel very confident in the security of the supply chain.
While there are many reasons for this lack in confidence, a spate of supply chain attacks, starting with the SolarWinds breach in 2020, have highlighted that organizations can face serious exposure to risk if third-party vendors fail to secure their environments against threat actors.
One of the key technologies that has the potential to address supply chain security is confidential computing. Confidential computing has the potential to mitigate supply chain risks by encrypting data-in-use so that it’s not accessible to unauthorized third parties processing or transmitting the data.
“With the introduction of Project Amber at Intel Vision in May ’22, Intel is taking confidential computing to the next level in our commitment to a zero-trust approach to attestation and the verification of computing assets at the network, edge and in the cloud,” said Intel senior vice president, chief technology officer, and general manager of the software and advanced technology group (SATG), Greg Lavender.
Intel essentially combines zero-trust attestation with confidential computing to help enterprises verify the security of third-party cloud services and software.
How Leidos and Accenture are using Project Amber
At this stage, Leidos has a new Project Amber proof of concept that offers the potential to support its QTC Mobile Medical Clinics, where vans perform in-field medical exams and health information processing for U.S. veterans in rural areas.
In this instance, Intel’s solution provides additional security protections for internet of things (IoT) and medical internet of things (MIoT) devices that sit beyond the network’s edge.
In another part of healthcare, Accenture is integrating Project Amber into an artificial intelligence (AI)-based framework for protecting data. As part of this proof of concept, healthcare institutions can share data securely to build a central AI model trained to detect and prevent diseases.
With the AI models needing to be trained on data taken from multiple hospitals and then aggregated in a single location, Project Amber enables Accenture to run machine learning (ML) workloads across multiple cloud service providers within a secure trusted execution environment (TEE).
This TEE prevents sensitive information from exposure to unauthorized third parties and verifies the trustworthiness of computing assets including TEEs, devices, policies and roots of trust.
An overview of confidential computing approaches
Confidential computing services are picking up momentum due to their ability to prevent unauthorized users from viewing or interacting with the underlying code at rest and in use. According to Everest Group, the confidential computing market has the potential to grow to $54 billion by 2026, as organization’s need for data privacy grows.
Of course, Intel isn’t the only provider experimenting with confidential computing.
Fortanix helped to pioneer this technology and offers a Confidential Computing Manager that can run applications in TEEs, while offering other security controls such as identity verification, data access control and code attestation. Fortanix also announced raising $90 million in series C funding earlier this year.
Other providers like Google Cloud are also experimenting with confidential computing to encrypt data-in-use for confidential VMs and confidential GKE nodes to bolster the security of a wider cloud environment. Earlier this year, Google Cloud surpassed $6 billion in revenue during the second quarter of 2022.
However, what makes Intel’s approach unique is that most TEE’s are self-attested by individual cloud service providers and software vendors. In effect, a provider verifies that their own infrastructure is secure. This means enterprises have to trust that a vendor accurately verifies the security of their own systems. Instead, Intel acts as an impartial third party who can testify that another vendor’s or cloud service provider’s workload or TEE is secure for an organization to use.