Confidential computing is a technology that protects data in use, and we have now upgraded our solution by moving all our processing of customers’ data to servers built on this principle. In this article, we will go into the details about confidential computing and how it answers to the issues of processing personal data in the public cloud, but for those of you who only want the short story, here is a summary that provides essence:
With confidential computing, we ensure that your data is fully protected, also from the host system (the cloud provider), when in use. Combined with traditional encryption technologies that protect the data when it is stored and during transit, the data is protected in all stages, and the last “gap” of data protection in cloud environments is thereby closed.
This also addresses an emerging and important compliance requirement. Confidential computing has become particularly relevant for GDPR compliance after the Schrems II ruling. With confidential computing implemented, you can use Ledidi Core also for identifiable personal data in compliance with GDPR.
Confidential computing is defined as state-of-the-art technology by EU’s cybersecurity agency.
All the technologies we use are certified through CISPE, meaning they have been evaluated by a neutral third party and found to satisfy the regulatory demands for storing and processing personal data. The CISPE Code specifically requires that the IaaS provider shall provide the ability to use the service to store and process data entirely within the EEA, meaning the use of such services does not have to be assessed as a transfer out of the EEA (GDPR chapter 5).
We are proud to be in front offering this state-of-the-art technology at scale to all our users and customers.
What is confidential computing?
Traditionally, infrastructure service providers have offered encryption services that protect data at rest (in storage and databases) and in transit (moving over a network connection), thereby protecting it from unauthorised access in these phases. Data can not be encrypted while they are in use, and this has left a vulnerability where the data can be accessed “in the clear” while being processed. Traditionally, the risk of unauthorised access has been mitigated by legal agreements and organisational measures. However, for processing sensitive data, this may represent an unacceptable reliance on non-technical measures that do not reach the required level of protection.
By introducing confidential computing, data is now also protected while in use (during processing or runtime). Using this technology, the computation is performed in a hardware-based, attested Trusted Execution Environment (TEE), which prevents all unauthorised access or modification of code and data while in use. Because the protection mechanisms are built into the system itself (hardware-based), they can not be tampered with or bypassed by any means. These secure and isolated environments execute the code and isolate and protect both the code and the data from the host system (including the host system’s software and personnel, regardless of the level of privilege). The contents of the TEE are accessible only to the authorised programming code running within the TEE, and the code and data are invisible, inaccessible and unknowable to any personnel or system in the host infrastructure.
This technology is now implemented in the system architecture of Ledidi Core so that all processing of user content (the data that you store or process on Ledidi Core) is performed within a trusted execution environment.
Confidential computing and the Schrems II ruling
The potential access to customer data during processing by cloud infrastructure providers from third countries (e.g. USA) was identified as a privacy compliance issue following the Schrems II ruling as it represents a way for authorities to demand and obtain access to personal data.
In its July 2020 Schrems II judgement, the Court of Justice of the European Union (CJEU) declared the European Commission’s Privacy Shield Decision invalid on “account of invasive US surveillance programmes, thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal” (ref).
This affected all transfers of personal data from the EEA to the USA, including the use of American public cloud providers. Even though the cloud providers used data centres in the EEA, the fact that the provider itself was subject to US law posed a risk that they would be asked (and forced) to hand over data to US surveillance authorities. As long as the cloud provider had the possibility to access such data in the clear, contracts and agreements with customers could not protect against this kind of legal demands from the cloud provider’s authorities.
In its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, EDPB recommends measures to protect data in use to prevent the cloud service provider from accessing “data in the clear” (Use Case 6). At the time, it was unclear how this data protection requirement could be met:
“...considering the current state of the art, (the EDPB is) incapable of envisioning an effective technical measure to prevent that access from infringing on the data subject’s fundamental rights. The EDPB does not rule out that further technological development may offer measures that achieve the intended business purposes, without requiring access in the clear.”
However, the “further technological development” foreseen by the EDPB manifested itself shortly thereafter. The technological capabilities of confidential computing were no secret, but it had not yet been recognised by the EU's cybersecurity agency (ENISA) as “state of the art” in GDPR terms fulfilling the legal IT security protection requirements.
New state-of-the-art guidelines
In September 2021, a couple of months after EDPBs recommendations on supplementary measures were published, ENISA published a new version of “Guideline on “State of the art” - Technical and organisational measures”.
The term “state of the art” is used in both articles 25 and 32 of the GDPR, and in several EDPB guidelines, including the recommendations on supplementary measures. The guideline is intended to provide concrete advice and recommendations for actions, to assist in determining the "state of the art" within the meaning of the GDPR, and to provide the content demanded by the GDPR.
In these guidelines, confidential computing was defined as state-of-the-art technology to protect data in use, stating that: “Confidential computing allows data to be processed in central infrastructures without exposing them to the possibility of being read by the operators of these central infrastructures, and offers users more control and, depending on the audit, also transparency”. Confidential computing also “offers new degrees of freedom, as new applications are conceivable that could not be implemented in a legally compliant manner under conventional data protection and security considerations”.
In conclusion, confidential computing is the technical supplementary measure required for Use Case 6.
A general strengthening of security
But the issue addressed by confidential computing is more profound than the focus in the Schrems II ruling and GDPR itself. It pinpoints the trust all customers of cloud providers must put in their vendor, namely that they do not disclose or inappropriately access any data. This element of trust has always been the Achilles’ heel of public cloud computing.
As long as there is a possibility that the cloud provider may access and read data, there will be some level of uncertainty. As data is not fully protected from the cloud operator, other malicious actors may use this as a point of access if they successfully breach the other defence barriers that have been put in place. Confidential computing, therefore, increases the general level of data security in the system. In addition to protecting the data, it also protects the code being used to process the data. Moving towards AI and complicated processing, protecting the code itself from malicious interference will be just as imperative as protecting the data.
There are numerous reasons why almost all businesses within all sectors move their operations to public cloud services. Compared to most on-premises environments, the public cloud offers better services, scalability, cost efficiency and accessibility. The security is easier to maintain and is significantly improved in well-designed cloud environments, where security protocols and encryption are built into the entire infrastructure by default. Continuous software updates and market-leading hardware makes it hard to compete with the leading cloud providers, such as Amazon Web Services and Microsoft Azure. With confidential computing in place, businesses and organisations can take advantage of the benefits of moving to the cloud without being constrained by compliance and data security issues, even when sensitive data is to be processed.
What does it imply for our users?
To ensure privacy compliance, we have until now recommended our users to pseudonymise data before uploading or entering them in Ledidi Core. Pseudonymisation is listed as one of the supplementary measures that can be used for third-country transfers by EDPB. Pseudonymisation is also a gold standard within research, used to protect the privacy of human research participants, both from a compliance perspective (data minimisation) and in line with established scientific standards. However, when data is used for purposes more closely related to the clinic (e.g. clinical audit), it may be a need to be able to identify patients directly. With confidential computing, organisations can trust that the data is protected in compliance with GDPR also when storing and processing directly identifiable personal health information.
Certified technologies
For all processing and storage of user content in Ledidi´s solutions, we exclusively use AWS infrastructure services verified as compliant with the CISPE Code of Conduct for Data Protection.
Cloud Infrastructure Providers in Europe (CISPE) is a non-profit trade association for infrastructure as a service ("IaaS") cloud providers in Europe. CISPE works to promote cloud certification and industry standards that foster innovation and cloud adoption, and to protect privacy and fundamental rights by ensuring GDPR compliance.
The CISPE Code of Conduct for Data Protection (the CISPE Code) was formally approved by EDPB in May 2021 and ratified by French data protection authority CNIL in June 2021, acting on behalf of the 27 data protection authorities across Europe.
The CISPE Code is in accordance with the GDPR articles 40 and 41 and is clarifying relevant GDPR requirements for IaaS providers acting as data processors or sub-processors. Compliance with the code can be used to demonstrate compliance with the requirements in GDPR article 28.
In relation to third-country transfers, the CISPE Code specifically requires that the IaaS provider "shall provide the customer the ability to choose to use the service to store and process its data entirely within the EEA, thereby avoiding the application of the GDPR rules governing the transfer of personal data outside the EEA". This means chapter 5 about transfer to third countries does not apply, and the use of such services does not have to be assessed as a transfer out of the EEA.
By using CISPE-certified technologies when building our solutions, we can be sure Ledidi Core satisfy the regulatory demands for storing and processing personal data.
At Ledidi, we are committed to always make use of state-of-the-art technology when building our solutions. We are constantly monitoring the market for best practices and state-of-the-art technologies that help us enforce security and privacy on behalf of our customers. We will always work to improve our solutions and find new ways to make sure the privacy of those contributing with sensitive health data is protected at the highest level.
