Don’t Trust Opaque Clouds, Cryptographically Verify Instead!
Room B | Thu 22 Jan 10:45 a.m.–11:30 a.m.
Presented by
-
Dr Chris Butler is a Senior Principal Chief Architect in the Field CTO team at Red Hat. Chris made a fateful decision one day to say automatable and measurable security and compliance was important and someone listened.
After that day he’s been focused on working with clients to deliver to this mission in multi-tenanted and security sensitive environments.Today he works on:
Confidential computing technologies such as ConfidentialContainers and Trustee to help secure critical infrastructure
Working with Kubernetes networking to support multi-tenant environments.
Helping people have GPUs be something that are consumed on demand and not hoarded by developers.
He is a maintainer of CNCF’s OSCAL Compass, where he founded compliance-trestle loves the fact AI has made high performance computing cool again.
Dr Chris Butler is a Senior Principal Chief Architect in the Field CTO team at Red Hat. Chris made a fateful decision one day to say automatable and measurable security and compliance was important and someone listened.
After that day he’s been focused on working with clients to deliver to this mission in multi-tenanted and security sensitive environments.Today he works on: Confidential computing technologies such as ConfidentialContainers and Trustee to help secure critical infrastructure Working with Kubernetes networking to support multi-tenant environments. Helping people have GPUs be something that are consumed on demand and not hoarded by developers.
He is a maintainer of CNCF’s OSCAL Compass, where he founded compliance-trestle loves the fact AI has made high performance computing cool again.
Abstract
The principle of "Don't trust, verify" is fundamental, yet cloud computing often forces users to place implicit trust in opaque infrastructure and the organizations that audit the clouds. Now you have options to follow that principle.
Confidential computing provides a fundamental change in this paradigm: hardware based trusted execution environments (TEEs) allow the cryptographic isolation of a users workload from underlying infrastructure providers, and this isolation can be verified on demand using a remote attestation.
This talk will explain the fundamentals of confidential computing including TEE’s and how remote attestation can be used to verify the integrity of the TEE. After laying this foundation this talk will explore the overlapping projects in the ecosystem such as Trustee, Keylime, fs-verity, Confidential Containers; and what is required to assemble these projects in a way that allows you to cryptographic verify of your security posture.
A short demo will be shown of how remote attestation works within the confidential container (Kata Containers & Trustee) ecosystem. The talk will be completed with exploring how you build systems to obtain value from the cryptographic verification in confidential computing.
The principle of "Don't trust, verify" is fundamental, yet cloud computing often forces users to place implicit trust in opaque infrastructure and the organizations that audit the clouds. Now you have options to follow that principle.
Confidential computing provides a fundamental change in this paradigm: hardware based trusted execution environments (TEEs) allow the cryptographic isolation of a users workload from underlying infrastructure providers, and this isolation can be verified on demand using a remote attestation.
This talk will explain the fundamentals of confidential computing including TEE’s and how remote attestation can be used to verify the integrity of the TEE. After laying this foundation this talk will explore the overlapping projects in the ecosystem such as Trustee, Keylime, fs-verity, Confidential Containers; and what is required to assemble these projects in a way that allows you to cryptographic verify of your security posture.
A short demo will be shown of how remote attestation works within the confidential container (Kata Containers & Trustee) ecosystem. The talk will be completed with exploring how you build systems to obtain value from the cryptographic verification in confidential computing.