In this short video take, my colleague Daniel Newman and I discuss the differences between operational trust and technical trust. These two things form the basis of what Confidential Computing is really about.
Disclaimer: The Futurum Tech Podcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Daniel Newman: So let’s revisit this, operational trust and technical trust, Shelly. I talked about it at the end. This is really, in my eyes, what confidential computing is all about.
Shelly Kramer: Yeah. And I think sometimes most of us don’t break these down in our heads, but operational trust is the thought that better and regular training, and stricter rules, and compliance and certification, all of those things, those things are important. We’ve worked with many clients in the space of providing training and compliance and all that sort of thing. Those things are important. But today, operational trust alone is not enough. And so then we’ll shift and talk about technical trust, and that’s really where we need to head.
Technical trust is the focus on removing people from the security equation and deploying technology solutions rather than the training, and the processes, and the compliance, and the certification. And the industry as a whole needs the ability to make it possible to run applications on somebody else’s computer, but where the owner of the computer can’t influence or observe what’s happening. It sounds kind of weird, I know, but this can be achieved through the deployment of technology that has no reliance on human intervention. And that’s really what we’re talking about when we’re talking about confidential computing, and what we’re talking about when we look at what’s the next gen of security protection for organizations.
Daniel Newman: Yeah, absolutely. And the genesis of all this is, as we’ve moved to Cloud, companies have had to rethink who can access the data, and how they’re able to access the data, and why they need to access the data. If you think about some of the biggest threat surfaces inside of an organization, it’s often people.
Shelly Kramer: Right.
Daniel Newman: And you talked about that with operational assurance, Shelly, but oftentimes the people have the capacity, because they’re administrators of the systems, to also be able to view or extract or take a snapshot of an application and the data, and that data can get migrated. It’s like anytime you have a PC that’s company owned and data has been sent around, oftentimes it’s sent around in an application.
But we often say, let’s download the CSV, we want to manipulate this data, play with this data. Well, all of a sudden this data is no longer in the secured environment, it’s now on someone’s machine.
Shelly Kramer: Right.
Daniel Newman: And administrators often have no reason to need to look at data, especially if you think about it in some highly regulated type spaces where you have things like credit card and financial data, you have HIPAA type data, and so we’ve had to build more hardened systems. But confidential computing as a whole, I guess we’ve talked around it a lot, but it really comes down to the ability to protect data in kind of all three states, right? We’ve got data at rest, you got data in transit, and we’ve gotten pretty good at that in terms of protecting it. But what about when data is being used in an application, and being able to manage it in all three states? That’s a pretty big problem.