Safeguard
Industry Analysis

Introduction to confidential computing and hardware-based...

Confidential computing seals data in use inside hardware-encrypted enclaves, closing the last gap in the encrypt-everywhere model. Here's how it works.

James
Principal Security Architect
8 min read

Every major cloud breach post-mortem of the last decade converges on the same finding: data was encrypted at rest, encrypted in transit, and then decrypted in plaintext the moment it reached memory—exactly where an attacker with root access, a hypervisor exploit, or a malicious insider was waiting. Confidential computing closes that gap. It uses hardware-isolated enclaves built into modern CPUs to keep data encrypted even while it is being actively processed, extending the "encrypt everywhere" principle to the one place it never used to reach: RAM.

For software supply chain security teams, this matters more than it sounds. Build servers, CI/CD runners, and artifact signing services all hold secrets in memory during execution—API keys, private signing keys, source code. Confidential computing gives organizations a hardware-backed way to protect that runtime data from compromised infrastructure, not just compromised disks.

What Is Confidential Computing?

Confidential computing is a security model that isolates and encrypts data while it is being processed in memory, using hardware-based trusted execution environments (TEEs) rather than software controls alone. The concept formalizes what security architects call "data in use" protection—the third leg of a stool that already had data-at-rest and data-in-transit encryption standardized for years. A TEE is a physically isolated region of a processor's memory, sealed off by the CPU itself, where code and data remain encrypted and inaccessible to the operating system, hypervisor, cloud provider, or even a system administrator with root privileges.

The technology isn't new in concept—Intel introduced Software Guard Extensions (SGX) in 2015, followed by AMD's Secure Encrypted Virtualization (SEV) in 2016 and Arm's Confidential Compute Architecture (CCA) more recently—but adoption accelerated sharply once the major hyperscalers productized it. Microsoft Azure launched confidential computing VMs in 2020, Google Cloud shipped Confidential VMs the same year, and AWS followed with Nitro Enclaves. What used to be a niche capability for defense and financial-services workloads is now a checkbox option in every major cloud console.

How Does Encrypted Memory Processing Actually Work?

Encrypted memory processing works by generating encryption keys inside the CPU itself, so plaintext data never exists outside the processor boundary—not in RAM, not on disk, not visible to the hypervisor. When a workload runs inside a TEE, the processor encrypts memory pages on the fly using keys that are generated and stored in dedicated hardware registers, inaccessible to any software layer above the chip, including the operating system kernel. Even a fully compromised host OS or a malicious cloud administrator with hypervisor access sees only ciphertext.

This is enforced through a mix of memory encryption engines and attestation. Before sensitive data is released to an enclave, the enclave must cryptographically prove to a remote party—a technique called remote attestation—that it is running unmodified, approved code on genuine hardware. AMD SEV-SNP, for example, adds integrity protection on top of encryption so an attacker can't just replay or splice encrypted memory pages to tamper with execution. Intel's TDX (Trust Domain Extensions), the SGX successor aimed at whole-VM confidentiality, extends this to entire virtual machines rather than small enclave regions, addressing one of SGX's biggest early limitations: enclave memory was originally capped around 128–256MB, too small for many real workloads.

What Is the Confidential Computing Consortium, and Why Does It Matter?

The Confidential Computing Consortium (CCC) is a Linux Foundation project launched in 2019 to standardize TEE technology and prevent the market from fragmenting into incompatible, vendor-locked implementations. Founding members included Alibaba, Arm, Baidu, Google, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent—a deliberately cross-competitive lineup, since Intel, AMD, and Arm all compete on silicon while Google, Microsoft, and Alibaba compete on cloud. By 2023 the CCC had grown to more than 40 member organizations and had shipped open-source projects such as Open Enclave SDK, Gramine, and Confidential Containers, which let developers build TEE-aware applications without hand-rolling attestation logic for each hardware vendor separately.

The consortium's most cited contribution is arguably definitional: it published the industry's reference definition of confidential computing as protection of "data in use" via hardware-based TEEs, which analysts and vendors now use consistently instead of describing the same technology with five different names. That standardization is part of why Everest Group's widely referenced 2021 market analysis projected the confidential computing market growing from roughly $2 billion in 2021 to as much as $54 billion by 2026—a forecast that assumed exactly the kind of cross-vendor interoperability the CCC was built to produce.

Why Does Data-in-Use Encryption Matter for Software Supply Chains?

Data-in-use encryption matters for software supply chains because the moments of highest exposure—key generation, code signing, dependency resolution, build execution—all happen in memory, not on disk. A SolarWinds-style attacker who gains access to a build pipeline isn't reading encrypted files off a hard drive; they're hooking into a running process to exfiltrate signing keys or inject malicious code at compile time. Traditional encryption does nothing to stop that, because by definition the data has to be decrypted in memory for the build to run at all.

Placing CI/CD runners, artifact signing services, and secrets managers inside TEEs means that even a compromised host kernel or a malicious co-tenant on shared cloud infrastructure cannot read the private keys or source code being processed. Combined with remote attestation, a downstream consumer can cryptographically verify that a given artifact was built inside a specific, unmodified enclave configuration—turning "trust me, our build server is secure" into a verifiable, hardware-rooted claim. This is precisely the gap that frameworks like SLSA (Supply-chain Levels for Software Artifacts) try to address at the provenance layer; confidential computing addresses it at the execution layer underneath.

Which Industries Are Adopting Confidential Computing Today?

Financial services, healthcare, and multi-party data collaboration are the three sectors where confidential computing has moved fastest from pilot to production. Banks use it for confidential multi-party fraud analytics—several institutions can jointly analyze transaction patterns across organizational boundaries without any party seeing the others' raw data, a capability Microsoft has productized through Azure confidential computing partnerships since 2021. Healthcare organizations use TEEs to run genomic and clinical analysis on sensitive patient data in shared cloud environments while satisfying HIPAA's technical safeguard requirements, since the cloud provider itself is architecturally prevented from viewing the underlying data.

Government and defense workloads were early adopters for obvious reasons, but the more interesting recent trend is confidential AI: enterprises training or running inference on proprietary models want assurance that the cloud vendor hosting the GPU cannot see model weights or the prompts flowing through them. NVIDIA's H100 GPUs added confidential computing support in 2023 specifically to meet this demand, extending TEE protection from the CPU down into the accelerator itself—a signal that confidential computing is becoming a default expectation for any workload handling regulated or proprietary data, not a specialty tool.

What Are the Limits of Confidential Computing?

Confidential computing protects data during processing, but it doesn't replace the rest of a security program—it closes one specific gap. It doesn't stop supply chain attacks that inject malicious code before the workload ever reaches the enclave, it doesn't validate that the code running inside the TEE is trustworthy in the first place (that's what attestation and provenance verification are for), and it historically came with real performance overhead—SGX enclave transitions and memory encryption can add single-digit to double-digit percentage latency depending on workload, though newer VM-level approaches like SEV-SNP and TDX have narrowed that gap considerably.

There have also been documented side-channel vulnerabilities against early TEE implementations—researchers demonstrated cache-timing and speculative-execution attacks against SGX enclaves multiple times between 2018 and 2021—which is why hardware vendors have iterated through several generations of mitigations rather than treating the first implementation as final. The practical takeaway for security teams is that confidential computing is a strong additional control, best layered with attestation, provenance tracking, and conventional access controls, not a silver bullet deployed in isolation.

How Safeguard Helps

Safeguard's software supply chain security platform is built around the same principle underlying confidential computing: trust should be verifiable, not assumed. Where confidential computing uses hardware attestation to prove a workload is running unmodified code, Safeguard extends that verification across the entire build and delivery pipeline—tracking artifact provenance, verifying signatures, and flagging tampering or drift between source and deployed binaries, including for organizations already running builds inside TEEs on Azure, AWS, or Google Cloud.

For teams adopting confidential computing to protect signing keys and build secrets in memory, Safeguard adds the layer above the hardware: continuous monitoring of dependency integrity, SBOM generation and verification, and policy enforcement that confirms an artifact's chain of custody matches its attested build environment. The result is defense in depth that spans both ends of the problem—hardware-enforced data-in-use protection during execution, and cryptographic provenance verification across the software supply chain that consumes the output. Organizations don't have to choose between securing the infrastructure and securing the pipeline; Safeguard is designed to make both verifiable from the same evidence trail.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.