# Confidential Computing
Confidential computing is a security paradigm that protects data while it is being processed by isolating computations within hardware-based Trusted Execution Environments (TEEs). Traditional encryption protects data at rest (stored) and data in transit (network), but data must be decrypted for processing, which creates a vulnerability window. Confidential computing closes that gap by keeping data encrypted and inaccessible even during computation, including to the cloud provider, the hypervisor, and the operating system.
Confidential computing relies on hardware-rooted security mechanisms provided by CPU manufacturers:
- Intel SGX (Software Guard Extensions): Creates isolated memory regions called enclaves. Code and data inside an enclave are encrypted in memory and decrypted only inside the CPU. Even a compromised OS or hypervisor cannot read enclave memory.
- Intel TDX (Trust Domain Extensions): Extends protection to entire virtual machines rather than individual enclaves. The hypervisor can manage VMs but cannot inspect their memory or state.
- AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging): Encrypts VM memory with per-VM keys managed by the AMD Secure Processor. SNP adds integrity protection to prevent memory replay and remapping attacks.
- ARM CCA (Confidential Compute Architecture): Introduces "Realms," isolated execution environments managed by a hardware-enforced Realm Management Monitor (RMM).
The workflow:
Cloud adoption creates a fundamental trust problem: you must trust the cloud provider with your unencrypted data during processing. Confidential computing eliminates this trust requirement. This is transformative for industries that handle regulated data (healthcare, finance, government) and for multi-party computation scenarios where organizations need to collaborate on data without exposing it to each other.
The Confidential Computing Consortium (CCC), hosted by the Linux Foundation, includes members like Intel, AMD, ARM, Google, Microsoft, and Red Hat. All major cloud providers now offer confidential computing services: Azure Confidential Computing, Google Cloud Confidential VMs, and AWS Nitro Enclaves.
For organizations bound by data residency or sovereignty requirements, confidential computing provides a technical mechanism to prove that data was processed in a controlled, verifiable manner, regardless of the physical infrastructure.
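The "verifiable" part of that claim is remote attestation: the hardware signs a report describing the code it is running, and a relying party checks that report before handing over any data key. The following is an added example, not code from the article or from CDA, showing the checks such a verifier performs (signature, freshness nonce, debug flag, TCB version, code measurement). All names and values are constructed, and an HMAC with a shared key stands in for the vendor's asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed demo: HMAC-SHA256 with a shared key stands in for the hardware
# vendor's asymmetric signature over the report. A real verifier instead checks
# a certificate chain from the report-signing key up to the vendor's root.
HW_ROOT_KEY = b"constructed-hardware-root-key"      # assumption, demo only

# Allowlist of code measurements (hash of the enclave/VM image) we accept.
TRUSTED_MEASUREMENTS = {hashlib.sha256(b"approved-build-1.2.0").hexdigest()}
MIN_TCB_VERSION = 5                                 # oldest platform firmware we trust


def sign_report(body: dict) -> dict:
    """Simulates the TEE hardware producing a signed attestation report."""
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(HW_ROOT_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_report(report: dict, expected_nonce: str) -> tuple:
    """Return (ok, reason). Order matters: trust nothing in the body until
    the signature over it has been checked."""
    body = report["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    expected_sig = hmac.new(HW_ROOT_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report["sig"]):
        return False, "signature invalid: report was not produced by trusted hardware"
    if body["report_data"] != expected_nonce:
        return False, "nonce mismatch: stale or replayed report"
    if body["debug"]:
        return False, "debug mode enabled: enclave memory is inspectable"
    if body["tcb_version"] < MIN_TCB_VERSION:
        return False, "TCB version below minimum: platform firmware is outdated"
    if body["measurement"] not in TRUSTED_MEASUREMENTS:
        return False, "unknown measurement: code is not an approved build"
    return True, "ok"


def release_key(report: dict, expected_nonce: str, data_key: bytes):
    """Hand the data-decryption key only to a workload that passed attestation."""
    ok, _reason = verify_report(report, expected_nonce)
    return data_key if ok else None


def make_report(measurement, nonce, debug=False, tcb_version=7):
    """Build a constructed report body (as the hardware would) and sign it."""
    return sign_report({"measurement": measurement, "report_data": nonce,
                        "debug": debug, "tcb_version": tcb_version})
```

The nonce is chosen by the verifier per request and echoed in report_data, which is what prevents an old but valid report from being replayed.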
Confidential computing is a natural extension of CDA's Zero Possession Architecture (ZPA) within the Data Protection & Sovereignty (DPS) domain. ZPA's core principle, protect without possessing, aligns perfectly with confidential computing's guarantee that even the infrastructure operator cannot access processed data.
CDA's operational integration:
For clients in healthcare, finance, and government, confidential computing is not optional. It is the technical enforcement mechanism for data sovereignty claims. CDA helps clients move from "we promise we protect your data" to "here is the cryptographic proof."
Written by Evan Morgan