[00:00.000 --> 00:13.120]  First session, and I wanted to explain a bit more, give an overview of the fields, right,
[00:13.120 --> 00:15.040]  for those learning.
[00:15.040 --> 00:17.480]  So I'm Nick Vidal.
[00:17.480 --> 00:23.080]  Part of the Anarchs Community Manager at Anarchs, it's part of the Confidential Computing
[00:23.080 --> 00:24.080]  Consortium.
[00:24.080 --> 00:25.720]  It's an open source project.
[00:25.720 --> 00:29.800]  I'm also serving as the chair of the Outreach Committee from the Confidential Computing
[00:29.800 --> 00:33.800]  Consortium, and it's a pleasure to be here.
[00:33.800 --> 00:39.680]  So let's start out with talking about the states of data protection.
[00:39.680 --> 00:40.920]  This is very basic.
[00:40.920 --> 00:49.320]  I mean, everybody knows about protecting data arrests, protecting data in transit, but now
[00:49.320 --> 00:53.680]  protecting in use, this is something that is relatively new.
[00:53.680 --> 00:56.960]  So what exactly is protecting data arrests?
[00:56.960 --> 01:04.560]  When you have your hard drive encrypted, your laptop, your traveling, you get lost, that
[01:04.560 --> 01:11.760]  data is safe as long as your hard drive is encrypted and nobody can get in there.
[01:11.760 --> 01:18.880]  In transits, when you open up your browser and you just type HTTPS and you access some
[01:18.880 --> 01:26.240]  website, the data that's flowing between your browser and the server, if that's using HTTPS,
[01:26.240 --> 01:31.160]  that's encrypted and nobody can tamper into that data.
[01:31.160 --> 01:32.160]  That's secure.
[01:32.160 --> 01:40.720]  However, there's a third way that the data can also be accessible, and that's directly
[01:40.720 --> 01:41.720]  on the CPU.
[01:41.720 --> 01:52.880]  This is something that people mostly are not aware of, developers, even security professionals,
[01:52.880 --> 02:01.920]  and they are not aware that when you have some type of application or data running at
[02:01.920 --> 02:08.520]  the CPU in memory, if for some reason that system is compromised, somebody can get access
[02:08.520 --> 02:11.200]  to that data.
[02:11.200 --> 02:16.880]  Suppose that there's an exploits, somebody gains root access, they'll be able to see
[02:16.880 --> 02:26.120]  what's in memory, and conflict computing allows you to encrypt data while in use, while in
[02:26.120 --> 02:27.120]  the CPU.
[02:27.120 --> 02:35.240]  Even if somebody breaks down, even if somebody gains access, roots access to that system,
[02:35.240 --> 02:40.840]  they won't have access to that data because it's just like the hard drive example.
[02:40.840 --> 02:49.360]  It's just like the data in transit example.
[02:49.360 --> 02:57.280]  Confidential computing protects data and the codes, both confidentiality and integrity.
[02:57.280 --> 03:05.240]  Confidentiality means you cannot actually read the data, and integrity, you cannot
[03:05.240 --> 03:11.040]  mess up a tamper with that data or with that code.
[03:11.040 --> 03:18.960]  For conflict computing to have, to achieve conflict computing, you have to at least provide
[03:18.960 --> 03:25.480]  data confidentiality, data integrity, and codes integrity.
[03:25.480 --> 03:29.680]  How about codes confidentiality?
[03:29.680 --> 03:34.960]  As part of the conflict computing consortium's definition of conflict computing, that's not
[03:34.960 --> 03:46.000]  necessary, but some projects like the NRX projects, we provide that, all those protections.
[03:46.000 --> 03:52.760]  This is the official definition by the conflict computing consortium, conflict computing protects
[03:52.760 --> 04:19.640]  data in use by performing computation in a hardware-based, attested, trusted...
[04:19.640 --> 04:21.840]  Manage sensitive and regulated data.
[04:21.840 --> 04:30.480]  I wanted to read that because the CCC worked, a whole bunch of group of people worked together
[04:30.480 --> 04:39.240]  during one year to define this definition and another year to add one word, attested.
[04:39.240 --> 04:44.960]  I wanted to read very clearly to make this definition, so I wouldn't make a mistake,
[04:44.960 --> 04:45.960]  right?
[04:45.960 --> 04:51.760]  I don't want to memorize and forget something.
[04:51.760 --> 04:57.560]  What's conflict computing, what's the case study, where can it be used?
[04:57.560 --> 05:04.240]  Actually it has many uses, right now we have some sectors that are very much regulated,
[05:04.240 --> 05:11.760]  they have a lot of sensitive data, and in fact they cannot use the clouds as of today.
[05:11.760 --> 05:19.440]  They simply can't, policies won't allow them to benefit from the clouds.
[05:19.440 --> 05:23.960]  So we have for example banking, financial services, insurance, of course they have a
[05:23.960 --> 05:27.320]  lot of sensitive financial data.
[05:27.320 --> 05:35.800]  We also have healthcare, there's the HIPAA, for example in the US it's a regulation regarding
[05:35.800 --> 05:37.520]  healthcare.
[05:37.520 --> 05:45.080]  We have telecom, Edge, IoT, governments, a whole bunch of sectors that currently do
[05:45.080 --> 05:50.960]  not use the clouds because they can't, because they have a lot of sensitive data, because
[05:50.960 --> 05:55.000]  it's very much regulated by governments, policies.
[05:55.000 --> 06:05.240]  So conflict computing will open the clouds, the IoT, the Edge to these sectors, they have
[06:05.240 --> 06:12.840]  a lot of sensitive data, and that's the huge potential of this technology.
[06:12.840 --> 06:21.000]  If we can open up this, the clouds to these sectors, you'll grow a lot.
[06:21.000 --> 06:26.640]  That's why, one of the reasons why cloud service providers are currently, this year and this
[06:26.640 --> 06:34.440]  past year, they have offered conflict computing and this is going to grow immensely.
[06:34.440 --> 06:42.600]  So I talked about the conflict computing consortium, we are part of the Linux foundation,
[06:42.600 --> 06:51.120]  so we bring together hardware vendors like Intel, AMD, ARM, NVIDIA, cloud service providers
[06:51.120 --> 07:02.120]  like Azure, Google Clouds, and so many others, startups as well, and software developers.
[07:02.120 --> 07:07.000]  We have a whole bunch of members here, as you can see, all the major players are betting
[07:07.000 --> 07:17.680]  on this, because in some ways, this is the future of the clouds in terms of security,
[07:17.680 --> 07:21.940]  and currently we have seven open source projects.
[07:21.940 --> 07:28.480]  We invite as many open source projects, if you are working with conflict computing and
[07:28.480 --> 07:32.680]  you have a nice project, we welcome you to the CCC.
[07:32.680 --> 07:39.920]  So I work at the Anarchs, but we have Grammy, we have Veracruz, Verasome, a lot of very
[07:39.920 --> 07:45.400]  great technology here, which is fully open source.
[07:45.400 --> 07:52.120]  Now let's step back and look at the Let's Encrypt movement.
[07:52.120 --> 07:59.280]  Not many people are aware of conflict computing and its importance of protecting data while
[07:59.280 --> 08:01.280]  in use.
[08:01.280 --> 08:08.840]  If we go back 10, 15 years ago, that was the same challenge that we had regarding protecting
[08:08.840 --> 08:11.680]  data in transits.
[08:11.680 --> 08:19.520]  People were like, hey, I'm not an e-commerce, I'm not like a bank, or why should I use HTTPS?
[08:19.520 --> 08:24.400]  We kind of left right now, hey, HTTPS is just the default, right?
[08:24.400 --> 08:25.400]  It's very easy.
[08:25.400 --> 08:29.000]  Why we shouldn't have this as the default?
[08:29.000 --> 08:34.800]  Even from whatever, you have your own blog, it doesn't have any sensitive data, but even
[08:34.800 --> 08:40.160]  so, you're going to use HTTPS because it's easy, it's convenient, and it's just more
[08:40.160 --> 08:41.880]  secure.
[08:41.880 --> 08:51.080]  This same mindset is what we need, and what we need to change for people to start really
[08:51.080 --> 08:56.320]  thinking about data in use, of protecting data in use, and it will make everything so
[08:56.320 --> 08:58.320]  much secure.
[08:58.320 --> 09:07.360]  It doesn't matter if your system gets hacked, if everyone has roots access to it, even so,
[09:07.360 --> 09:11.360]  it's not game over, your data is still secure.
[09:11.360 --> 09:19.080]  We hear in the news all the time about all the vulnerabilities, and this could have been
[09:19.080 --> 09:24.280]  prevented by using conflict computing.
[09:24.280 --> 09:34.440]  So Lens Encrypt, it was started in 2012 by four people, two from Mozilla, one from the
[09:34.440 --> 09:38.840]  Electronic Frontier Foundation, and from the University of Michigan.
[09:38.840 --> 09:47.720]  It's the world's largest certificate authority, it provides free TOS encryption, and the Goish
[09:47.720 --> 09:52.600]  really make the web safer using HTTPS.
[09:52.600 --> 09:58.920]  They have a lot of sponsors and partners, as I mentioned, you're part of the Lens Foundation
[09:58.920 --> 10:05.600]  helps them, is a partner, also the Mozilla Foundation, EFF, there's a whole group of
[10:05.600 --> 10:13.280]  people that see the importance of having HTTPS by default today.
[10:13.280 --> 10:20.400]  What makes it possible is that they have developed software that's very easy to use that makes
[10:20.400 --> 10:27.880]  it just, it's a very easy process to enable HTTPS.
[10:27.880 --> 10:38.960]  So they have the ACMA protocol, and they have those who have provided open up search bots,
[10:38.960 --> 10:46.400]  you know what that is, that's the Python application that creates a certificate rights, and on
[10:46.400 --> 10:48.760]  the server side they have Boulder.
[10:48.760 --> 10:55.840]  And these technologies, this software, and this protocol, they make it really easy to
[10:55.840 --> 11:00.920]  achieve HTTPS by default.
[11:00.920 --> 11:06.320]  So I'm not sure if you can see really well here, the contrast is not really good, but
[11:06.320 --> 11:09.240]  you can see the growth here.
[11:09.240 --> 11:10.240]  So this is the-
[11:10.240 --> 11:14.320]  It's quite well on the stream if you happen to have a device.
[11:14.320 --> 11:25.280]  So this is the start of the project, I can't actually see the ears here, but as you can
[11:25.280 --> 11:31.120]  see it's growing right, it has grown a lot, especially here, I'm not sure what happened
[11:31.120 --> 11:44.280]  here, but this is how many certificates they have given rights, and so it's very successful
[11:44.280 --> 11:52.720]  Let's Encrypt is one of the most successful achievements to help secure the web.
[11:52.720 --> 11:55.920]  And how did they accomplish this?
[11:55.920 --> 12:02.560]  What can the Confidential Computing community learn from the Let's Encrypt movements?
[12:02.560 --> 12:09.240]  So here are some key ideas that I thought about, but you can also explore this, and
[12:09.240 --> 12:12.040]  this can be an open discussion as well.
[12:12.040 --> 12:20.680]  So first of all, make a campaign that brings this awareness around the importance of encrypting
[12:20.680 --> 12:28.680]  data while in use, the same way that Let's Encrypt did this for data in transits.
[12:28.680 --> 12:32.200]  For us, HTTPS is just the default way.
[12:32.200 --> 12:35.160]  We can't think of any other way of doing this.
[12:35.160 --> 12:41.800]  Why would we use HTTPS only, right, even for a blog or whatever?
[12:41.800 --> 12:45.160]  It just makes sense.
[12:45.160 --> 12:52.640]  So adoption by TES, by Cloud Service Providers, this is happening right now, so all the major
[12:52.640 --> 12:59.240]  Cloud Service Providers are really making this available, generally available, and they
[12:59.240 --> 13:04.720]  should, they're a bit expensive right now, but they should become more affordable in
[13:04.720 --> 13:06.840]  the future.
[13:06.840 --> 13:12.960]  Of course, all the hardware developers, they have made the technologies available.
[13:12.960 --> 13:20.520]  So Intel, ARM, ARM is still going to release this, but you have AMD as well.
[13:20.520 --> 13:27.160]  They have invested a lot, sometimes even a decade, right, in terms of Intel SGX.
[13:27.160 --> 13:31.960]  We have to develop software that makes it really easy to deploy computer computing.
[13:31.960 --> 13:40.720]  So one of the projects is NRX, we make it really easy, we use WebAssembly to allow developers
[13:40.720 --> 13:47.320]  to deploy applications, and it's really nice if you want to check that out.
[13:47.320 --> 13:52.080]  We have to abstract the complexities, complex computing is really complex.
[13:52.080 --> 13:59.200]  You have to know about encryption, you have to learn about attestation, about the different
[13:59.200 --> 14:06.840]  models that exist to achieve computer computing, and the software has to abstract all those
[14:06.840 --> 14:13.360]  complexities if you want to gain a market share, right?
[14:13.360 --> 14:21.480]  It has to be CSP neutral, it has to be hardware neutral, preferably the developer doesn't have
[14:21.480 --> 14:26.920]  to know if his application is going to run on AMD or Intel or whatever.
[14:26.920 --> 14:31.960]  But it just should work, he's going to deploy this application and complex computing will
[14:31.960 --> 14:39.720]  just, everything will be encrypted and he doesn't have to care about attestation or whatever.
[14:39.720 --> 14:44.400]  Just works, just like let's encrypts.
[14:44.400 --> 14:48.320]  Promotes open source software, I believe open source plays a very important role here, and
[14:48.320 --> 14:54.320]  the complex computing consortium has this as part of its mission to promote open source
[14:54.320 --> 15:00.000]  software, that's why we adopted setting open source projects here.
[15:00.000 --> 15:07.280]  We have to make it affordable, and right now it's very niche, but we have to see that maybe
[15:07.280 --> 15:11.520]  in five years, this is just going to be the default way, right?
[15:11.520 --> 15:15.520]  And maybe eventually it might even be free.
[15:15.520 --> 15:22.080]  So we want to commoditize complex computing at some points, right, to make this a reality
[15:22.080 --> 15:24.440]  by default.
[15:24.440 --> 15:30.400]  And so with that, I would like to thank you for hearing me.
[15:30.400 --> 15:35.720]  You can get in touch with us at the complex computing consortium using this email.
[15:35.720 --> 15:41.600]  And I invite you to join our tech meetings, it happens every other week.
[15:41.600 --> 15:49.640]  And also our outreach meetings, if you want to really learn or share your ideas, your
[15:49.640 --> 15:56.800]  technical ideas, I recommend joining the tech committee and outreach if you want to expand
[15:56.800 --> 15:59.360]  this idea and promote it.
[15:59.360 --> 16:04.320]  So thank you very much, and that's it.
[16:04.320 --> 16:13.320]  Do we have some time for questions?
[16:13.320 --> 16:19.920]  Yes, the first block is a little bit cramped, so there's a little bit less time for questions
[16:19.920 --> 16:20.920]  in the first block.
[16:20.920 --> 16:24.920]  But can you feel to ask some, and I think you're also around for the rest of the day
[16:24.920 --> 16:26.920]  to answer any questions?
[16:26.920 --> 16:34.760]  So with TLS, I have the feeling that the infrastructure was already there, and it was just a problem
[16:34.760 --> 16:40.280]  of it was too complicated, and with confidence in computer computing as a developer, I don't
[16:40.280 --> 16:42.560]  really even know where to start.
[16:42.560 --> 16:50.160]  The infrastructure is coming, the CSPs, they're really adopting computer computing.
[16:50.160 --> 16:55.840]  We had heard some announcements, especially last year, of making this technology generally
[16:55.840 --> 17:03.200]  available, but really the prices need to drop, it must make it really easy for people to
[17:03.200 --> 17:04.200]  adapt this.
[17:04.200 --> 17:07.760]  I currently can't use it on my laptop, for example.
[17:07.760 --> 17:19.320]  But confidence computing is mostly targeted for the server side, or the Edge, or IoT.
[17:19.320 --> 17:28.520]  There are some, the Intel SGX for the PC or for the laptop, in fact, they were kind of
[17:28.520 --> 17:31.360]  degraded.
[17:31.360 --> 17:36.920]  Intel is not supporting this anymore, but yeah.
[17:36.920 --> 17:43.920]  So once I get West, Andrew, the next speaker could maybe already set up while we have the
[17:43.920 --> 17:44.920]  next question.
[17:44.920 --> 17:45.920]  Maybe go ahead.
[17:45.920 --> 17:46.920]  Go ahead.
[17:46.920 --> 17:47.920]  Thank you for a very nice talk.
[17:47.920 --> 17:48.920]  You were talking about the definition of confidential computing, the confidential computing concerns
[17:48.920 --> 17:59.920]  you had decided on, and you mentioned that it was one year to add a test to this definition.
[17:59.920 --> 18:05.920]  So why was that, why wasn't it there in the first place?
[18:05.920 --> 18:12.800]  Yeah, so attestation was not part of the first definition.
[18:12.800 --> 18:18.080]  The reason why is because attestation is really complex, and maybe it wasn't given as much
[18:18.080 --> 18:26.240]  importance as before, but once attestation became a really big discussion after, and
[18:26.240 --> 18:31.760]  in fact they created a special interest group around attestation, and that's when they decided
[18:31.760 --> 18:38.760]  to add a test to this definition.
[18:38.760 --> 19:05.760]  Okay.