100th video up

Just six months ago, I started a YouTube channel, What is cybersecurity?, to provide short videos (most are under 4 minutes and all are currently well under 10 minutes) discussing topics and issues in cybersecurity. I’ve spent 25+ years in the field (well before anyone called it “cybersecurity”) and had been wondering how people get into it these days. In particular, I’m aware that not everyone processes information in the same way, and that for many people, short video content is their preferred way of gaining new knowledge. So I decided that this was what I’d do: create short videos, publish frequently and see how it went.

Today, the 100th video was published: What is data privacy?

To celebrate this, here’s a post describing various aspects of the process.

Methodology

I thought it might be interesting to people to understand how I’ve gone about choosing the topics for videos. When I decided to do this, I created a long list of topics (the initial list was over 150) and realised very early on that I was going to have to start with simple issues and build up to more complicated ones if I wanted to be able to address sophisticated concepts. This meant that I’ve started off with some of the basic building blocks in computing which aren’t specifically security-related, just because I wanted to be able to provide basic starting points for people coming to the field.

I was slightly concerned when I started that I’d run out of ideas for topics: this hasn’t been a problem, and I don’t expect it to be any time in the future. Currently, with 100 videos published, I have over 250 topics that I want to cover (which I haven’t recorded yet). Whenever I come across a topic or concept, I add it to the list. There are a few books that I mine for ideas, of which the most notable are:

  • Trust in Computer Systems and the Cloud – Mike Bursell (my book!)
  • Security Engineering (3rd edition) – Ross Anderson
  • CISSP Exam Guide (9th edition) – Fernando Maymi, Shon Harris

As mentioned above, the videos are all short, and, so far, they’re all single-takes, in that each is a single recording, without editing pieces together. That doesn’t mean that I don’t have to re-record quite frequently – I’d say, on average, that 50% of videos require two or more takes to get right.

Audience

Who do I expect to be my audience? These are the personae that I’ve targeted to start with:

  • undergraduates reading Computer Science or similar, with an interest in cybersecurity
  • masters students looking to move into cybersecurity
  • computing professionals wanting more information on specific cybersecurity topics
  • managers or professionals in non-computing roles looking for a definition or explanation of a particular term
  • (after looking at UK students) A level students in Computer Science

Playlists

YouTube encourages you to create playlists to help people find related topics on your channel. These are the playlists that I currently have (I expect to create more as I get into more complex topics):

Cybersecurity concepts compared takes two or more topics and draws out the differences (and similarities). There are so many complex topics in cybersecurity which are really close to each other and it’s not always easy to differentiate them.

Equipment and software

Here’s the equipment and software I’m using.

Equipment

System: AMD Ryzen 9 3900X 12-Core Processor, 32GB RAM

Camera: Razer Kiyo Pro (though currently I’m trying out a Sony ZV-E10, which provides lovely video, but requires a 175ms audio delay due to USB streaming processing performance)

Microphone: audio-technica AT2035

Pre-amp: Art Tube MP-Studio V3

Software

Operating system: Fedora 39 Workstation

Studio: OBS Studio

Transcription: Buzz

Audio stripping: ffmpeg and some very light bash scripting

Thumbnails: Canva

Most watched? “Encapsulation”

“Thank you, I have a test tomorrow and you helped clear things up!”

As I mentioned in my last article on this blog, I’ve started a YouTube channel called “What is cybersecurity?” aimed at people wanting to get into cybersecurity or looking to understand particular topics for professional reasons (or personal interest). So far, the most popular video is “What is encapsulation?”. I was delighted to get a comment on it from a new subscriber saying “Thank you, I have a test tomorrow and you helped clear things up!”. This is exactly the sort of use to which I’ve been hoping people will put my channel videos.

Since I launched the channel, I’ve been busy recording lots of content, applying some branding (including thumbnails, which make a huge difference to how professional the content looks), scheduling videos and trying to get my head around the analytics available.

I have to say that I’m really enjoying it, and I’m going to try to keep around a month’s content ready to go in case I’m unable to record things for a while. In order to get a decent amount of content up and provide an underlying set of information, I’m aiming for around 3 videos a week for now, though that will probably reduce over time.

For now, I’m concentrating on basic topics around cybersecurity, partly because every time I’m tempted to record something more complex, I realise how many more basic concepts it’s going to rely on. For example, if I want to record something on the CIA triad, then being able to refer to existing content on confidentiality, integrity and availability makes a lot of sense, given that they’re building blocks which it’s helpful to understand before getting your head around what the triad really represents and describes.

As well as single topic videos, I’m creating “What’s the difference…?” videos comparing two or three similar or related topics. There are so many topics that I remember being confused about, or still am, and have to look up to remind myself. I try to define the topics in separate videos first and then use the “What’s the difference…” video as a comparison – then people can refer to the stand-alone topic videos to get the specifics if they need them.

So, it’s early days, but I’m enjoying it. If you are interested in this topic or if you know people who might be, please do share the channel with them: it’s https://youtube.com/@trustauthor. Oh, and subscribe! I also want suggestions for topics: please let me know what questions or issues you think I should be covering.

My YouTube channel: “What is cybersecurity?”

TL;DR: subscribe to my channel What is cybersecurity?

I’ve been a little quiet here recently, and that’s a result of a number of events coinciding, including a fair amount of travel (hello Bilbao, hello Shanghai!), but also a decision I made recently to create a YouTube channel. “Are there not enough YouTube channels already?” you might reasonably ask. Well yes, there are lots of them, but I’ve become increasingly aware that there don’t seem to be any which provide short, easy-to-understand videos covering the basics of cybersecurity. I’m a big proponent of encouraging more people into cybersecurity, and that means that there need to be easily-found materials that beginners and those interested in the field can consume, and where they can ask for more information about topics that they don’t yet understand. And that’s what seems to be missing.

There are so many different concepts to get your head around in cybersecurity, and although I’ve been running this blog for quite a while, many of the articles I write are aimed more at existing practitioners in the field. More important than that, I’m aware that there’s a huge potential audience out there of people who prefer to consume content in video format. And, as any of you who have actually met me in real life, or seen me speak at conferences, will know, I enjoy talking (!) and explaining things to people.

So my hopes are three-fold:

  1. that even if the channel’s current content is a little basic for you now, as I add more videos, you’ll find material that’s useful and interesting to you;
  2. that you’ll ask questions for me to answer – even if I don’t post a response immediately, I’ll try to get to your topic when it’s appropriate;
  3. that you’ll share the channel widely with those you work with: we need to encourage more people to get involved in cybersecurity.

So, please subscribe, watch and share: What is cybersecurity? And I’ll try to keep interesting and useful content coming.

“E2E Encryption and governments” aka “Data loss for beginners”

This is not just an issue for the UK: if our government gets away with it, so will others.

I recently wrote an article (E2E encryption in danger (again) – sign the petition) about the ridiculous plans that the UK government has around wanting to impose backdoors in messaging services, breaking end-to-end encryption. In fact, I seem to have to keep writing articles about how stupid this is:

You shouldn’t just take my word about how bad an idea this is: pretty much everyone with a clue has something to say about it (and not in a good way), including the EFF.

One of the arguments that I’ve used before is that data leaks happen. If you create backdoors, you can expect that the capabilities to access those backdoors and the data that you’ve extracted using those backdoors will get out.

How do we know that this is the case? Because government agencies – including (particularly…?) Law Enforcement Agencies – are always losing sensitive data. And by losing, I don’t just mean having people crack their systems and leaking them, but also just publishing them by accident.

“Surely not!” you’re (possibly) saying. “Of all the people we should be trusting to keep sensitive data safe, the police and other LEAs must be the best/safest/most trustworthy?”

No.

I’d just like to add a little evidence here. The canonical example is a leak exposed in 2016 in which data about 30,000 DHS and FBI employees was made public.

But that was the US, and nothing like that would happen in the UK, right? I offer you four (or five, depending on how you count) counter-examples, all from the past few months.

I’m not saying that our police forces are incompetent or corrupt here. But as everyone in the IT security (“cybersecurity”) business knows, attacks and data loss are not a matter of “if”, they are a matter of “when”. And once it’s out, data stays out.

We must not allow these changes to be pushed through by governments. This is not just an issue for the UK: if our government gets away with it, so will others. Act now.

Patents for software start-ups – an introduction

Having a budget assigned and time set aside for patent creation and filing should be an important part of your company strategy.

To learn more about creating and applying for patents, please visit my consultancy, P2P Consulting, for more detail about how we can help you.


Disclaimer: I’m not a lawyer! Don’t treat any of this article as legal advice: always consult your legal counsel for legal matters.

When I was fund-raising for our start-up (just a couple of years ago at time of writing), one of the questions that frequently came up was “what about IP”? For the techies amongst my readership, this isn’t “Internet Protocol”, but “Intellectual Property”, and, for most start-ups, what the question really meant was “do you have any patents to protect your business idea and the technology behind it?”. When the question wasn’t forthcoming, I would always raise it myself, because, as it happened, we did have a good story around Intellectual Property.

Unlike many other start-ups, it turns out.

There are four types of Intellectual Property, which we can list thus, including their relevance to start-ups (I’m concentrating on software start-ups, as the situation is somewhat different for other kinds of business):

  • Copyright – protects the implementation and expression of code
  • Trademarks – protect things like your logo and colour scheme
  • Patents – protect the functionality of the code
  • Trade secrets – have to be protected through secrecy, NDAs, etc.

If you decide that you need to do more than just rely on trade secrets (which are all very well for soft drink recipes and things which can’t be reverse engineered, but aren’t great for software), and you’re more interested in the software side of IP than trademarks, that leaves two key types: copyright and patents. People get these confused, and although I’m not a lawyer (see disclaimer above…), the way I understand the difference is this: copyright just protects the bits and bytes of the code in the way that it’s written, whereas a patent protects what it does. A competent engineer can look at your code (or its effects, sometimes) and rewrite it (in another language, using different patterns, using subtly different processes) to get the same effects, so copyright doesn’t really help here. A patent protects you from someone implementing the same effects – or, more accurately, the processes, methods and mechanisms that you use to create these effects – and this is almost always the type of protection you want.

What can you patent?

Now, you can’t just patent anything, and there are actually differences between what you can patent depending on the authority granting the patent (the US patent authorities’ rules differ from those of the European Union, for instance), but a couple of rules of thumb are useful as starting points:

  1. you can’t generally patent mathematical equations or algorithms;
  2. you can’t patent business processes.

What you generally can patent (depending on your jurisdiction, etc.) are processes and mechanisms that would be difficult or impossible for humans to do on their own and which also make or cause changes to external systems (such as causing things to happen in the physical world).

Another important test is that the idea should be both novel and also not immediately obvious to someone skilled in the art. This is often a lower bar than most engineers think, it turns out: once an idea is explained to you, it often feels obvious, but that doesn’t mean it was to start with!

What should I patent?

Subject to the points mentioned above, you can patent pretty much anything you want, but it probably doesn’t make sense to patent everything you come up with: if you’re in the AI business, then patenting an idea around 3D printing for efficient traffic lights probably isn’t sensible (unless your AI is great at CAD/CAM, maybe). The patent process is resource-intensive (typically consuming the time and effort of senior engineers and staff who you’d prefer to be spending their time on getting your product or service out of the door) and fairly expensive. You should work on a strategy to decide what is key to your business now, what is likely to be key in the future, what might help you in possible technical or business pivots and what might protect you from competitors now and in the future. The exact priorities between those will vary from company to company, but understanding these – and having a budget assigned and time set aside for patent creation and filing – should be an important part of your company strategy.

When can you patent?

The obvious answer is “as soon as you have the idea” – you absolutely don’t need to have an implementation of it. Beyond that, things vary (again) between jurisdictions. Generally, good advice is to apply for a patent before you disclose anything about the idea to anyone else via an academic paper, GitHub repository, conference session, LinkedIn post or similar (though conversations under NDA should generally be OK). For US patents, you generally have a year after first disclosure, but in other jurisdictions, you don’t, so be careful!

Why should I patent?

The best answer, I think, is “to protect your core business” – aligned, therefore, with your answers to the question “what should I patent?” above. Some key reasons that people create patents include:

  • Company valuation
  • Defensive / fight back
  • License/sell
  • Market/partner
  • Sue

Offensive use of patents is unlikely for start-ups, but all the others can be very useful, even if licensing or selling them may seem like a way down the road for many early stage companies. The two which are likely to be most interesting for early stage companies are valuation and defensive. Showing that your company has real ideas (which are, what’s more, protected by law) is a great signal of value for almost any type of exit. On the other hand, if there are companies out there who threaten you, alleging that you are impinging on their space and ideas, being able to say “we have a patent in this area, back off” can seriously reduce the amount of time and money that you spend on lawyers. And that makes everyone happy (apart, maybe, from the lawyers).

There are sometimes reasons that people are reluctant to apply for patents. These include a lack of knowledge of the process (which this article is hopefully addressing), a decision to protect trade secrets instead and moral qualms around the whole question of whether software should be patented at all. Many of those concerned about this last point worry about “patent trolls” and the techniques they use to attack and restrict expression of ideas, particularly in open source. Luckily, there are some very good models and organisations designed to address exactly this point: if you want more information, I strongly advise reading up about the Open Invention Network, the LOT Network and the Red Hat Patent Promise.

How should I start?

I plan to write more articles on how to get started with patents, but there are three steps that I’d strongly advise all start-ups to consider as soon as they are able:

  1. consider an IP strategy, and discuss it at the Board level (this will, I promise, send good signals to your investors!).
  2. set time aside every few weeks to discuss possible patent ideas and record the idea, the date it was created, and who was involved in its invention. This is important information that you’ll need when you do start the patenting process.
  3. think hard before sharing any important, business-critical technical information externally, as disclosure may hinder your ability to patent it in the future. You should talk to all your employees about this (not just the techies!).

The other thing you can do, of course, is talk to an expert in patent creation (often called “harvesting”) and filing. Intellectual Property lawyers specialise in the latter part of the process, but the actual creation and preparation of ideas in such a way that lawyers can efficiently help move you through the filing process (sometimes called, somewhat scarily, “prosecution”) is a different set of skills. This part of the process is something I’m very happy to help you with through my consultancy, P2P Consulting: do get in touch for more details.

Executive Director: executing direction, or directing execution?

What does an Executive Director do?

Towards the end of April this year (2023), I joined the Confidential Computing Consortium as the Executive Director, and I thought it might be interesting to reflect on what that means. I’ve been involved with the CCC since its foundation in October 2019: in fact, I was one of those who helped shape it and move it to foundation from its inception a few months earlier. I have, at various times, acted as the Red Hat (Premier Member) representative on the Governing Board, project representative for Enarx, Treasurer, member as part of Profian, and General Member representative, before a brief period of a couple of months, as we closed down Profian, where I wasn’t involved. I’ve spoken for the CCC at conferences, staffed booths, written blog posts, contributed to white papers, helped commission a market report, recruited members and done pretty much everything else that is involved in a Linux Foundation project. It’s been a fairly large part of my professional life for approaching four years.

So I was very happy to be invited to apply to be Executive Director, a position that had been mooted while I was still involved in the consortium, but which I’d had no expectation of being approached about. But what does an Executive Director do? I don’t see any reason not to share a cut-down version of the role description as per the contract (redacted just for brevity, and not for any reasons of confidentiality):

  • Attending events, speaking, providing booth presence, etc.
  • Blogging as appropriate, participating in podcasts, etc. to raise awareness about the CCC and its mission.
  • Engage premier and general members to encourage involvement and solicit feedback, helping the governing board set goals and milestones if appropriate, and generally taking the pulse of the organization from the members’ perspective.
  • Recruit new membership from relevant organizations.
  • Recruit new projects to the CCC.
  • Attend Governing Board meetings and report on work to date and plans for the next period. Report out via simple slides for the governing board presentation.

This is a short but very broad brief and it raises the question: does an Executive Director direct things (are they foremost a manager?) or execute things (are they foremost a task performer?)?

The answer, of course, will vary from organisation to organisation and I know that is true even between the Executive Directors for different Linux Foundation projects, but for me, it’s a (sometimes uneasy) “both”. Member organisations are both blessed and plagued by the fact that, to start with, nothing gets done unless members’ employees do it. They need to arrange meetings, organise conference attendance, manage webinars, write white papers and all the rest. They may get some implementation help for some of these (the Linux Foundation, for example, has a number of functions which can provide help for particular specialist functions like marketing, research or project management), but most of it is run by the members and their employees. And then they get to the stage where they decide that they need some help at a senior level.

What does that person do? Well, here are some words that I think of when I consider my role:

  • support
  • chivy
  • encourage
  • recruit
  • explain
  • advertise
  • represent
  • engage
  • report

You’ll note that some of these are words that are about working with people or members (e.g. support, engage, encourage), whereas others are more about doing things (e.g. advertise, explain, represent). The former feel more like the “directing” part of the role and the latter feel more like the “executing” part of the role. Obviously, they’re not mutually incompatible, and some of the words can lean in both directions, which makes it even more clear to me that it’s a hybrid role that I’m fulfilling.

Given my hybrid background (as a techie with business experience), this feels appropriate, and I need to keep ensuring that I balance the time I spend on different activities carefully: I can neither spend all my time on making technical comments on a draft report on GRC (governance, risk management and compliance) nor on considering recruitment options for new members in the Asia Pacific region. But at the same time, it feels sensible that, as someone tasked with having an overview of the organisation, I keep at least some involvement (or knowledge of) all the major moving parts.

It doesn’t change the fact, however, that things only really get done when members get involved, too. This is one of those areas where it’s entirely clear to me that I can only execute tasks to a certain level: this has to be a collaborative role, which frankly suits me and my management style very well. The extent to which I keep an eye on most things, and the balance of work between me, members and other functions of the organisation, are likely to change as we continue to grow, but for now, I’m very much enjoying the work I’m doing (and the interactions with the people I’m doing it with) and juggling the balance of executing versus directing.

7 tips on how not to be a good boss

The more of these you adopt in your management style, the more successful you’re going to be (at not being a good boss).

Dedicated to AB: who helped me get it right (the times that I did).

I’ve written “how not to” guides before (e.g. 7 tips on how not to write a book), but now that I’m not a boss anymore (after we closed down Profian earlier this year), I feel there’s enough space between when I was a boss and now for me to write my latest. I’m not pretending I was the best boss in the world (though one of my previous employees just sent me a mug saying “World’s Best Boss” – just sayin’), but I tried to model good behaviour and a healthy work environment. I had to work at this: it’s not my default place of comfort. So if I can get how you’re supposed to do it, then hopefully anyone can.

Note: please, please recognise that this is satire. Please.

1. Don’t ask how your employees are

Some people start off meetings with small talk. This is not what you want. They find out what participants have been up to, what they plan to do over the weekend, and other irrelevant “EQ” stuff like that. None of this is related to business and is a distraction from the work that your employees are paid to do. In fact, that you are paid (or pay yourself) to do. It’s a waste of time, and time is money, so it’s a waste of money, particularly when it’s your time and your money. You don’t need to know other people, or their views on priorities, to work with them or manage them. Give them tasks, get a move on.

2. Expect the same commitment from your employees that you put in

You may be paid more than everyone else (if you’re not, then why not? Fix that!), and the organisation for which you work is what defines you and everything about you, and this may not be true for everybody else you manage, but that’s no excuse for them not giving everything (their workday, their evenings, their weekends, their health – emotional, physical, spiritual, mental) for the company. That goes for the lowest paid to the highest paid employee (you). If they’re not giving it their all at all times, they don’t deserve a job. Get on with it.

3. Family? Friends? Pets? What do I care?

People get ill? Maybe. What’s that to do with me? You’re paid to do a job, and that job doesn’t include your taking time off to look after them. And certainly not pets. Pets aren’t even people. So they can’t be family. Ridiculous. They can make their own way to the doctor/vet. Oh, and by “taking time off”, I include evenings and weekends when you should be doing as I do and committing every last minute of your time to the company (see previous note).

4. Talk, don’t listen

You’ve been a junior person (unless Daddy/Mummy promoted you directly to where you are, in which case, well done), and so you know all of the important things: there’s nothing else that people need to teach you. This means that you can tell them what needs to happen, and if things don’t happen as they should, then that’s their fault for not paying sufficient attention to you and your words of wisdom – or just being too stupid to understand. In either case, disciplinary proceedings are likely to follow. And not for you, absolutely not.

5. Apportion blame, take credit

When things go wrong (which they often do – see above), then it’s not your fault. Make that clear. Spread blame. However, when things happen to go right, we all know who that’s down to, don’t we? You. Your leadership. Your vision. Your management. Even if you don’t actually know much about what went right, you can still take the credit. What a brilliant boss you are.

6. Keep information close to you

Most people don’t need to know things. Provide the very least that they need to do their jobs – or, preferably, even less than that: make them work it out themselves. If they need information, you have leverage. You can get them to work harder, or take on new tasks, or hold off from that raise that you’ve been dangling in front of them for the past 18 months. This is also useful when taking credit for things your team has done: if nobody else knows the details, there’s less chance that they’ll try to question you on it.

7. Expect telepathy

You can’t do everything. This is both a blessing and a curse, in that you have less control, but more free time (or time to do the things you find important, which is nearly the same thing, or should at least seem to be the same thing to your employees). This means that you have to delegate. There are four methods to delegate:

  1. Research – get a subordinate to research options and report back so you can make a decision.
  2. Updates – the subordinate does the work, reporting back to you as required across the duration of the tasks.
  3. Done – the subordinate does the work, and tells you when it’s complete.
  4. Exterminate – you hand the task completely over to the subordinate, to be completed or killed at their discretion, no need to inform you.

You’ll note that these form an acrostic: “RUDE”. This is because it would be rude of you to give any clues as to which of these models you expect when you tell someone to do a task. They should be able to work it out themselves telepathically and, again, the less information you give them, the more opportunities there are for it to be their fault when it goes wrong.

I hope this list of tips is useful for anyone wanting not to be a good boss. I can pretty much guarantee that the more of these you adopt in your management style, the more successful you’re going to be (at not being a good boss). Good luck!

Announcing P2P Consulting

A consulting practice reflecting the expertise and experience I’ve built up over the past 25+ years in the industry.

It’s been a few months since we decided to close down Profian, the start-up we created around the Enarx project, and I’ve been working on what my next steps should be. The first, and most obvious, is that I started a couple of months back as Executive Director for the Confidential Computing Consortium, part of the Linux Foundation. I’ve also got far too good at a number of online games – too embarrassing to list here. But the other thing that I’ve been working on is starting a consulting practice, reflecting the expertise and experience I’ve built up over the past 25+ years in the industry.

There are a number of services that I’m offering:

  • software patent strategy and harvesting
  • open source strategy
  • start-up strategy
  • VC and PE due diligence
  • cybersecurity

Some of them speak for themselves: I’ve been in what’s now called “cybersecurity” for over 20 years, and my previous role was as CEO and Co-founder of a start-up. I’ve also been involved in due diligence, which explains the Venture Capital and Private Equity offerings. I plan to write more about all of the offerings in future articles, but the other two – around software patents and open source strategy – probably deserve a little more detail at this point.

Here are the basic descriptions of these services – feedback is definitely welcome:

Patent strategy and harvesting

Intellectual property is a valuable resource for start-ups: for valuation, partnership and competitive advantage. Many start-ups know that they should be managing their Intellectual Property – in particular filing patents – but few have the skills or time to do so efficiently. P2P Consultancy runs in-person patent workshops to generate ideas (“harvesting”) and works with management on the appropriate company strategy, selecting harvested ideas that are best aligned. P2P Consultancy can then work through the process of taking each patent idea through the write-up, discussion and filing stages with patent lawyers, saving valuable staff time and helping the company internalise the skills and gain the experience needed to manage the process in future.

Open source strategy

P2P Consulting offers services to companies looking to build a strong strategy for their involvement with open source projects and communities which is consistent with the commercial goals of the organisation. Mike Bursell, P2P Consulting’s founder, has been involved with open source strategy for over 15 years, in companies ranging from multi-nationals to start-ups, considering issues ranging from community growth and involvement to open source licensing decisions, intellectual property protection and go-to-market. P2P Consulting provides expertise and links in the open source ecosystem and insights into the opportunities and challenges associated with embracing open source as a strategic differentiator.

I look forward to growing the consultancy alongside my other activities, and offering these services particularly to start-ups looking to consolidate their patent portfolios and expand their open source involvement. For queries, please visit the P2P Consulting LinkedIn page or the website at https://p2pconsulting.dev, or email me at mike@p2pconsulting.dev.

Zero trust and Confidential Computing

Confidential Computing can provide two properties which are excellent starting points for zero/explicit trust.

I’ve been fairly scathing about “zero trust” before – see, for instance, my articles Thinking beyond “zero-trust” and “Zero-trust”: my love/hate relationship – and my view of how the industry talks about it hasn’t changed much. I still believe, in particular, that:

  1. the original idea, as conceived, has a great deal of merit;
  2. few people really understand what it means;
  3. it’s become an industry bandwagon that is sorely abused by some security companies;
  4. it would be better called “explicit trust”.

The reason for this last point is that it is impossible to have zero trust: any entity or component has to have some level of trust in the other entities/components with which it interacts. More specifically, it has to maintain trust relationships – and what they look like, and how they’re established, evaluated, maintained and destroyed, is the core point of discussion of my book Trust in Computer Systems and the Cloud. If you’re interested in a more complete and reasoned criticism of zero trust, you’ll find it in Chapter 5: The Importance of Systems.

But, as noted above, I’m actually in favour of the original idea of zero trust, and that’s why I wanted to write this article about how zero trust and Confidential Computing, when combined, can actually provide some real value and improvements over standard distributed architectures (particularly in the Cloud).

An important starting point, however, is to note that I’ll be using this definition of Confidential Computing:

Confidential Computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment.

Confidential Computing Consortium, https://confidentialcomputing.io/about/

Confidential Computing, as thus described, can provide two properties which are excellent starting points for components wishing to exercise zero/explicit trust, which we’ll examine individually:

  1. isolation from the host machine/system, particularly in terms of confidentiality of data;
  2. cryptographically verifiable identity.

Isolation

One of the main trust relationships that any executing component must establish and maintain is with the system that is providing the execution capabilities – the machine on which it is running (or the virtual machine, which presents similar issues). When you say that your component has “zero trust”, but it has to trust the host machine on which it is running to maintain the confidentiality of the code and/or data associated with the component, then you have to accept that you do actually have an enormous trust relationship: with the machine and with whomever administers/controls it (and that includes anyone who may have compromised it). This can hardly form the basis for a “zero trust” architecture – but what can be done about it?

Where Confidential Computing helps is by allowing isolation from the machine which is doing the execution. The component still needs to trust the CPU/firmware that’s providing the execution context – something needs to run the code, after all! – but we can shrink the number of trust relationships required significantly, and provide cryptographic assurances on which to base the relationships that remain (see Attestation, below).

Knowing that a component is isolated from another component allows that component to have assurances about how it will operate and also allows other components to build a trust relationship with that component with the assurance that it is acting with its own agency, rather than under that of a malicious actor.

Attestation

Attestation is the mechanism by which an entity can receive assurances that a Confidential Computing component has been correctly set up and can provide the expected properties of data confidentiality and integrity, and code integrity (and, in some cases, code confidentiality). These assurances are bound cryptographically to a particular Confidential Computing component (and the Trusted Execution Environment in which it executes), which allows another property to be provided as well: a unique identity. If the attestation service binds this identity cryptographically to the Confidential Computing component by means of, for instance, a standard X.509 certificate, then this can provide one of the bases for trust relationships both to and from the component.

Establishing a “zero trust” relationship

These properties allow zero (or “explicit”) trust relationships to be established with components that are operating within a Confidential Computing environment, and to do so in ways which have previously been impossible. Using classical computing approaches, any component is at the mercy of the environment within which it is executing, meaning that any trust relationship that is established to it is equally with the environment – that is, the system that is providing its execution environment. This is far from a zero trust relationship, and is also very unlikely to be explicit!

In a Confidential Computing environment, components can have a small number of trust relationships which are explicitly noted (typically these include the attestation service, the CPU/firmware provider and the provider of the executing code), allowing for a much better-defined trust architecture. It may not be exactly “zero trust”, but it is, at least, heading towards “minimal trust”.
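To make the Attestation section and the “minimal trust” relationships just described concrete, here is an added example (my own illustration, not code from the original post, from the Confidential Computing Consortium, or from any TEE vendor). It is a toy version of the flow: a “platform” signs a report over a measurement of the code plus report data that the workload uses to bind its own public key to a verifier-chosen nonce; the attestation service checks the platform signature, the measurement against an explicit allowlist, and the key binding, then issues a short-lived X.509 certificate naming the measurement; a relying party accepts that certificate only from the attestation service’s CA and only for the measurement it expects. The report layout, the JSON encoding that is signed, the allowlist policy and the certificate contents are all assumptions chosen to keep the example short; a real report (SGX, SEV-SNP, TDX or similar) carries many more fields and is signed by a hardware-rooted key with its own certificate chain. Note how few parties the workload and the relying party end up trusting: the platform key, the attestation service and the provider of the measured code.

```go
// Added example, not code from the original post or any TEE vendor: a toy attestation flow in
// which a "platform" key stands in for the hardware-rooted attestation key. Report layout,
// policy and certificate contents are assumptions made to keep the flow short.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// Report is a simplified stand-in for a hardware attestation report.
type Report struct {
	Measurement []byte `json:"measurement"` // hash of the code loaded into the TEE
	ReportData  []byte `json:"report_data"` // hash(workload public key || nonce), chosen by the workload
	Nonce       []byte `json:"nonce"`       // freshness challenge supplied by the verifier
}

// Attest is what the CPU/firmware does: sign the report with the platform key (the one party the
// workload must still trust). Struct fields marshal in a fixed order, so both sides sign/verify the same bytes.
func Attest(platformKey ed25519.PrivateKey, measurement, reportData, nonce []byte) (Report, []byte) {
	r := Report{Measurement: measurement, ReportData: reportData, Nonce: nonce}
	encoded, _ := json.Marshal(r)
	return r, ed25519.Sign(platformKey, encoded)
}

// BindingHash ties the workload's key to the verifier's nonce; the workload puts it in ReportData.
func BindingHash(pub ed25519.PublicKey, nonce []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, pub...), nonce...))
	return h[:]
}

// Verifier is the attestation service; its trust is explicit: one platform key, an allowlist of hex measurements, its own CA.
type Verifier struct {
	PlatformKey ed25519.PublicKey
	Allowed     map[string]bool
	CACert      *x509.Certificate
	caKey       ed25519.PrivateKey
}

// issue signs tmpl for pub under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewVerifier(platformKey ed25519.PublicKey, allowed map[string]bool) (*Verifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example attestation service CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	v := &Verifier{PlatformKey: platformKey, Allowed: allowed, caKey: priv}
	if v.CACert, err = issue(ca, ca, pub, priv); err != nil {
		return nil, err
	}
	return v, nil
}

// VerifyAndIssue checks platform signature, policy, freshness and key binding, then issues a
// short-lived certificate whose subject records the measurement the workload was attested with.
func (v *Verifier) VerifyAndIssue(r Report, sig []byte, workloadKey ed25519.PublicKey, nonce []byte) (*x509.Certificate, error) {
	encoded, _ := json.Marshal(r)
	if !ed25519.Verify(v.PlatformKey, encoded, sig) {
		return nil, errors.New("report not signed by a trusted platform")
	}
	mk := hex.EncodeToString(r.Measurement)
	if !v.Allowed[mk] {
		return nil, errors.New("measurement " + mk + " not permitted by policy")
	}
	// Recomputing with the verifier's own nonce checks freshness and key binding in one step.
	if string(r.ReportData) != string(BindingHash(workloadKey, nonce)) {
		return nil, errors.New("report is stale or does not bind the presented workload key")
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:      pkix.Name{CommonName: "attested-workload", OrganizationalUnit: []string{mk}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), // re-attest to renew
	}
	return issue(leaf, v.CACert, workloadKey, v.caKey)
}

// CheckIdentity is the relying party's side: trust only the attestation service CA, and
// insist on a specific measurement rather than accepting "any attested workload".
func CheckIdentity(cert, root *x509.Certificate, measurement []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if ou := cert.Subject.OrganizationalUnit; len(ou) != 1 || ou[0] != hex.EncodeToString(measurement) {
		return errors.New("certificate was issued for a different measurement")
	}
	return nil
}
```

Two design points are worth noting. First, the nonce is chosen by the verifier and folded into the report data together with the workload key, so a captured report cannot be replayed later or re-used with a different key: the same check rejects both a stale report and one that was produced for somebody else’s key. Second, the certificate is deliberately short-lived and carries the measurement in its subject, so a relying party can pin to a specific version of the code rather than to “anything this CA has ever signed”; renewing it means attesting again.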

SF in June: Confidential Computing Summit

A good selection of business-led and technical sessions

It should be around 70F/21C in San Francisco around the 29th June, which is a pretty good reason to pop over to attend the Confidential Computing Summit which is happening on that day. One of the signs that a technology is getting some real attention in the industry is when conferences start popping up, and Confidential Computing is now at the stage where it has two: OC3 (mainly virtual, Europe-based) and CCS.

I have to admit to having skin in this game – as Executive Director of the Confidential Computing Consortium, I’ll be presenting a brief keynote – but given the number of excellent speakers who’ll be there, it’s very much worth considering if you have an interest in Confidential Computing (and you should). I’d planned to paste the agenda into this article, but it’s just too large. Here is a list of just some of the sessions and panels, instead.

  • State of the Confidential Computing Market – Raluca Ada Popa, Assoc. Prof CS, UC Berkeley and co-founder Opaque Systems
  • Confidential Computing and Zero Trust – Vikas Bhatia, Head of Product, Microsoft Azure Confidential Computing
  • Overcoming Barriers to Confidential Computing as a Universal Platform – John Manferdelli, Office of the CTO, VMware
  • Confidential Computing as a Cornerstone for Cybersecurity Strategies and Compliance – Xochitl Monteon, Chief Privacy Officer and VP Cybersecurity Risk & Governance, Intel
  • Citadel: Side-Channel-Resistant Enclaves on an Open-Source, Speculative, Out-of-Order Processor – Srini Devadas, Webster Professor of EECS, MIT
  • Collaborative Confidential Computing: FHE vs sMPC vs Confidential Computing. Security Models and Real World Use Cases – Bruno Grieder, CTO & Co-Founder, Cosmian
  • Application of confidential computing to Anti Money Laundering in Canada – Vishal Gossain, Practice Leader, Risk Analytics and Strategy, Ernst and Young

As you can tell, there’s a great selection of business-led and technical sessions, so whether you want to delve into the technology or understand the impact of Confidential Computing on business, please come along: I look forward to seeing you there.