Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

ijlal-loutfi
on 24 July 2023

Why do you also need confidential computing for your private datacenter?



As the adoption of confidential computing gains momentum, a question we often get asked is: why would I need confidential computing in my private data center? However, while it is true that confidential computing has often been associated with addressing security concerns in public cloud environments, its value proposition extends well beyond that.

Confidential computing threat model

To answer this question, we must first understand the underlying threat model of confidential computing. In the public cloud, confidential virtual machines (CVMs) establish a new trust boundary for workloads by encrypting the workload in main memory. This prevents the host operating system, hypervisor, and DMA-capable devices from accessing the sensitive data. Even if these components were compromised, your CVM’s data would still be protected. Without confidential computing, the millions of lines of code comprising the cloud’s system software would have unrestricted access. Moreover, CVMs also protect workloads from the cloud’s operators.

Your private data centre is not confidential

Some argue that private data centres have inherent advantages such as data governance, control, and physical security. And that is all true. Whether your data is encrypted or in plaintext, you always have the authority to decide where it resides, how it is backed up and who can access your server room. 

Image by Fabio from Unsplash

Governance vs security

However, it is important to distinguish between data governance and security. Maintaining control over data is definitely not synonymous with security. You can control where your data lives and still have it be compromised.  

In fact, your on-premises servers are still vulnerable to insiders’ attacks, and they also run the same privileged system software found in the public cloud. Therefore, they are susceptible to the same vulnerabilities and security risks. 

To get a better sense of the scale of this issue, look no further than your organisation’s IT system logs, and how many CVEs you have to routinely patch for your datacenter servers. For example, If you are running a Linux host operating system, then you likely had to patch around 400 CVEs in 2022 alone, half of which had either high or critical severity.  

Without confidential computing, any one of these CVEs, if exploited, could leak your data and compromise its integrity. With confidential computing  in place, you can take all this system software, which will certainly be found to be vulnerable at some point, and put it outside of your confidential workload’s trust boundary. A host OS exploit, for instance, would have absolutely no security impact on your workload. 

This point about the need for confidential computing in the private datacenter is not immediately obvious to many of the customers we talk to. The confusion is also compounded by the public cloud provider’s messaging, which advertises the technology as a way to gain “the same level of security as a private datacenter”, and thus, incentivises more people to move to the public cloud.

Photo by Dave from Unsplash

Ubuntu confidential computing 

To embark on this transformative security journey of making your private data center confidential, you have several options from different silicon providers to choose from. For example, on the X86 architecture, you can consider Intel SGX, Intel TDX, and AMD SEV. If you’re in the ARM ecosystem, TrustZone and the upcoming ARM CCA are available. Keystone is designed for RISC-V architectures, and Nvidia H100 is a great choice for GPUs. 

Whatever your choice of the underlying silicon technology, Ubuntu is a natural choice for you to start this journey, today. Ubuntu has already pioneered supporting technologies like AMD SEV and Intel TDX for confidential virtual machines, and is committed to driving further innovation across all layers of the confidential computing ecosystem. And with Ubuntu confidential VMs being present in all major cloud providers, you can confidently build your hybrid multi-cloud confidential computing  strategy to protect your data wherever it is deployed.

Learn more about Ubuntu security

If you would like to know more about the Canonical approach to security at large, contact us

Additional resources

Related posts


Gabriel Aguiar Noury
21 November 2024

EdgeIQ and Ubuntu Core; bringing security and scalability to device management 

Internet of Things Article

Today, EdgeIQ and Canonical announced the release of the EdgeIQ Coda snap and official support of Ubuntu Core on the EdgeIQ Symphony platform. EdgeIQ Symphony helps you simplify and scale workflows for device fleet operations, data consumption and delivery, and application orchestration. Distributing EdgeIQ Coda as a snap brings the power ...


Ishani Ghoshal
21 November 2024

Ubuntu 20.04 LTS end of life: standard support is coming to an end. Here’s how to prepare. 

Ubuntu Article

In 2025, Ubuntu 20.04 LTS (Focal Fossa) will reach the end of its standard five-year support window. It’s time to start thinking about your options for upgrading. What is an Ubuntu long-term support (LTS) release?  Ubuntu long-term support releases (LTS) are released every 2 years by Canonical. Canonical provides patching and maintenance ...


Felipe Vanni
20 November 2024

Join Canonical in London at Dell Technologies Forum

AI Storage

Canonical is excited to be partnering with Dell Technologies at the upcoming Dell Technologies Forum – London, taking place on 26th November. This prestigious event brings together industry leaders and technology enthusiasts to explore the latest advancements and solutions shaping the digital landscape. Register to Dell Technologies Forum ...