On Thu, Apr 27, 2023 at 09:18:08AM -0400, James Bottomley wrote: > I think the problem is that the tenor of the document is that the CSP > should be seen as the enemy of the tenant. Whereas all CSP's want to be > seen as the partner of the tenant (admittedly so they can upsell > services). In particular, even if you adopt (b) there are several > reasons why you'd use confidential computing: > > 1. Protection from other tenants who break containment in the cloud. > These tenants could exfiltrate data from Non-CoCo VMs, but likely > would be detected before they had time to launch an attack using > vulnerabilities in the current linux device drivers. > 2. Legal data security. There's a lot of value in a CSP being able > to make the legal statement that it does not have access to a > customer data because of CoCo. > 3. Insider threats (bribe a CSP admin employee). This one might get > as far as trying to launch an attack on a CoCo VM, but having > checks at the CSP to detect and defeat this would work instead of > every insider threat having to be defeated inside the VM. And generally, all these are instances of adopting a zero trust architecture, right? Many CSPs have no need to access VM memory so they would rather not have the ability. -- MST
