Intel launched on Tuesday its newest server chips, code-named Sapphire Rapids, which will form the backbone of server infrastructure in the public and private cloud.
The chips have built-in security features the company says will prevent attackers from stealing high-value data from computer systems, ensure regulatory compliance, and maintain data sovereignty. These 4th Gen Intel Xeon scalable processors will increase the baseline enclave, and Intel SGX will be able to accurately and securely verify application software loaded in that enclave, the chip giant said in a statement. These server chips fit in with Intel’s confidential computing portfolio.
Confidential computing refers to a security mechanism where a bubble of protection is added around data as it travels over the network between computing systems. That is done through encryption. The Xeon chips add techniques to verify the integrity of code and authentication measures to ensure the data is accessible only to authorized individuals and systems.
The chips create trusted boundaries — which Intel calls trusted execution environments, or TEEs — in which code can be executed. A feature called Trust Domain Execution (TDX) locks down code in a secure enclave that can only be unlocked by those with the right keys or codes. The process of verifying and unlocking the code is called attestation.
The TDX instructions add a boundary around the virtual machine and everything in it, including the guest OS and apps in it, and removes the cloud service provider or other cloud tenants from a trust boundary, said Anil Rao, vice president and general manager for systems architecture & engineering at Intel’s office of the CTO.
TDX leverages a security feature on Xeon chips called Software Guard Extensions (SGX), which is widely used today as a secure enclave to protect data in execution environments. But TDX is much larger in scope and covers a wider range of applications, such as AI in virtualized environments.
Securing Virtual Machines
SGX has been a critical element of Microsoft’s Azure confidential computing offerings so far, and TDX in the newer Sapphire Rapids chips will strengthen the security in virtual machines, said Mark Russinovich, the chief technology officer at Microsoft’s Azure, during the Xeon launch event.
“We look forward to being one of the first cloud providers to offer confidential services based on Intel 4th Gen Xeon scalable processors with Intel TDX later this year, enabling organizations to achieve confidentiality by seamlessly lifting and shifting their workloads without requiring any code changes,” Russinovich said.
Confidential computing could be attractive to organizations concerned about high-value data and applications and services that require strong security.
“It strengthens compliance with data privacy and governance regulations and helps create a more private controlled infrastructure, even when using the public cloud,” said Lisa Spelman, corporate vice president and general manager for Xeon products at Intel, during a press briefing on the new chips.
TDX will also be relevant to customers that want to activate private or regulated data in a way that doesn’t breach confidentiality, Intel’s Rao said.
“Think of a way in which customers use this for multiparty collaborations focused on shared analysis with data privacy,” Rao said.
From Edge to Cloud
Rao provided some examples of sharing sensitive data securely in financial or healthcare organizations, or to share research for fraud detection. He summarized that confidential computing makes it possible to move workloads securely from the private into the public cloud while meeting data residency and compliance requirements.
Intel’s 4th Gen Xeon chips will also be tied to a cloud service called Project Amber, which will help verify trust of computing boundaries from edge to cloud. It will start as an independent attestation service for Intel confidential computing technologies, Rao said. Intel plans to offer Project Amber as a pay-as-you-go feature.
The new Xeon chips will also appear in virtual machine instances in cloud services from Google, IBM, and Alibaba, but the chip maker didn’t comment on whether the cloud providers would specifically offer TDX instructions.
AWS has its own confidential computing offerings, while Microsoft also has virtual machine instances with AMD’s on-chip cloud computing features.
Intel is a dominant player in the server market, with an x86 server market share of 82.5% during the third quarter of last year; its closest rival, AMD, sported a 17.5% market share, according to Mercury Research.
