Exploring the Application of Confidential Computing in Financial Data Security Storage

By | China UnionPay Zou Fen Yuan Hang Zhou Yongkai Gao Pengfei He Shuo

In the context of data becoming a new production factor, security issues are crucial, and paying attention to data security has become a global trend. As “critical data resources” within the “national critical information infrastructure,” safeguarding financial data security is not only necessary but also urgent.

The national “14th Five-Year Plan” clearly states the need to strengthen the digital economy security system, enhance data security assurance levels, and further requires research to promote the establishment of a data security standard system, regulating the management of data throughout its lifecycle. In 2021, the People’s Bank of China issued the “Financial Data Security Data Lifecycle Security Specification,” which clarifies the security framework for the financial data lifecycle, requiring financial institutions to build a data security governance system that covers the entire lifecycle of data collection, transmission, storage, usage, and destruction. Data storage security is the bottom line guarantee for data security throughout the data lifecycle. The data storage phase faces significant challenges; on one hand, data transitions from dynamic to static, making the targets clearer for attackers and the difficulty of attack lower; on the other hand, data is centralized from being dispersed, and once breached, the harm is extensive and the impact is broader.

Previously, the People’s Bank of China proposed requirements for the encrypted storage of sensitive data, clarifying that important systems must implement important data protection based on commercial encryption algorithms. In 2023, the People’s Bank of China further clarified the technical measures for data storage protection in the “Data Security Management Measures for the Business Scope of the People’s Bank of China (Draft for Comments),” and encouraged research into more “fine-grained encryption methods” for data security storage innovation solutions.

Currently, there is no suitable solution that can balance security and transformation costs. Against this backdrop, this article conducts research on financial data security storage based on confidential computing technology. By leveraging the hardware-based security capabilities of confidential computing, a secure storage solution is developed, placing important data, keys, and encryption/decryption calculations in a secure and trustworthy operating environment of confidential computing. At the same time, further application explorations are conducted to provide unified secure storage foundational service components for application systems, effectively ensuring the security of financial sensitive data in both computing and storage states.

Existing Storage Encryption Solutions

Currently, there are mainly two types of storage encryption solutions in the industry: one is to achieve data encryption at the application layer, and the other is to perform disk encryption when data is written to disk. Both solutions can achieve the effect of encrypted data storage, but there are still some issues in practical applications.
For application layer encryption solutions, the significant workload for transformation has always been the primary issue affecting its usage. Whether it is combined with hardware encryption solutions using encryption machines or directly using software encryption packages, it requires code-level modifications to the application. Secondly, the security assurance of hardware encryption solutions relies on hardware encryption machines, which can significantly increase costs when encrypting large-scale data storage; while in software encryption solutions, the plaintext of keys is exposed in memory, leading to certain inadequacies in key security.
For disk encryption solutions, the main issue is the level of security protection. This solution has a relatively coarse protection granularity, only capable of defending against physical disk removal attacks. Once the internal environment is compromised, malicious personnel can still read data in plaintext from the application or system level, indicating that the protective capability remains significantly inadequate.
To address the above issues, this article innovatively combines confidential computing technology to develop a secure storage solution based on confidential computing, providing a lightweight and highly secure solution for application systems.

Introduction to Confidential Computing Technology

Confidential computing is a computing model that constructs an encrypted, isolated, and verifiable computing environment based on trusted hardware, ensuring the security of data and computation processes within the environment. The main goal of confidential computing is to protect data in use, leveraging a programmable hardware trusted execution environment with general computing capabilities.
Currently, major chip manufacturers have successively launched confidential computing solutions, with mainstream solutions including Intel SGX, AMD SEV, Haiguang CSV, Intel TDX, ARM TrustZone, etc. Some large domestic and foreign manufacturers are also laying out and exploring confidential computing technology and applications.
This article is based on the Haiguang CSV confidential computing technology route, where CSV is a secure virtualization technology that supports the creation of multiple encrypted virtual machines on physical nodes. The technical framework has the following characteristics.
(1) Resource Isolation. The CPU uses ASID (Address Space ID) to distinguish between the host and different CSV virtual machines, with each encrypted virtual machine using independent CPU resources such as Cache and TLB, achieving resource isolation between encrypted virtual machines and the host. Within the SOC, ASID tags are stored with the data to prevent access by other virtual machines or the host.
(2) Memory Encryption. CSV has secure memory encryption capabilities, executed through a dedicated high-performance SM4 encryption/decryption engine in the chip’s controller. The keys used by the encryption engine are managed by a secure processor integrated into the chip. Data is automatically encrypted when written to memory and automatically decrypted when read from memory, with keys corresponding one-to-one with CSV virtual machines through ASID. Unauthorized entities, even the host operating system or Hypervisor, cannot view the data in the confidential virtual machine, effectively protecting the confidentiality of the data.
(3) Measurable Boot. CSV virtual machines perform dynamic measurements of loaded files during startup to ensure that the booted CSV virtual machine meets expectations, preventing unauthorized entities from tampering and ensuring the integrity of CSV virtual machine data.
CSV confidential virtual machines further combine with Kata container technology to run containers in a confidential virtual machine, achieving a confidential container where all data in use is protected during container execution. Especially in cloud computing scenarios, confidential computing can ensure that tenants’ workloads (data, code, etc.) remain opaque to cloud service providers, allowing tenants to retain full control over their workloads, and preventing unauthorized entities (hosts, administrators, cloud service provider software stacks, etc.) from accessing tenant data, effectively preventing internal intrusions by malicious personnel, and helping to establish technical trust for tenants.

Confidential Computing Secure Storage Service Solution

1. Technical Framework
This article innovatively combines confidential computing technology, proxy gateway technology, and other technologies to develop a confidential computing secure storage service solution based on data security requirements, adding a front-end encryption module (deployed in a confidential computing environment) between applications and databases or file systems, intercepting and parsing data, matching encryption policies, and encrypting sensitive data. The technical framework of the confidential computing secure storage service mainly includes two modules: the front-end encryption module and the management platform.
(1) Front-End Encryption Module. Encryption Proxy: The front-end proxy of the encryption/decryption module, responsible for intercepting and parsing protocol data packets, matching the pre-set encryption policies of the application, and forwarding the data that needs to be processed. Encryption/Decryption Module: Responsible for encrypting or decrypting sensitive data transmitted by the encryption proxy based on national encryption algorithms.
(2) Management Platform. Policy Management: Responsible for setting and managing encryption/decryption policies, allowing applications to customize encryption policies based on data encryption needs, enabling field-level fine-grained data encryption. Key Management: Responsible for key generation, storage, distribution, updating, and other functions.
2. Key Features
To meet the encryption storage needs of application systems, compatible with existing application functions and usage methods, and enhance the user experience of application systems, the confidential computing secure storage service not only implements basic encryption and decryption functions but also provides features such as encryption policy settings, key updates, fuzzy queries, and confidential containers.
(1) Encryption Policy Settings. The application system can customize configuration of encryption/decryption policies, specifying libraries, tables, fields, encryption algorithms, etc., that need to be encrypted. This solution provides two configuration methods for encryption policies.
Method one involves manually configuring encryption policies through the management platform interface. The application extracts table structure information and uploads it to the management platform, selecting the corresponding encryption policy information on the policy management page of the management platform.
Method two involves automatically intercepting DDL statements to generate encryption policies. To flexibly extend and manage encryption policies, support is provided for marking encrypted fields by adding specific rule tags in the comments of database DDL statements. The front-end encryption module can automatically intercept, parse DDL statements, dynamically generate or update encryption policies, providing more flexible and immediate responsiveness to changes in business needs.
(2) Key Updates. Supports periodic updates of data keys and provides batch processing tools for key updates. The key status is divided into normal and transitional states, where the normal state encryption policy contains information for one key currently in use, and the transitional state contains information for both new and old keys. During the transitional phase, data is encrypted using the latest key when written, while data updates, deletions, and queries are processed with both new and old keys without affecting normal service operation. Additionally, the transitional phase allows the use of batch processing tools to refresh old ciphertext data, restoring to normal state after completion.
(3) Fuzzy Queries. In this solution, data is encrypted before entering the database, achieving a form of encrypted database effect, but it also supports some preset common fuzzy query operations. The application system can customize the encryption algorithm, clarifying encryption rules through the encryption algorithm, and during encryption, data is split according to the set encryption rules, processed separately for encryption, and finally combined into a single field of ciphertext.
(4) Confidential Containers. Combining CSV confidential virtual machines with Kata container technology to implement a confidential container solution, where the entire container is protected by the confidential computing environment, ensuring that all operational data is protected when applications run in this confidential container. Additionally, the confidential container is compatible with standard container interfaces, allowing seamless integration with current container management engines, maintaining no difference in usage from ordinary containers, and demonstrating strong versatility.
3. Key Technical Points
(1) Confidential Computing Environment Ensures Data and Key Security. By leveraging the security capabilities of hardware chips in confidential computing, a secure and trustworthy computing environment is constructed, placing sensitive data, encryption/decryption algorithm implementations, keys, and the entire encryption/decryption computation process within the confidential computing environment, significantly enhancing the security of sensitive data throughout the encryption/decryption computation and storage processes, minimizing the risk of data leakage.
(2) Proxy Gateway Encryption Architecture Design Enables Seamless Application Integration. By adopting a proxy gateway encryption form, the application business process is decoupled from the encryption/decryption computation, allowing applications to achieve field-level sensitive data encryption without altering existing business logic and usage methods, significantly reducing the difficulty and cost of application transformation.

Application Practice of Confidential Computing Secure Storage Service

1. Pilot Application Effect
Based on the above solution, the capabilities of the confidential computing secure storage service have been constructed, and further pilot applications have been conducted, thoroughly verifying the service’s functionality, performance, usability, and scalability. A comparison of database encryption before and after (see figure) indicates that the confidential computing secure storage service can be compatible with existing application usage methods, requiring no code-level modifications and no focus on the encryption/decryption processes. After configuring the encryption policy, the only requirement is to modify the connection address in the database client configuration file to point to the front-end encryption module, achieving real-time encrypted storage of sensitive data at a fine-grained field level, significantly reducing the development transformation difficulty and cost for applications. At the same time, for application systems, the front-end encryption module is stateless, allowing for dynamic scaling, demonstrating good scalability.
Exploring the Application of Confidential Computing in Financial Data Security Storage
Figure: Comparison of Database Encryption Before and After

2. Performance Analysis

Confidential computing greatly enhances the security of services, but the increase in security inevitably sacrifices some performance. To analyze the overall performance of the confidential computing secure storage service and the impact of the confidential computing environment on service performance, performance tests were conducted in both ordinary and confidential computing environments.

(1) Testing Method. The national encryption SM4 algorithm was used to encrypt a table with 18 fields, setting encryption for 1, 2, 3, and 4 fields respectively; the front-end encryption module was deployed in both ordinary and confidential computing environments; and the sysbench tool was used on the client side to connect to the front-end encryption module for performance testing.

(2) Resource Configuration. Database resource configuration was set to 4C16G, with the front-end encryption module configured to 2C8G, 4C8G, and 6C8G, and the client configured to 2C8G.

(3) Result Analysis. The overall performance of services in ordinary and confidential computing environments is shown in Table 1 and Table 2.

Table 1: Overall Performance of Services in Ordinary Environment
Exploring the Application of Confidential Computing in Financial Data Security Storage
Table 2: Overall Performance of Services in Confidential Computing Environment
Exploring the Application of Confidential Computing in Financial Data Security Storage

From Table 2, it can be seen that with a configuration of 2C8G and encrypting 1 field, the TPS of the confidential computing secure storage service can reach approximately 2330 (QPS is 6990), meeting the needs of most applications. As resource configuration increases, service performance gradually improves, reaching a TPS of 4369 under a 4C8G configuration, demonstrating good scalability.

To analyze the impact of the confidential computing environment on service performance, a comparative analysis of overall service performance in ordinary and confidential computing environments was conducted. It can be seen that while the confidential computing environment enhances security, it also incurs some performance overhead, with performance loss in the confidential computing environment relative to the ordinary environment being within 20%. As resource configuration increases, performance loss gradually decreases, with performance loss in the confidential computing environment being between 15% and 20% with a 2C resource configuration, fluctuating around 15% with a 4C configuration, and reducing to under 3% with a 6C configuration.

Summary and Outlook

In the context of emphasizing data security and regulatory requirements for the encrypted storage of sensitive data, this article combines confidential computing technology to construct a secure storage service, providing a lightweight and highly secure foundational service component for application systems, effectively ensuring the security of financial sensitive data in both computing and storage states. The confidential computing secure storage service achieves the interception, parsing, encryption, and decryption functions of sensitive data in a way that is seamless to applications, reaching the goal of transforming sensitive data into encrypted storage. Meanwhile, the trustworthy computing environment of confidential computing provides security assurance for the data processing process. Verified by pilot applications, the confidential computing secure storage service demonstrates good usability and can adequately meet application needs.
Data in the financial industry involves national security and social security, making the protection of financial data a top priority. At the same time, data has also become a key production factor in economic activities. In the future, based on satisfying data security storage, financial institutions can further combine emerging technologies such as confidential computing and multi-party secure computing to construct a fully encrypted link for data collection, transmission, computation, and storage, effectively unleashing the potential of data while ensuring the security of financial data throughout its lifecycle, thereby aiding the digital upgrade of the financial industry.

(Source: Financial Electrification)

Share Cybersecurity Knowledge to Strengthen Cybersecurity Awareness

Welcome to follow the official Douyin account of “China Information Security” magazine

Exploring the Application of Confidential Computing in Financial Data Security Storage

“China Information Security” magazine strongly recommends

“Enterprise Growth Plan”

Click the image below to learn more

Exploring the Application of Confidential Computing in Financial Data Security Storage

Leave a Comment