Confidential computing in hybrid cloud: where it fits

Cloud and Cybersecurity

Articles by Ricardo Silva

A practical view of confidential computing in hybrid cloud, focusing on data in use, trust, governance and technical limits.

Confidential computing in hybrid cloud: where it fits

TL;DR

The problem: data protected until execution

Many security architectures handle data well when it is stored or in transit. Encryption for disks, databases, objects and communications is now common in enterprise environments. The challenge appears when an application needs to process that data: at that point, information must be decrypted in memory and becomes dependent on the trust placed in the operating system, hypervisor, infrastructure administrator and cloud provider controls.

What confidential computing adds

Confidential computing aims to reduce that trust surface through isolated execution environments, often backed by hardware capabilities. These environments, commonly known as enclaves or trusted execution environments, help protect code and data while they are being processed. The solution is not purely technical: to be useful in production, it should include attestation, key management, identity integration and secure operations. For organisations working across hybrid environments, this approach can complement a [confidential computing](/en/solutions/confidential-computing) strategy where sensitive data or relevant external dependencies are involved.

Where it can make sense

The technology tends to be more interesting when several entities need to collaborate without fully exposing their data to each other, when workloads involve regulated information, or when the organisation wants to limit the trust required in the infrastructure operator. Common examples include joint data analysis, financial information processing, healthcare data handling, inference over sensitive data and execution of critical components in public cloud. In [hybrid cloud and multicloud](/en/solutions/cloud) scenarios, confidential computing can help create a more consistent protection model across local infrastructure and external services.

Trust is not only isolation

A common mistake is assuming that the enclave solves the whole problem. In practice, it is necessary to validate that the executed environment is the expected one, that keys are released only after appropriate attestation, and that operational records provide sufficient auditability. The chain of trust should cover the application image, configuration, data origin, identity mechanisms and administrative permissions. When the discussion involves data residency or jurisdictional control, the topic should be aligned with broader [sovereign cloud](/en/blog/sovereign-cloud-na-europa-uma-resposta-aos-novos-requisitos-regulatorios) decisions, without confusing sovereignty with a single technology.

Limitations to assess before moving forward

Not every application benefits in the same way. Some workloads may require architectural changes, compatibility validation, performance model review or adaptation of observability processes. It is also important to assess the degree of dependence on provider-specific capabilities, tool maturity, incident management and the team’s ability to operate the model. In many cases, it makes sense to start with a well-scoped component, clearly classified data and defined success criteria.

Conclusion

Confidential computing is a relevant option for organisations that need to protect data during processing, especially in hybrid, collaborative or more scrutinised environments. However, it should be treated as an additional security layer, not as a replacement for architecture, governance and operations. The decision should be based on concrete risk, data sensitivity and the ability to integrate attestation, keys, identity and monitoring into a coherent operational model.