Inferensys

Glossary

Data-in-Use Protection

Data-in-use protection is the practice of securing data while it is actively being processed by the CPU, as opposed to data-at-rest on a disk or data-in-transit across a network, typically achieved through confidential computing.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CONFIDENTIAL COMPUTING

What is Data-in-Use Protection?

Data-in-use protection secures information while it is actively being processed by the CPU, addressing the critical vulnerability window that exists between storage and transmission.

Data-in-use protection is the practice of securing data while it is actively being processed by the central processing unit (CPU), as opposed to data-at-rest on a disk or data-in-transit across a network. This is typically achieved through confidential computing, which uses hardware-enforced Trusted Execution Environments (TEEs) to isolate data and application code within a protected memory region, making it inaccessible to the host operating system, hypervisor, and cloud provider.

The primary mechanism involves creating a hardware-encrypted enclave where decrypted data exists solely within the CPU cache. This prevents exposure to privileged system users, malicious insiders, or compromised infrastructure components. Remote attestation cryptographically verifies the enclave's integrity before secrets are provisioned, establishing a hardware root of trust that ensures data remains encrypted everywhere except for the brief moment of computation inside the secure boundary.

THE THREE STATES OF DATA

Core Properties of Data-in-Use Protection

Data-in-use protection addresses the most vulnerable state in the data lifecycle: the moment when information is decrypted in memory for active computation. These core properties define the security guarantees provided by confidential computing architectures.

01

Hardware-Grade Isolation

The foundational property that creates a hardware-enforced boundary between protected workloads and the host environment. Unlike software-based isolation, this boundary is enforced at the silicon level.

  • Enclave architecture: Code and data reside in a private memory region inaccessible to the OS, hypervisor, or DMA attacks
  • Protection scope: Guards against privileged users, malicious insiders, and compromised infrastructure
  • Implementation: Achieved through technologies like Intel SGX, AMD SEV, and AWS Nitro Enclaves

This isolation ensures that even a fully compromised operating system cannot read the plaintext data being processed.

Hardware Root
Trust Foundation
02

Cryptographic Attestation

A mechanism that enables verifiable trust between the protected environment and remote parties before any secrets are released. Attestation proves the identity and integrity of the execution environment.

  • Measurement: The TEE generates a cryptographic hash of its initial state, including code and configuration
  • Verification: A signed attestation report is validated against the manufacturer's certificate chain
  • Freshness: Nonces prevent replay attacks and ensure the attestation is current

This property transforms an untrusted cloud host into a verifiably trustworthy compute node, enabling secure multi-party computation scenarios.

03

Memory Encryption Engine

Transparent, hardware-level encryption that protects data as it moves between the processor cache and main memory. This defense operates at line speed with negligible performance impact.

  • Encryption boundary: Data is encrypted before leaving the CPU package and decrypted only inside the processor die
  • Key management: Encryption keys are generated by the hardware root of trust and never exposed to software
  • Protection target: Defeats cold boot attacks, DRAM probing, and physical memory interception

Memory encryption closes the gap left by disk and network encryption, ensuring data remains protected during the critical moment of active processing.

04

Sealing and Data Binding

A TEE-specific cryptographic operation that binds encrypted data to a specific enclave identity, ensuring it can only be decrypted by the exact same enclave on the exact same hardware.

  • Identity binding: Sealed data is tied to the enclave's measurement and the platform's unique key hierarchy
  • Policy enforcement: Decryption policies can include version constraints and debug state restrictions
  • Use case: Protects model weights and inference results when stored outside the TEE for later processing

Sealing provides stateful confidentiality, allowing sensitive workloads to persist data securely across restarts without exposing secrets to the host environment.

05

Minimal Trusted Computing Base

The principle of reducing the attack surface to the smallest possible set of components that must be trusted. A smaller TCB means fewer potential vulnerabilities and easier formal verification.

  • Excluded components: The host OS, hypervisor, device drivers, and management tools are removed from the trust boundary
  • Included components: Only the application code, the TEE firmware, and the processor hardware remain trusted
  • Verification: A minimal TCB enables rigorous security audits and mathematical proofs of correctness

This property is the architectural foundation of confidential computing, ensuring that security guarantees do not depend on the integrity of a sprawling software stack.

DATA-IN-USE PROTECTION

Frequently Asked Questions

Clear, technically precise answers to the most common questions about securing data while it is actively being processed by the CPU.

Data-in-use protection is the practice of securing data while it is actively being processed by the CPU, as opposed to data-at-rest on a disk or data-in-transit across a network. It works by performing computation inside a hardware-enforced Trusted Execution Environment (TEE), which isolates the data and the code operating on it from the host operating system, hypervisor, and other privileged processes. This is achieved through hardware features like Intel SGX, AMD SEV, or AWS Nitro Enclaves that create an encrypted region of memory, or enclave, where data is decrypted only for processing and remains invisible to any external entity, including a compromised cloud provider.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.