The confidential computing market is growing quickly, with organizations across healthcare, finance, government, and blockchain handling increasingly sensitive data. Confidential computing protects data in use: the workload runs inside a hardware-based, attested trusted execution environment (TEE) whose memory is encrypted and isolated from the host operating system, the hypervisor, and cloud operators, and secrets are released to it only after remote attestation has verified what code is running. This closes the last gap in data security, protecting information not just when it is stored or transmitted but while it is actively being processed. For organizations requiring maximum security, compliance, and operational control, private cloud infrastructure powered by OpenStack offers a solution that public cloud cannot match.
Why Private Cloud for Confidential Workloads?
Public cloud environments, while convenient and scalable, have inherent limitations for confidential workloads. On shared infrastructure, organizations are exposed to the provider's privileged administrators, to co-tenants on the same physical hosts (and the side channels that come with them), and to limited control over where data is located and who can access it.
Data sovereignty has become a critical compliance requirement. The GDPR, for example, applies to the processing of EU residents' personal data regardless of where the processor sits (Article 3), so moving data to another jurisdiction does not escape its obligations. Organizations must navigate complex, sometimes conflicting, national rules on data transfer and storage.
Private cloud infrastructure addresses these challenges by providing:
- Complete infrastructure control – Physical servers dedicated exclusively to your organization
- Data sovereignty assurance – Keep sensitive data within specified geographic boundaries
- Compliance certainty – Meet strict regulatory requirements for healthcare, finance, and government
- Custom security policies – Implement organization-specific security controls and access policies
OpenStack: The Foundation for Secure Private Cloud
OpenStack is an open-source cloud computing infrastructure platform that provides common services for cloud infrastructure, controlling large pools of compute, storage, and networking resources through APIs or a dashboard. Unlike proprietary solutions, OpenStack provides complete transparency and control over your cloud environment.
For confidential workloads, OpenStack offers several key advantages:
Identity and Access Management with Keystone
OpenStack’s Keystone service manages authentication and authorization across the cloud environment, allowing businesses to implement strict access controls and enforce policies for users, services, and APIs. Keystone supports multi-factor authentication (per-user multi_factor_auth_rules, for example password plus TOTP) and role-based access control (RBAC) through oslo.policy rules, so permissions can be scoped to a project, a domain, or the whole system.
Network Security and Isolation with Neutron
Neutron, OpenStack’s networking component, creates isolated networks through segmentation with VLANs or VXLAN overlays, stateful per-port filtering with security groups (ingress is denied by default), Firewall-as-a-Service (FWaaS) where that plugin is deployed, and integration with software-defined networking (SDN) controllers.
Data Protection and Encryption
OpenStack protects data at rest and in transit: Cinder (block storage) encrypts volumes with LUKS, Swift (object storage) has at-rest encryption middleware, and API and data-plane endpoints can be fronted by TLS. One caveat matters for confidential workloads: Cinder volume encryption is performed on the compute host (the front-end control location), so the volume key is held by the hypervisor. It defends against exposure of the storage backend or physical disks, not against a compromised host; guarding against the host is the job of a trust domain, with a second layer of encryption inside the guest.
Multi-tenancy for Organizational Isolation
For businesses hosting multiple teams or clients, OpenStack’s multi-tenancy model (projects and domains) isolates API resources, quotas, and networks per tenant, preventing one tenant from seeing or reaching another’s resources. Tenant isolation at the API layer does not by itself protect a VM’s memory from the host; that is what the hardware features below add.
OpenMetal: Purpose-Built for Confidential Computing
OpenMetal delivers private cloud infrastructure specifically designed to support confidential workloads through a combination of hardware, software, and network capabilities that ensure maximum security and control.
Hardware-Level Security with Intel TDX and SGX
All OpenMetal V4 generation servers support Intel Trust Domain Extensions (TDX) and Intel Software Guard Extensions (SGX). TDX isolates entire virtual machines (trust domains) from the hypervisor with encrypted, integrity-protected memory; SGX isolates individual application enclaves from the operating system. Both provide hardware-enforced isolation, measurement of the loaded code (for TDX, MRTD at launch and the runtime RTMR registers), and remote attestation, so a relying party can verify what is running before releasing secrets to it. They are designed for sensitive applications such as healthcare data processing, financial systems, blockchain validators, and AI or machine learning jobs that require isolation and verifiable integrity.
Hardware options range from Medium V4 servers, with 24 CPU cores and 256 GB RAM total, to XXL V4 servers with 128 CPU threads total and up to 2 TB RAM. All servers include dual 10 Gbps NICs and NVMe storage.
Infrastructure-Level Network Isolation
OpenMetal provides private cloud infrastructure built on OpenStack and Ceph with full hardware and network control. Each deployment includes infrastructure-level private networking with dedicated VLANs, dual 10 Gbps private links per server, and unmetered traffic between servers.
Within OpenStack Projects, you can create Virtual Private Clouds (VPCs) that include custom IP ranges, VXLAN overlays, firewall rules, and VPN-as-a-Service. These features allow confidential workloads to operate in logically isolated environments with defined security boundaries.
Rapid, Automated Deployment
Cloud deployment uses OpenMetal automation to create a production-ready OpenStack cluster in about 45 seconds. Additional servers can be added to the cluster in around 20 minutes. OpenStack services available in these clusters include Nova for compute management, Neutron for networking, Cinder for block storage, and Keystone for identity and access management.
Predictable, Fixed-Cost Infrastructure
Pricing is based on fixed monthly costs per server configuration rather than usage-based metering. For egress, traffic above included allowances is billed at $375 per Gbps using 95th percentile measurement. This allows traffic bursts without immediate overage charges while keeping costs predictable.
Enterprise-Grade Network Connectivity
Public networking includes dual 10 Gbps uplinks per server, DDoS protection up to 10 Gbps per IP, and support for customer-owned IP space. This gives you control over routing and addressing for workloads that must meet compliance or sovereignty requirements.
Implementing Confidential Workloads on OpenMetal
Getting started with confidential workloads on OpenMetal involves several key steps:
1. Choose Appropriate Hardware Configuration
Select from Medium V4, Large V4, XL V4, or XXL V4 configurations based on your workload requirements. All configurations feature 5th Gen Intel CPUs with TDX and SGX support. For GPU-accelerated workloads, XXL V4 servers can be configured with H100 GPUs.
2. Design Network Architecture
Configure your network topology with OpenStack Neutron to create separate networks for each workload class. Use VLAN or VXLAN segmentation and security group rules (plus FWaaS or router-level rules where deployed) so that confidential and non-confidential workloads can only reach each other over explicitly allowed paths.
3. Configure Identity and Access Management
Set up Keystone with appropriate user roles, policies, and multi-factor authentication. Implement role-based access control so users can only reach resources appropriate to their responsibilities, and restrict the sensitive operations (creating or altering encrypted volume types, reading Barbican secrets, assigning roles) to a small, audited set of accounts.
4. Enable Encryption and Key Management
Create an encrypted volume type in Cinder (the luks provider with aes-xts-plain64 and a 256-bit key) and integrate with Barbican for key management so that keys are not stored alongside the data. Ensure data at rest and in transit is encrypted with industry-standard algorithms. Keep in mind that Cinder decrypts volumes on the compute host, so data on an encrypted volume is in the clear in hypervisor memory; for the confidential tier, additionally encrypt the guest’s filesystem inside the trust domain and release that key only after attestation.
5. Deploy Workloads with Hardware Security
Launch virtual machines as TDX trust domains so the guest’s memory is encrypted and isolated from the hypervisor, and make attestation part of the workload’s startup. For GPU workloads, configure PCIe passthrough to give the guest dedicated GPU access. Note that a passed-through device is not inside the trust domain’s memory boundary: the guest must explicitly share buffers with it, and the accelerator itself becomes part of the attested base only with a GPU that offers a confidential-computing mode and its own attestation (as the H100 does).
6. Implement Monitoring and Compliance
Deploy monitoring to track access patterns, system performance, and compliance status. Configure logging and auditing (Keystone authentication and role-assignment notifications, Nova and Cinder API audit logs, Barbican secret access) to meet regulatory requirements for your industry, and keep the attestation service’s verdicts in the same audit trail.
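Steps 4 and 5 together decide whether data is actually confidential on the host: the Cinder volume key lives on the hypervisor, so the guest needs its own key, and that key should be handed over only to an attested trust domain. The Python below models that exchange between a guest agent and a key broker. It is an added example, not OpenMetal or OpenStack code: the measurement digests, key identifiers and the KeyBroker API are constructed for illustration, and the quote signature is simulated with an HMAC (a real broker verifies the ECDSA quote and PCK certificate chain with Intel DCAP). What it does show is the relying-party logic any such broker needs: single-use nonces, report_data bound to the challenge and the request, an allow-list per measurement register, and no key release until every check passes.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional


class AttestationError(Exception):
    """Raised when a TD quote fails any verification step."""


# Constructed measurement policy (placeholder digests, not real values).
# Register names follow TDX: MRTD covers the TD's initial memory/firmware,
# RTMR0-3 are runtime registers extended by the virtual firmware (kernel,
# command line, initrd). Registers absent from the policy are unconstrained.
APPROVED_MEASUREMENTS = {
    "mrtd": {hashlib.sha384(b"approved-td-firmware").hexdigest()},
    "rtmr1": {hashlib.sha384(b"approved-kernel-and-cmdline").hexdigest()},
}
GOOD_MEASUREMENTS = {
    "mrtd": hashlib.sha384(b"approved-td-firmware").hexdigest(),
    "rtmr0": hashlib.sha384(b"firmware-config").hexdigest(),
    "rtmr1": hashlib.sha384(b"approved-kernel-and-cmdline").hexdigest(),
}
# ASSUMPTION: an HMAC key stands in for Intel's quote-signing chain. A real
# broker verifies the ECDSA quote signature and PCK chain with Intel DCAP.
SIMULATED_QUOTE_SIGNING_KEY = b"stand-in-for-intel-dcap-chain"


@dataclass
class TdQuote:
    measurements: dict      # register name -> hex digest
    report_data: bytes      # 64 bytes chosen by the TD, bound into the quote
    signature: bytes = b""

    def signed_body(self) -> bytes:
        return json.dumps({"measurements": self.measurements,
                           "report_data": self.report_data.hex()},
                          sort_keys=True).encode()


def expected_report_data(nonce: bytes, key_id: str) -> bytes:
    """report_data = SHA-512(nonce || key_id): freshness plus request binding."""
    return hashlib.sha512(nonce + key_id.encode()).digest()


# --- guest agent inside the trust domain ------------------------------------
def td_build_quote(measurements: dict, nonce: bytes, key_id: str) -> TdQuote:
    """Models the TD report + quoting step; the signature is simulated."""
    quote = TdQuote(measurements, expected_report_data(nonce, key_id))
    quote.signature = hmac.new(SIMULATED_QUOTE_SIGNING_KEY, quote.signed_body(),
                               hashlib.sha256).digest()
    return quote


# --- relying party: key broker holding the guest-side LUKS key --------------
class KeyBroker:
    NONCE_TTL_SECONDS = 60

    def __init__(self, keys: dict, policy: dict):
        self._keys = keys
        self._policy = policy
        self._outstanding = {}  # nonce -> expiry on the monotonic clock

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding[nonce] = time.monotonic() + self.NONCE_TTL_SECONDS
        return nonce

    def release(self, quote: TdQuote, nonce: bytes, key_id: str) -> bytes:
        # 1. Nonce must be one we issued and unexpired; it is consumed here,
        #    so a captured quote cannot be replayed.
        expiry = self._outstanding.pop(nonce, None)
        if expiry is None or time.monotonic() > expiry:
            raise AttestationError("unknown, reused or expired nonce")
        # 2. Verify the (simulated) signature before trusting any field.
        expected_sig = hmac.new(SIMULATED_QUOTE_SIGNING_KEY, quote.signed_body(),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, quote.signature):
            raise AttestationError("quote signature invalid")
        # 3. report_data must bind this nonce and this key request.
        if not hmac.compare_digest(quote.report_data,
                                   expected_report_data(nonce, key_id)):
            raise AttestationError("report_data does not match the challenge")
        # 4. Every constrained register must hold an approved measurement.
        for register, allowed in self._policy.items():
            if quote.measurements.get(register) not in allowed:
                raise AttestationError(f"{register} is not an approved measurement")
        # 5. Only now hand over the key (assumed: over TLS terminated in the TD).
        return self._keys[key_id]


def try_release(broker: KeyBroker, measurements: dict, key_id: str,
                tamper: bool = False) -> Optional[bytes]:
    """One full challenge/quote/release round; None if the broker refuses."""
    nonce = broker.challenge()
    quote = td_build_quote(measurements, nonce, key_id)
    if tamper:  # edit after signing, as a forged quote would be
        quote.measurements = dict(quote.measurements, mrtd="00" * 48)
    try:
        return broker.release(quote, nonce, key_id)
    except AttestationError:
        return None


if __name__ == "__main__":
    broker = KeyBroker({"luks-root": secrets.token_bytes(32)}, APPROVED_MEASUREMENTS)
    print("approved TD gets key:", try_release(broker, GOOD_MEASUREMENTS, "luks-root") is not None)
    print("unapproved kernel:", try_release(broker, dict(GOOD_MEASUREMENTS, rtmr1="ff" * 48), "luks-root"))
```

The order of the checks is deliberate: the nonce is consumed before anything else so that a failed attempt cannot be retried with the same challenge, and the signature is verified before any measurement is compared, because an unsigned field is attacker-controlled. In production the guest agent uses the released key to open its LUKS volume inside the trust domain, and the broker logs every verdict (step 6).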
Real-World Use Cases
Healthcare and HIPAA Compliance
Healthcare organizations can process protected health information (PHI) while maintaining HIPAA compliance. The combination of hardware-level security, network isolation, and comprehensive access controls ensures PHI remains protected during processing, analysis, and storage.
Financial Services and Data Sovereignty
Financial institutions can run fraud-detection models or trading algorithms inside trust domains, so that both the model and the data it scores stay encrypted in memory, while meeting data sovereignty requirements. Fixed-cost infrastructure makes budgeting predictable for compliance-focused organizations.
AI and Machine Learning Training
Organizations can protect training data and proprietary models using hardware-enforced trust domains. GPUs can be attached to TDX-enabled VMs through PCIe passthrough for acceleration; to keep data confidential once it leaves the trust domain, the GPU should run in its confidential-computing mode, with encrypted transfers between VM and device, and be attested alongside the VM.
Blockchain and Web3 Applications
Web3 and crypto organizations can safeguard wallet data and blockchain metadata from exposure while maintaining the performance needed for blockchain validation and smart contract execution.
The Future of Confidential Computing
The confidential computing landscape continues to evolve rapidly. According to industry research, the global confidential computing market is projected to reach over $1.2 trillion by 2034, with a compound annual growth rate exceeding 60% [1]. This growth reflects the increasing importance of protecting data in use across all industries.
Regulatory frameworks are also evolving to address data-in-use protection. NIST Cybersecurity Framework 2.0 lists protection of data in use as an explicit outcome (PR.DS-10), and in Europe the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) requires financial entities to maintain the confidentiality and integrity of data whether at rest, in use or in transit.
For organizations serious about data security and compliance, the question is not whether to adopt confidential computing, but how to implement it effectively. Private cloud infrastructure powered by OpenStack provides the foundation for secure, compliant, and cost-effective confidential computing deployments.
Security Best Practices for OpenStack Private Clouds
When implementing confidential workloads on OpenStack, following established security practices is crucial for maintaining a secure environment. This includes strong authentication, comprehensive monitoring, network segmentation, and timely security updates, including the platform microcode and TDX module updates that the attestation chain reports on: a trust domain running on an out-of-date TCB produces quotes that a strict verifier should reject.
System hardening is a further layer of defence, with each OpenStack service needing specific configuration. Nova compute benefits from hypervisor isolation and SELinux enforcement; Keystone relies on short-lived Fernet tokens and should enforce multi-factor authentication to blunt credential theft.
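As an added example of the monitoring this section and step 6 call for (not part of the original page or of OpenMetal’s tooling), the Python below runs two detections over constructed, simplified Keystone audit notifications: a burst of identity.authenticate failures for one user from one address, optionally followed by a success (the credential-stuffing pattern that MFA is meant to defeat), and any identity.role_assignment.created event that grants a privileged role. The field names are a trimmed subset of Keystone’s CADF notification payload and the event lines themselves are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified Keystone audit notifications (CADF fields trimmed).
SAMPLE_EVENTS = [
    '{"event_type":"identity.authenticate","timestamp":"2025-01-15T10:00:00Z","outcome":"success","initiator":{"user":"alice","address":"198.51.100.4"}}',
    '{"event_type":"identity.authenticate","timestamp":"2025-01-15T10:00:05Z","outcome":"failure","initiator":{"user":"svc-etl","address":"203.0.113.7"}}',
    '{"event_type":"identity.authenticate","timestamp":"2025-01-15T10:00:10Z","outcome":"failure","initiator":{"user":"svc-etl","address":"203.0.113.7"}}',
    '{"event_type":"identity.authenticate","timestamp":"2025-01-15T10:00:15Z","outcome":"failure","initiator":{"user":"svc-etl","address":"203.0.113.7"}}',
    '{"event_type":"identity.authenticate","timestamp":"2025-01-15T10:00:20Z","outcome":"failure","initiator":{"user":"svc-etl","address":"203.0.113.7"}}',
    '{"event_type":"identity.authenticate","timestamp":"2025-01-15T10:00:25Z","outcome":"failure","initiator":{"user":"svc-etl","address":"203.0.113.7"}}',
    '{"event_type":"identity.authenticate","timestamp":"2025-01-15T10:00:30Z","outcome":"success","initiator":{"user":"svc-etl","address":"203.0.113.7"}}',
    '{"event_type":"identity.role_assignment.created","timestamp":"2025-01-15T10:05:00Z","outcome":"success","initiator":{"user":"alice","address":"198.51.100.4"},"role":"admin","target_user":"bob","project":"confidential-prod"}',
    '{"event_type":"identity.role_assignment.created","timestamp":"2025-01-15T10:06:00Z","outcome":"success","initiator":{"user":"alice","address":"198.51.100.4"},"role":"member","target_user":"carol","project":"confidential-prod"}',
]


def parse_event(line: str) -> dict:
    """Parse one JSON notification; 'Z' suffix handled for older Pythons."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    return event


def detect(lines, fail_threshold=5, window=timedelta(minutes=2),
           privileged_roles=frozenset({"admin"})):
    """Return a list of (rule, subject, context) alerts, in event order."""
    alerts = []
    failures = defaultdict(deque)  # (user, address) -> recent failure times
    for event in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        kind = event["event_type"]
        if kind == "identity.authenticate":
            key = (event["initiator"]["user"], event["initiator"]["address"])
            recent = failures[key]
            while recent and event["ts"] - recent[0] > window:  # slide window
                recent.popleft()
            if event["outcome"] == "failure":
                recent.append(event["ts"])
                if len(recent) == fail_threshold:  # fire once per burst
                    alerts.append(("auth_failure_burst", key[0], key[1]))
            elif event["outcome"] == "success" and len(recent) >= fail_threshold:
                # A success right after a burst is the interesting case:
                # the guessed credential worked, so MFA or lockout is missing.
                alerts.append(("success_after_failure_burst", key[0], key[1]))
                recent.clear()
        elif kind == "identity.role_assignment.created" and \
                event.get("role") in privileged_roles:
            alerts.append(("privileged_role_granted", event["target_user"],
                           event["initiator"]["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same loop works on a live feed by consuming Keystone notifications from the oslo.messaging queue instead of the embedded list; the per-(user, address) deque keeps memory bounded to the window, and the `== fail_threshold` comparison avoids re-alerting on every additional failure in the same burst.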
Getting Started with OpenMetal
OpenMetal provides the infrastructure, expertise, and support needed to implement confidential workloads successfully. With hardware-level security features, comprehensive OpenStack services, and predictable pricing, you can build a private cloud environment that meets your most demanding security and compliance requirements.
Whether you’re processing healthcare data, running financial algorithms, training AI models, or validating blockchain transactions, OpenMetal’s private cloud infrastructure gives you the control and security that confidential workloads demand.
Ready to explore how confidential workloads can transform your organization’s approach to sensitive data processing? Contact our team to discuss your specific requirements and learn how OpenMetal can support your confidential computing initiatives.
[1] Precedence Research, “Confidential Computing Market Size to Attain USD 1281.26 Bn By 2034.”