MODEL OF ISOLATED PROCESSING OF CONFIDENTIAL DATA IN A CLOUD ENVIRONMENT
DOI:
https://doi.org/10.28925/2663-4023.2026.33.1123Keywords:
cloud computing; Trusted Execution Environment; enclave; confidential computing; IoT; isolated data processing.Abstract
The article focuses on the development of a model for isolated processing of confidential data in cloud environments, with particular emphasis on Internet of Things use cases. The relevance of the study is driven by the growing volume of sensitive data transferred to cloud platforms under conditions of limited trust in cloud service providers. The proposed approach relies on Trusted Execution Environment technologies that provide hardware-based isolation for critical data processing tasks. The developed model introduces a clear separation of cloud infrastructure components, where an enclave container acts as the only trusted entity allowed to access plaintext data. All sensitive operations, including decryption, validation, computation, and result generation, are executed exclusively within the trusted environment. Untrusted cloud services operate only on encrypted or aggregated data, ensuring confidentiality even in the event of operating system or hypervisor compromise. A data flow model is proposed to describe secure routing between IoT devices, the enclave module, and external cloud services, taking into account data types and access levels. The data processing pipeline is formalized as a sequence of transformations performed within the trusted environment, followed by controlled output delivery. Access control policies and result transmission rules are defined in accordance with the principles of zero trust and minimal information disclosure. The practical applicability of the model is demonstrated through a prototype implementation based on Intel SGX technology, targeting the processing of medical data collected from IoT devices. A comparative analysis with traditional cloud processing architectures confirms the advantages of the proposed solution in terms of isolation strength and access control while preserving scalability. The results indicate that the proposed model is suitable for deployment in systems requiring high levels of confidentiality without full reliance on cloud provider trust.
Downloads
References
Rozlomii, I., Naumenko, S., Myhailovskyi, P., & Lishchuk, R. (2025, October). Methodology for selecting the protection strategy in IoT environments based on the device resource profile. In 2025 IEEE 6th KhPI Week on Advanced Technology (KhPIWeek) (pp. 1-5). IEEE.
Rozlomii, I., Yarmilko, A., Naumenko, S., & Mykhailovskyi, P. (2024, May). The role of encryption in information protection for cloud computing. In 2024 IEEE 4th International Conference on Smart Information Systems and Technologies (SIST) (pp. 70-75). IEEE.
Ménétrey, J., Göttel, C., Khurshid, A., Pasin, M., Felber, P., Schiavoni, V., & Raza, S. (2022, June). Attestation mechanisms for trusted execution environments demystified. In IFIP International Conference on Distributed Applications and Interoperable Systems (pp. 95-113). Springer.
Will, N. C., & Maziero, C. A. (2023). Intel software guard extensions applications: A survey. ACM Computing Surveys, 55(14s), 1-38.
Zhao, S., Li, M., Zhang, Y., & Lin, Z. (2022, May). vSGX: Virtualizing SGX enclaves on AMD SEV. In 2022 IEEE Symposium on Security and Privacy (SP) (pp. 321-336). IEEE.
Anasuri, S. (2023). Confidential computing using trusted execution environments. International Journal of AI, Big Data, Computational and Management Studies, 4(2), 97-110.
Xie, H., Zheng, J., He, T., Wei, S., & Hu, C. (2023). TEBDS: A trusted execution environment-and-blockchain-supported IoT data sharing system. Future Generation Computer Systems, 140, 321-330.
Park, J., Kang, S.,Lee, S.,Kim, T.,Park, J.,Kwon, Y.,Huh, J.(2024).Hardware-hardened sandbox enclaves for trusted serverless computing.ACM Transactions on Architecture and Code Optimization, 21 (1), 1-25.
Will, N. C., & Maziero, C. A. (2023, February). Efficient management models for SGX enclaves. In International Conference on Information Systems Security and Privacy (pp. 195-224). Springer.
Eboseremen, B. O., Ogedengbe, A. O., Obuse, E., Oladimeji, O., Ajayi, J. O., Akindemowo, A. O., & Erigha, E. D. (2022). Secure data integration in multi-tenant cloud environments: Architecture for financial services providers. Journal of Frontiers in Multidisciplinary Research, 3(1), 579-592.
Voievodin, Y. V., & Rozlomii, I. O. (2024, April). Advanced software framework for comparing balancing strategies in container orchestration systems. In Proceedings of the conference (pp. 60-69).
Hamidy, G. M., Yulianti, S., Philippaerts, P., & Joosen, W. (2023, November). TC4SE: A high-performance trusted channel mechanism for secure enclave-based trusted execution environments. In International Conference on Information Security (pp. 246-264). Springer.
Pradhan, G., & Priyadarsini, M. (2024). A trusted computing framework for cloud data security using role-based access and pattern recognition. Cluster Computing, 27(5), 6609-6622.
Vuppala, N. S. M., Hebbar, K. S., Gupta, D., Sharma, V., & Roy, V. (2025, December). Advanced security framework for threat mitigation in cloud computing environments. In 2025 IEEE 5th International Conference on ICT in Business Industry & Government (ICTBIG) (pp. 1-6). IEEE.
Modaber, M., Hendriks, M., Geilen, M., Basten, T., Voeten, J.(2024). A method for building trustworthy hybrid performance models for cyber-physical systems of systems. IEEE Access, 12, 92733-92752.
Kang, D. M., Faahym, H., Meftah, S., Keoh, S. L., & Khin, M. M. A. (2023, March). Practical deep neural network protection for unmodified applications in Intel software guard extension environments. In International Conference on Critical Infrastructure Protection (pp. 177-192). Springer.
Tara, A., & Khan, T. U. (2025, April). A comparative study of hardware-based and software-based secure virtualization technologies. In Computer Science On-line Conference (pp. 69-95). Springer.
Islam, M. S., Zamani, M., Kim, C. H., Khan, L., & Hamlen, K. W. (2023, April). Confidential execution of deep learning inference at the untrusted edge with ARM TrustZone. In Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy (pp. 153-164). ACM.
Rozlomii, I., Yarmilko, A., & Naumenko, S. (2023). Analysis of information security issues in balancing multiple independent containers on a single server. In Proceedings of the 3rd International Workshop on Information Technologies: Theoretical and Applied Problems (pp. 450-461).
Ayamga, D., Nanda, P., & Mohanty, M. (2024, December). The Bell-LaPadula (BLP) enterprise security architecture model vs inference attacks. In 2024 17th International Conference on Security of Information and Networks (SIN) (pp. 1-8). IEEE.
Haloua, F., Abbas, M., Djerbi, R., & Bouhamed, M. M. (2024, April). Formal modelling and implementation of Clark–Wilson security policy with FoCaLiZe. In 2024 6th International Conference on Pattern Analysis and Intelligent Systems (PAIS) (pp. 1-5). IEEE.
Yu, J. Z., Shinde, S., Carlson, T. E., & Saxena, P. (2022).Elasticlave:An efficient memory model for enclaves.In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22) (pp. 4111-4128).
Lee, D., Cheang, K., Thomas, A., Lu, C., Gaddamadugu, P., Vahldiek-Oberwagner, A., & Asanović, K. (2022, November). Cerberus: A formal approach to secure and efficient enclave memory sharing. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 1871-1885). ACM.
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 Сергій Науменко, Павло Михайловський, Інна Розломій
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
