Towards Confidential Computing: A Cloud Architecture for Big Data Analytics and AI in Biomedical Research

Launched at the end of 2018, the DigiMed Bayern project brings together over 100 researchers of different domains, clinicians and attorneys from both academia and industry across 14 institutions in Bavaria, Germany with the goal of building a highly secure, compliant and sustainable digitalized platform to support P4 (Predictive, Preventive, Personalised, Participatory) medicine. This healthcare system will enable accurate predictions for heart diseases, improve the preventive treatments, and advance diagnosis and therapies. There has been over 50 scientific papers published in top journals within the scope of the project. We herein focuses on the pilot cloud system for health research, which is the cornerstone of the project hosted at the Leibniz Supercomputing Centre (LRZ) in Munich. We describe the high-performance cloud architecture powered by confidential computing and remote attestation. We present how it enables the comprehensive data analysis on critical big datasets while remaining secure and legally compliant. The architecture provides workflow encapsulation, and offers end-to-end application and data encryption. The LRZ middleware client is provided to users to encapsulate workflows inside encrypted containers before transmitting to the Cloud. Data in use is safeguard using the AMD-SEV technology; while data at rest is encrypted with symmetric AES-XTS by Quobyte. In the future, the resulting findings and structures of the pilot system can be transferred to applications of other diseases; and help to create an exemplary and transferable integrated digital infrastructure for German healthcare system.