Secure data-in-use with confidential computing

Open Sovereign Cloud from T-Systems protects workloads with robust data security

October 22, 2025
Sebastian Sutter

Cloud’s hidden vulnerability

Cloud security traditionally focuses on protecting data at rest and in transit. However, a critical gap remains: safeguarding data while it is being processed. This article explains how confidential computing, combined with the Open Sovereign Cloud from T-Systems, addresses this vulnerability to deliver enhanced data protection, regulatory compliance, and complete control over your workloads.

Securing the cloud’s blind spot

Cloud adoption has matured to the point where security at rest and in transit is a given. Enterprises encrypt their databases, secure their networks, and rely on hardened infrastructure. Yet a gap remains: the moment data is processed in memory, it becomes vulnerable. For regulated industries such as healthcare, finance, and public administration, that moment is precisely when data is most sensitive.

This is where confidential computing comes in. By securing data “in use”, it closes the last critical gap in cloud protection. Combined with the Open Sovereign Cloud (OSC) by T-Systems, it delivers the highest level of digital sovereignty: data, operations, and technology governed entirely by European standards.

What is confidential computing?

Confidential computing is a hardware-based security technology that protects data while it is actively being processed in memory. Its backbone is the trusted execution environment (TEE), a secure enclave within a processor that encrypts and isolates code and data. This isolation is enforced by the hardware itself, making it significantly more secure than relying solely on software-based protections.

Unlike encryption at rest (which protects stored data) or encryption in transit (which secures traffic between systems), confidential computing safeguards the very act of computation. Data remains encrypted in memory and inaccessible, even to cloud operators or system administrators with elevated privileges on the host.

Think of confidential computing as creating a secure, isolated room within your processor where sensitive data can be processed without being exposed to other software, the operating system, or even the cloud provider's infrastructure.

Why confidential computing matters in sovereign cloud environments

In today's regulatory landscape, particularly within Europe, organizations face increasing pressure to protect sensitive data throughout its entire lifecycle. 

The OSC was built on a principle: sovereignty in data, operations, and technology. Enterprises in Europe cannot simply outsource their most sensitive workloads to global hyperscalers without considering European Union (EU) regulations such as the General Data Protection Regulation (GDPR) and the Network and Information Security 2 Directive (NIS2), or sector-specific mandates from bodies such as the German Federal Financial Supervisory Authority (BaFin) or the Society for Telematics Applications of the Health Card (Gematik).

The challenge is trust. 

Customers need absolute assurance that their cloud provider, or anyone with infrastructure-level access, cannot peek into sensitive datasets. Confidential computing bridges that trust gap.

By placing data in TEEs, enterprises retain full control. Sovereignty is no longer just about where the data is stored, but also about who can process it and under what conditions. In this model, even the sovereign cloud operator cannot access customer workloads.

Benefits of confidential computing

  1. Provider exclusion
    Guarantees that not even the cloud provider has access to your data during processing, significantly reducing the risk of data breaches and unauthorized access.
  2. End-to-end protection
    With confidential computing, enterprises achieve full-spectrum security: encryption at rest, encryption in transit, and now encryption in use.
  3. Stronger trust foundation
    Highly regulated industries such as finance, healthcare, and government gain the assurance needed to shift mission-critical services into sovereign clouds.
  4. Innovation without compromise
    Confidential computing enables the use of cloud-based artificial intelligence and machine learning (AI/ML) and allows enterprises to enjoy the scalability of cloud while respecting the strictest compliance and sovereignty requirements.

Clarifying responsibilities: Not a silver bullet

Confidential computing is powerful, but it does not absolve enterprises of their broader security obligations. A sovereign cloud strategy must still include:

  • Encryption key management: Ensuring that encryption keys remain in customer control
  • Identity and access management: Defining who can access what and under which circumstances
  • Data lifecycle governance: Applying minimization, retention, and deletion policies
  • Privacy compliance: Aligning with GDPR, Gematik, and other local standards

Confidential computing enhances these measures, but does not replace them. Think of it as an extra layer that secures the most vulnerable point in the data lifecycle.
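Operator exclusion and customer-held keys only fit together if the key owner verifies the enclave before handing it a secret. The following added example (not code from the OSC or the BARMER project) shows such a key-release gate in SGX terms: the caller's policy names the allowed enclave build (MRENCLAVE), the expected signer (MRSIGNER), a minimum security version (ISVSVN), and rejects enclaves with the DEBUG attribute set, whose memory is inspectable. The JSON evidence layout, the measurement values, and the HMAC standing in for the real hardware-signed quote are all constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the attestation verifier's signing key. In a real
# deployment the quote is signed by the CPU's attestation key and chained to
# the vendor root; this HMAC only models "the verifier vouched for these fields".
VERIFIER_KEY = b"constructed-verifier-key"

# Release policy expressed in SGX terms. All values below are constructed.
POLICY = {
    "allowed_mrenclave": {"a1" * 32},   # hash of the approved enclave build
    "mrsigner": "b2" * 32,              # hash of the approved signing key
    "min_isvsvn": 3,                    # reject builds below this patch level
}

def canonical(evidence: dict) -> bytes:
    """Deterministic encoding of the evidence fields that are signed."""
    body = {k: v for k, v in evidence.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_evidence(evidence: dict) -> dict:
    """Builds sample evidence for the demo; the real quote comes from the CPU."""
    signed = dict(evidence)
    signed["sig"] = hmac.new(VERIFIER_KEY, canonical(evidence), hashlib.sha256).hexdigest()
    return signed

def release_key(evidence: dict, expected_nonce: str, data_key: bytes) -> Optional[bytes]:
    """Return the data key only if the enclave proves it satisfies POLICY."""
    # 1. Integrity: every field must be vouched for by the verifier.
    expected = hmac.new(VERIFIER_KEY, canonical(evidence), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, evidence.get("sig", "")):
        return None
    # 2. Freshness: the evidence must answer our challenge, not a replayed one.
    if evidence.get("nonce") != expected_nonce:
        return None
    # 3. Identity and posture: right build, right signer, patched, not debuggable.
    if evidence.get("mrenclave") not in POLICY["allowed_mrenclave"]:
        return None
    if evidence.get("mrsigner") != POLICY["mrsigner"]:
        return None
    if evidence.get("isvsvn", 0) < POLICY["min_isvsvn"]:
        return None
    if evidence.get("debug", True):
        return None
    return data_key
```

The same gate belongs in front of any secret released to a TEE, whether a database key, a model, or a patient record, so that a host administrator who can start arbitrary enclaves still cannot obtain the data.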

Practical use cases

  1. Healthcare data processing
    The healthcare sector is under immense regulatory pressure. Confidential computing allows hospitals, insurers, and service providers to process sensitive medical records securely, ensuring operators cannot access data during AI-driven analytics or digital identity verification.
    A prime example is BARMER, one of Germany’s largest health insurers. Together with T-Systems and Verimi, BARMER deployed a digital identity solution where confidential computing, powered by Intel® SGX enclaves, guarantees that even system administrators cannot access patient data. This meets Gematik’s stringent TEE specifications and German Social Code requirements. Policyholders now access records, prescriptions, and emergency data securely via mobile, without usernames or passwords, delivering both compliance and user convenience.
  2. Secure multi-party data sharing
    In finance and research, multiple organizations often need to collaborate on sensitive datasets. Confidential computing enables data clean rooms where raw data remains shielded, allowing only encrypted insights to be shared.
  3. Government workloads
    Public administration requires operator exclusion: ensuring that cloud operators cannot view sensitive or classified data such as citizen records, financial data, and classified information. Confidential computing provides this guarantee, supporting sovereignty-by-design strategies.
  4. Identity services
    Digital identity providers increasingly rely on sovereign cloud infrastructure with confidential computing to safeguard authentication workflows. The BARMER project shows how identity verification can scale securely across millions of users under the highest standards.

Looking ahead

Confidential computing is not a standalone feature; it is becoming part of the broader sovereign cloud strategy. Standards and certifications from organizations such as the Confidential Computing Consortium, the BSI, and ISO will help enterprises trust, audit, and port workloads across environments.

In the future, confidential computing will converge with AI/ML workloads, data spaces, and cross-border federated services, providing verifiable assurance that sovereignty and innovation can coexist.

Conclusion

Confidential computing closes the last critical gap in cloud protection, securing data in use. Within the OSC, it ensures provider exclusion, regulatory compliance, and digital independence for Europe’s most sensitive workloads. But it is not a silver bullet. Applications must still manage identities, keys, and data lifecycles responsibly. End-to-end security comes only from combining sovereign cloud infrastructure, confidential computing, and robust enterprise security practices.

At T-Systems, sovereignty is in our DNA. With managed services, geo-redundant German data centers, and confidential computing capabilities, we help customers in healthcare, finance, and the public sector innovate securely. As BARMER’s case demonstrates, the OSC is not a theoretical concept; it is already protecting millions of citizens today.

The message is clear: confidential computing transforms sovereignty from a legal promise into a technical guarantee. It gives enterprises control over their data, wherever and however it is processed.

About the author
Sebastian Sutter, Senior Product Manager, T-Systems International GmbH
