Nvidia Exec: Secure AI Economies Could Help Everyone Profit – EnterpriseAI

author
5 minutes, 59 seconds Read

An Nvidia executive shared a bold vision of AI economies where individuals and companies can sell their AI assets, such as data, software, or models, without compromising their intellectual property.

There’s a critical underlying technology required: confidential AI, which will help parties build secure vaults to protect their AI assets.

The emerging concept of “confidential AI” involves creating a trusted computing environment in which AI data is securely stored, transferred, and processed without being leaked.

The AI assets of users, including foundation models, can be stored in secure containers that can only be accessed by authorized parties after many authentication techniques.

That’s similar to establishing small storefronts with individuals selling their AI assets, with trustworthy relationships between the buyers and sellers. The third-party can’t see the AI asset and can only see the output.

“If that happens, we just opened up an economy of people with data, AI software, foundation models, infrastructures, and specialization that allows new business models to happen,” said Ian Buck, vice president and general manager of hyperscale and HPC computing at Nvidia, during a panel discussion at the Open Confidential Computing Conference in March.

Panel at the Open Confidential Computing Conference in March (Source: OC3 24 Video)

What Will Be Needed?

“Confidential AI is simply confidential computing extended to AI scenarios, and it is typically associated with GPUs and accelerators,” said Mark Russinovich, chief technology officer for Microsoft Azure, during the panel

Here’s how confidential computing works: Chip makers Intel and AMD have created protected rooms in hardware where data is securely stored. Data is securely transferred to that vault, where it is authenticated and stored. A third party can access the data in the vault only if it can establish a trust layer following a long list of authentication measures. The end user sees only the output after data is processed inside the vault.

Current AI systems are complex. They require huge amounts of data, expertise, software, and infrastructure, and further adaptations for customers require even more work and could be expensive to deploy.

“If you insert confidential computing into that mix, every part of that process now can be democratized and separated, made available to any other party to offer a service or capability to another. The data can be protected, and the software that is run separately from the infrastructure can be protected,” Buck said.

Foundation models can be protected or specialized with techniques like LoRA (Low-Rank Adaptation – a highly efficient method of LLM fine tuning), in separate confidential computing enclaves.

“If that happens…[it opens up] access to all sorts of different kinds of AI, but that’s only possible if all these parties can trust each other and know that their IP, their information, and their life’s work is protected,” Buck said.

Buck’s vision is ambitious and has a laundry list of requirements. But Buck’s point is that AI needs to be secured, and confidential computing is one way to do it.

Companies view AI as an asset that needs protection, and confidential computing environments are important, Russinovich said.

For example, banks typically use data from banking, purchase, and other consumer patterns to train models, and confidential computing provides a way to securely feed those datasets without compromising consumers’ identities.

“A lot of computing is AI. During the panel discussion, ” if you can bring in data sets now together… we have the opportunity to show a multi-party computation with confidence with GPUs,” said Mark Papermaster, chief technology officer at AMD.

Confidential AI Adoption

Cloud computing mostly relies on the Linux OS, and confidential computing could expand with native support in the kernel. Intel and other chip makers will start upstreaming confidential computing tools into Linux distributions in the second half of this year.

Software implementations for secure AI and confidential computing will be in various Linux distributions, said Greg Lavender, Intel’s chief technology officer, during the discussion.

“We’re going to see it in Ubuntu, SuSE, Red Hat,” Lavender said.

Intel is working with VMware to adopt the technology into the hypervisor environments and use it in trusted containers in the Kubernetes environment.

“It’s good if this was proliferating up through the software stack in the software infrastructure that the DevOps people are running on-prem or in the cloud,” Lavender said.

Nvidia also has a confidential computing offering with H100 GPUs. In February, Canonical, which makes the Linux distro Ubuntu, previewed confidential AI on Microsoft Azure with Nvidia’s H100 GPUs.

What Will Confidential AI Look Like?

Confidential AI will ultimately be invisible to users. They will see the search prompt, and confidential AI will take it from there.

Microsoft’s Russinovich talked about a confidential AI in which the user uses only a web interface, with a confidential AI service running in a confidential virtual machine.

Users interact with a model hosted on a Hopper GPU and perform queries with an LLM. The AI model is unaware of the confidential VM keeping the data private, and a secure connection ensures the VM and GPU are trustworthy.

The AI model takes in the uploaded document and then provides answers without compromising sensitive data. Users could specify trusting only a specific version of GPU firmware, but the firmware may have a separate version. “Then they get a warning in the browser that the GPU is not trusted,” Russinovich said

The warnings typically would be invisible unless a user had to manually intervene.

“But again, a lot of these systems are just going to be autonomous systems just part of operating independent of human interface,” Russinovich said.

Government Will Drive Adoption

AI computing will be the killer app for confidential computing, but panelists cited an unlikely source that will drive confidential AI adoption: the government.

Many executive orders have come down from the White House regarding general cybersecurity, zero trust, and their rules impact suppliers, which includes all major tech providers.

Security requirements may force chip and software makers to make space for confidential computing in IT environments.

“I think the industry will be there. I’m not sure the systems integrators that the government relies on to bring the technology into their environments will be there,” Lavender said.

Bringing Everyone on the Same Page

Driving confidential AI adoption also depends on working out standards for handshakes and authentication across hardware and software.

“We are in the early innings here — we need to drive that proliferation outward from center compute complexes, and I think collaboration across the industry and standards are the key,” Papermaster said.

AMD and Nvidia have collaborated to ensure there’s the right CPU to GPU interlock. Intel is also working with companies on its technology called Project Amber, which provides attestation in cloud and hybrid computing environments.

All major chip providers and cloud companies are working on an initiative called Trusted I/O, which Papermaster said relates to “how to build confidential computing out to the networking.”

There is no documentation of the Trusted I/O initiative. It’s not clear if the project is part of the Confidential Computing Consortium, which is a standard-setting organization for confidential computing whose members include Intel, AMD, Microsoft, and Nvidia.

This post was originally published on this site

Similar Posts