Published April 6, 2026 | Version V1.1.2
Preprint | Open

Trusted Cloud Enclaves and Security Governance for High-Assurance Cloud Computing

Description

Cloud computing infrastructures have become the dominant platform for modern digital systems. Governments, industries and technology companies increasingly rely on cloud environments to host critical workloads, including financial systems, industrial platforms and artificial intelligence infrastructures.

However, the migration of sensitive workloads to the cloud raises a fundamental challenge: how to trust the infrastructure executing these workloads.

Traditional security approaches address only part of this problem. Cryptographic mechanisms protect sensitive data, while Trusted Execution Environments aim to isolate computations. Organizational frameworks and sovereign cloud initiatives improve operational governance of cloud infrastructures.

Despite these advances, the core architectural challenge remains unresolved: establishing strong trust guarantees for workloads executed on complex infrastructures that cannot be entirely verified.

In previous work, we introduced the concept of Trusted Security Governance Platforms (TSGP): programmable trust anchors capable of governing security-critical operations across complex digital ecosystems.

This paper introduces ProvenCloud, an architecture applying these principles to cloud infrastructures through the concept of Trusted Cloud Enclaves (TCE).

Trusted Cloud Enclaves establish controlled execution perimeters around compute environments such as virtual machines, container clusters or bare-metal nodes. These enclaves act as trusted governance components mediating interactions between sensitive workloads and the surrounding infrastructure.

By concentrating security-critical functions within minimal and strongly verifiable components, the architecture enables independent governance of infrastructure interactions while drastically reducing the trusted computing base of the execution environment.

Files

White Paper ProvenCloud Architecture and TSGP V1.1.2.pdf

Files (358.2 kB)

Additional details

Additional titles

Alternative title
ProvenCloud Architecture

Dates

Other
2026-04-04