System for the selective orchestration of the processing of confidential data in cloud environments
The system addresses the lack of fine-grained analysis in cloud environments by decomposing transactions into fragments, evaluating their confidentiality, and ensuring only critical fragments are secured, thereby optimizing resource use and preventing unintended information disclosure.
Patent Information
- Authority / Receiving Office
- DE · DE
- Patent Type
- Utility models
- Current Assignee / Owner
- KUMAR MANISH
- Filing Date
- 2026-04-29
- Publication Date
- 2026-06-25
AI Technical Summary
Existing cloud environments lack fine-grained analysis for identifying confidentiality-critical sub-operations within complex transactions and fail to address inference risks during result merging, leading to unnecessary resource expenditure and unintended disclosure.
A system that decomposes application-layer transactions into execution fragments, evaluates their confidentiality criticality, and selectively assigns them to confidential or non-confidential environments, maintaining attestation states and performing a disclosure check before merging results.
Enables resource-efficient and secure orchestration of confidential data processing by ensuring only critical fragments are processed in secure environments, reducing resource use while preventing direct and indirect information disclosure.
Abstract
Description
Technical field The invention relates to a system for the selective orchestration of confidential data processing in cloud environments. In particular, the invention relates to a computer-implemented system that analyzes application-layer-related transactions, decomposes them into multiple execution fragments, determines a confidentiality criticality for the execution fragments, and selectively assigns the execution fragments to either a confidential or a non-confidential execution environment depending on this determined confidentiality criticality. The invention further relates to the secure merging of the partial results generated in different execution environments while preventing the unauthorized disclosure of confidential information. State of the art In cloud environments, there is an increasing need to protect sensitive data and processes from unauthorized access, especially during active processing. For this purpose, confidential execution environments are known, such as hardware-supported protected runtime environments, in which data and program components can be executed in a way that protects them from being viewed or manipulated. Common systems often move entire applications, virtual machines, containers, or complete workloads to a confidential execution environment. While such solutions offer increased protection, they are associated with significant resource expenditure. In particular, computational load, storage requirements, administrative overhead, and deployment complexity increase when all processing steps are executed in a confidential environment, regardless of their actual sensitivity. Furthermore, prior art includes rule-based mechanisms in which certain data classes or processing operations are marked as requiring protection based on static guidelines and processed accordingly in isolation. However, such systems regularly fail to consider the semantics of a specific application-layer-related transaction. In particular, they lack a fine-grained analysis that identifies which sub-operations of a complex transaction are actually confidentiality-critical and which sub-operations can remain in a non-confidential execution environment without compromising confidentiality. Another problem with existing solutions is that even seemingly non-confidential data or processing results can, when combined with other data, allow inferences to be drawn about confidential information. This inference risk is inadequately addressed by conventional orchestration systems. Similarly, technical safeguards for merging partial results from different execution environments are often lacking, meaning that unintended disclosure effects can occur during recombination. Therefore, there is a need for a system that processes application-layer-related transactions not in a blanket fashion, but selectively and semantically in confidential and non-confidential execution environments, taking into account both confidentiality criticality and inference risks and disclosure effects when combining the results. Object of the invention The invention is based on the objective of providing a system for the selective orchestration of confidential data processing in cloud environments, which can decompose an application layer-related transaction into several execution fragments and determine a confidentiality criticality for each execution fragment in order to assign only those execution fragments to a confidential execution environment that actually require increased protection. A further object of the invention is to provide such a system that evaluates semantic relationships between data elements, processing operations and context information, takes inference risks into account, maintains a connection between attestation states of confidentially executed fragments and upstream or downstream fragments, and checks, before releasing an overall result, whether confidential information is impermissibly disclosed by combining the partial results. Summary of the invention The invention provides a system for the selective orchestration of confidential data processing in cloud environments, comprising an interface for receiving an application layer-related transaction with input data, execution metadata and context data, a decomposition module for decomposing the transaction into multiple execution fragments, an evaluation module for determining a confidentiality criticality for each execution fragment, an orchestration module for assigning the execution fragments to either a confidential execution environment or a non-confidential execution environment, and a merging module for merging the partial results generated in the different execution environments into an overall result. The transaction is preferably decomposed into execution fragments based on application-layer-related semantic relationships between data elements, processing operations, and execution contexts. Confidentiality criticality is preferably determined based on data content, semantic dependency, context information, and disclosure risk. In preferred embodiments, the evaluation module further considers an inference risk, which indicates whether confidential information can be inferred from data that is not confidential in itself by linking it with other data or partial results. The orchestration module assigns only those execution fragments to a confidential execution environment whose confidentiality criticality requires it. Other execution fragments are executed in a non-confidential execution environment. For execution fragments processed in the confidential execution environment, an attestation state is preferably created, maintaining a connection between the attestation state and at least one upstream or downstream execution fragment. Before releasing the overall result, the merging module preferably performs a disclosure check to determine whether merging the partial results would allow for the unauthorized derivation of confidential information. The overall result is only made available if the disclosure check is passed. This enables semantic-based, resource-efficient, and simultaneously security-enhanced orchestration of confidential processing in cloud environments. Detailed description of the invention The present invention relates to a system for the selective orchestration of confidential data processing in cloud environments. The system is designed to treat application-layer-related transactions not as indivisible wholes, but rather to divide them into several execution fragments and assign them to different execution environments depending on their respective confidentiality levels. This ensures that only those sub-operations whose need for protection actually requires it are processed in a confidential execution environment, while less critical sub-operations can remain in a non-confidential execution environment. In a preferred embodiment, the system includes an interface for receiving an application-layer-related transaction. The transaction can, in particular, include input data, execution metadata, and context data. The input data can be, for example, user data, form contents, business documents, communication data, tax data, analytical data, or other application-layer-related data. The execution metadata can include information about called services, processing steps, data sources, application states, user roles, or target systems. The context data can, in particular, include client context, session context, security classifications, geographic assignments, regulatory requirements, or other runtime-related information. The received transaction is fed into a decomposition module. This module is designed to divide the transaction into multiple execution fragments. The decomposition is preferably not purely syntactic, but rather based on application-layer-related semantic relationships between data elements, processing operations, and execution contexts. This means that the decomposition module analyzes which parts of the transaction logically belong together, which sub-operations are interdependent, and which data or operations within the overall transaction have an independent protection requirement. In a preferred embodiment, the decomposition module identifies semantically related subsets of the transaction, such as individual data fields, object relationships, computation sections, validation steps, derivation operations, access operations, or output components. The execution fragments are then formed from these subsets. This ensures that the subsequent assignment to execution environments is based not on a broad overall view, but on a fine-grained semantic analysis. The generated execution fragments are fed into an evaluation module. This module is configured to determine a confidentiality level for each execution fragment. This level of confidentiality is preferably determined based on at least one of the following criteria: data content, semantic dependency, context information, and disclosure risk. Data content can indicate, for example, whether sensitive, personal, business-critical, or security-relevant data is directly affected. Semantic dependency describes whether an execution fragment, due to its relationship to other fragments or data elements, has a heightened need for protection. Context information can cause a fragment that is not inherently critical to be classified as critical in a specific application or client context.Disclosure risk describes the danger that confidential information may be disclosed through the execution or release of a fragment. In a particularly preferred embodiment, the evaluation module further considers an inference risk. The inference risk indicates whether, by linking non-confidential data with other data or partial results, confidential information can be inferred. This is particularly important in complex cloud applications where seemingly harmless intermediate results, reference values, or metadata, in combination with other outputs, can enable a confidential statement. The evaluation module can therefore also classify execution fragments as confidentiality-critical that do not contain directly sensitive content but indirectly allow inferences to be drawn about protected information. Based on their specific confidentiality level, execution fragments are passed to an orchestration module. This module is configured to assign execution fragments with a certain level of confidentiality to a confidential execution environment and other execution fragments to a non-confidential execution environment. The confidential execution environment can be, in particular, a hardware-protected runtime environment, an isolated protected instance, an enclave-based environment, or any other secured execution environment. The non-confidential execution environment can be a conventional cloud runtime environment, a standard container or service environment, or any other processing component that is not specifically protected. Selective allocation avoids the need to process the entire transaction in a confidential execution environment. Instead, only those fragments that actually require it are executed securely. This reduces the use of confidential execution resources and increases overall system efficiency without compromising effective data protection. In a preferred embodiment, the orchestration module is further configured to generate an attestation state for execution fragments processed in the confidential execution environment. The attestation state can, in particular, contain proof that a specific execution fragment has been processed in a designated confidential execution environment under specific protection conditions. Furthermore, the orchestration module preferably maintains a connection between the attestation state and at least one upstream or downstream execution fragment. This can be achieved, for example, through assignment identifiers, cryptographic links, chain structures, state mappings, or other binding mechanisms.This makes it possible to trace which protected and unprotected fragments belong together to a specific overall transaction and under what conditions of trust individual partial results were generated. After the fragments have been executed in their respective environments, the generated partial results are fed into a merge module. This merge module is designed to combine the partial results generated in the different environments into a single, complete result. This merge can be achieved through compilation, reconstruction, linking, embedding, or other syntactic or semantic recomposition. In a particularly preferred embodiment, the merging module performs a disclosure check before releasing the overall result. This disclosure check determines whether the merging of the partial results enables the impermissible derivation of confidential information. Such impermissible derivation may occur, in particular, if only the overall view of several individually unproblematic partial results allows a conclusion to be drawn about protected information, or if the position, sequence, completeness, or relationships of the merged results reveal a confidential statement. The disclosure review may employ semantic test rules, inference models, policy evaluations, dependency analyses, or other control mechanisms. If it is determined that the merging of data would allow for the impermissible derivation of confidential information, the overall result will preferably not be released or will be made available in a modified form. The overall result will only be released if the disclosure review is successful. In a preferred application, the system receives a transaction from a cloud application that includes several processing steps, such as reading input data, executing business rules, deriving key figures, generating intermediate values, and creating output for a target system or user. The decomposition module analyzes the semantic relationships between the processed objects and operations and generates several execution fragments. The evaluation module determines for each fragment whether it should be classified as confidential based on its content, its relationship to other fragments, its context, or an inference risk. The orchestration module then assigns only the critical fragments to a confidential execution environment, while the remaining fragments are processed in a non-confidential execution environment.After execution, the partial results are compiled and subjected to a disclosure review before being published. A key advantage of the invention is that it enables semantics-based selective assignment of protection. A further advantage is that indirect risks are also taken into account through inference. Another advantage is that the relationship between confidentially executed fragments and the remaining fragments is maintained via attestation states. Furthermore, the upstream disclosure review during merging prevents the unintentional disclosure of confidential information through the recombination of partial results. The invention is not limited to the embodiments shown. Rather, the modules can be implemented in a functionally separate or partially combined manner. Likewise, the criteria for determining confidentiality criticality, the type of semantic decomposition, the design of the attestation states, and the methodology of the disclosure review can be adapted to different cloud environments, security requirements, and application architectures. The invention thus creates a technical system with which application layer-related transactions in cloud environments can be orchestrated in a semantically based, selective and security-oriented manner, combining resource-efficient use of confidential execution environments with improved protection against direct and indirect disclosure of confidential information.
Claims
A system for the selective orchestration of confidential data processing in cloud environments, comprising an interface for receiving an application-layer-related transaction with input data, execution metadata, and context data; a decomposition module configured to decompose the transaction into multiple execution fragments; an evaluation module configured to determine a confidentiality criticality for each execution fragment based on at least one of the following: data content, semantic dependency, context information, and disclosure risk; an orchestration module configured to assign execution fragments with a specific confidentiality criticality to a confidential execution environment and other execution fragments to a non-confidential execution environment; and a merger module configured toto combine the partial results generated in the different execution environments into an overall result. System according to claim 1, characterized in that the decomposition module is configured to decompose the transaction into execution fragments based on application layer-related semantic relationships between data elements, processing operations and execution contexts. System according to claim 1 or 2, characterized in that the evaluation module is configured to further determine the confidentiality criticality taking into account an inference risk, which indicates whether confidential information can be inferred from data that is not confidential in itself by linking it with further data or partial results. System according to claim 1, characterized in that the orchestration module is configured to generate an attestation state for execution fragments processed in the confidential execution environment and to maintain a connection between the attestation state and at least one upstream or downstream execution fragment. System according to claim 1, characterized in that the merging module is configured to perform a disclosure check before releasing the overall result, in which it is determined whether the merging of the partial results enables an impermissible derivation of confidential information, and to provide the overall result only if the disclosure check has been passed.