
Shrinking the Complexity Risks in AI Cloud Deployments
The Problem with Trust in AI Cloud Services
Today, when using an AI product deployed in the cloud, companies must trust many third parties and complex (often closed-source) infrastructure to be implemented correctly and in a way that protects their data. This includes the cloud provider, AI stack services (offering observability, analytics, and agent capabilities), and the inference provider that runs the AI model. All these parties can see the data in plain text and present a large attack surface. This is why the number of data breaches increases by 11% year-over-year. With the amount of personal and proprietary data being given to AI, the importance and impact of each data breach increases exponentially.
The majority of enterprises cite data security and privacy of proprietary data as the number one inhibitor for AI adoption. The current alternatives are limited to legal contracts (such as data privacy agreements or privacy policies), or a regression to on-premise deployments. However, these approaches do not represent viable long-term solutions.
Tinfoil's Approach: Minimizing Trust
Tinfoil's approach greatly reduces the complexity risk of using AI in cloud services by excluding all third parties and most of the existing AI infrastructure from the end-user trust boundaries. We isolate the inference server, hardening it against common threats and providing a private alternative to the classic AI stack. For a more detailed introduction to our approach, check out our introduction to Tinfoil post.
When you use an application deployed with Tinfoil, you can verify that nobody but you can access your data, similar to WhatsApp's end-to-end privacy guarantees. This means anyone deploying AI applications through Tinfoil can be certain their data won't be:
- exposed to third-party security breaches,
- used for AI model training without consent, or
- sold to the highest bidder.
AI Inference is Perfect for Secure Enclaves
AI inference servers are ideal candidates for secure hardware enclaves. Why? Because AI inference has a straightforward control flow and only requires static data access patterns. This means that it can easily be made stateless by disabling cross-user query caching and ensuring complete isolation between different users' requests.
Such statelessness is a perfect match for secure enclaves which are inherently stateless themselves (all memory is encrypted and volatile), and ensures that we can prove our confidential inference endpoints do not expose nor remember anything about your data. Learn more about how Tinfoil builds on secure enclaves in our technical overview post.
Our Technical Safeguards
We build on cutting-edge secure enclaves and hardware-backed isolation (AMD SEV-SNP, NVIDIA Confidential Compute Mode) to enforce end-to-end verifiable privacy. This means data in the secure enclave's memory is always encrypted, keeping it inaccessible, even from an attacker with physical access to the machine. We further enhance security by eliminating all remote access capabilities from our isolated inference servers, effectively removing the possibility of unauthorized data access by Tinfoil and other internal threats.
We architect Tinfoil to reduce the likelihood and impact of side channels through several mitigation strategies:
- All AMD platform secrets are kept in a separate AMD secure co-processor
- AMD attestation reports are additionally signed by Tinfoil, ensuring a powerful external attacker with AMD secrets cannot pretend to be a valid Tinfoil server
- We never share secrets (such as TLS keys) across different enclaves and frequently rotate all key material
- User requests are only transiently present on the server (and can never be accessed by us or the cloud provider due to encryption), minimizing the risk of exposure through side channel attacks (see our blog post on side channels)
- All hardware (CPUs, GPUs) is dedicated: it is never shared with anyone else and is only used to execute Tinfoil inference code
In summary, these technical safeguards ensure that your data remains private and protected from both external and internal threats throughout the entire inference process.
Transparency Through Open Source
Furthermore, we make our security claims verifiable by open-sourcing all security-sensitive code, using automated builds and transparency logs to prevent supply chain attacks, and enabling instant client-side verification. To learn more about how we build trust through these mechanisms, read our detailed explanation of how Tinfoil builds trust.
At Tinfoil, we've built a transparent architecture allowing you to audit the entire trusted codebase of your cloud deployment. Specifically, our use of secure hardware enclaves does not rely on closed-source hypervisors (as required with AWS Nitro Enclaves) or paravisors (as required with Azure Confidential Computing).
Remote attestation of secure enclaves enables a client to instantly verify a server's configuration and binary integrity. We combine automated builds and transparency logs to provide the added guarantee that the attested binary corresponds to code we have open-sourced, making it possible for enterprises to expedite security audit and compliance.
You can see how this works in our private chat.
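The client-side check described above (a hardware-signed attestation report that is additionally countersigned by the operator, compared against a measurement published in a transparency log by the build pipeline, with the server's TLS key bound into the report), written out as an added example in Go. This is not Tinfoil's own code: the Report, Attestation, LogEntry, Verifier and BuildDemo names are assumptions of this example, all three signing keys are freshly generated ed25519 keys standing in for the vendor, operator and build keys, and the report structure is simplified to the two fields the check needs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a simplified stand-in for a hardware attestation report
// (constructed for this example; real SEV-SNP reports carry many more fields).
type Report struct {
	Measurement [32]byte // hash of the enclave image that was launched
	ReportData  [32]byte // caller-chosen binding, here SHA-256 of the server's TLS public key
}

// Bytes serialises the report fields that both signatures cover.
func (r Report) Bytes() []byte {
	return append(append([]byte{}, r.Measurement[:]...), r.ReportData[:]...)
}

// Attestation is the report plus the hardware vendor's signature and the
// operator's countersignature over the same bytes.
type Attestation struct {
	Report      Report
	VendorSig   []byte
	OperatorSig []byte
}

// LogEntry models a transparency-log record from the reproducible build
// pipeline: which source was built and the measurement it produced.
type LogEntry struct {
	SourceRef   string
	Measurement [32]byte
	Sig         []byte // signed with the build pipeline's key
}

// Verifier holds the three public keys the client pins ahead of time.
type Verifier struct {
	VendorKey   ed25519.PublicKey
	OperatorKey ed25519.PublicKey
	BuildKey    ed25519.PublicKey
}

// Verify runs the client-side checks: both signatures on the report, the log
// entry's signature, measurement equality with the published build, and that
// the TLS key the server presents is the one bound into ReportData.
func (v Verifier) Verify(a Attestation, entry LogEntry, tlsPub []byte) error {
	msg := a.Report.Bytes()
	if !ed25519.Verify(v.VendorKey, msg, a.VendorSig) {
		return errors.New("hardware vendor signature invalid")
	}
	if !ed25519.Verify(v.OperatorKey, msg, a.OperatorSig) {
		return errors.New("operator countersignature missing or invalid")
	}
	entryMsg := append([]byte(entry.SourceRef), entry.Measurement[:]...)
	if !ed25519.Verify(v.BuildKey, entryMsg, entry.Sig) {
		return errors.New("transparency log entry signature invalid")
	}
	if a.Report.Measurement != entry.Measurement {
		return errors.New("attested measurement does not match the published build")
	}
	if a.Report.ReportData != sha256.Sum256(tlsPub) {
		return errors.New("server TLS key is not bound to the attestation")
	}
	return nil
}

// Demo is a constructed, self-consistent set of artefacts for one server.
type Demo struct {
	V      Verifier
	Att    Attestation
	Entry  LogEntry
	TLSPub []byte
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildDemo plays the build pipeline, the hardware and the operator with
// simulated keys so the example runs offline.
func BuildDemo() Demo {
	vendorPub, vendorPriv := mustKey()
	operatorPub, operatorPriv := mustKey()
	buildPub, buildPriv := mustKey()
	tlsPub, _ := mustKey() // the server's TLS key; only the public half matters here

	image := []byte("constructed enclave image bytes") // constructed sample input
	entry := LogEntry{SourceRef: "git:example-commit", Measurement: sha256.Sum256(image)}
	entry.Sig = ed25519.Sign(buildPriv, append([]byte(entry.SourceRef), entry.Measurement[:]...))

	report := Report{Measurement: sha256.Sum256(image), ReportData: sha256.Sum256(tlsPub)}
	att := Attestation{
		Report:      report,
		VendorSig:   ed25519.Sign(vendorPriv, report.Bytes()),
		OperatorSig: ed25519.Sign(operatorPriv, report.Bytes()),
	}
	return Demo{V: Verifier{VendorKey: vendorPub, OperatorKey: operatorPub, BuildKey: buildPub},
		Att: att, Entry: entry, TLSPub: tlsPub}
}

func main() {
	d := BuildDemo()
	fmt.Println("valid server:", d.V.Verify(d.Att, d.Entry, d.TLSPub))
	forged := d.Att
	forged.OperatorSig = nil // vendor-signed, but never countersigned by the operator
	fmt.Println("missing countersignature:", d.V.Verify(forged, d.Entry, d.TLSPub))
}
```

Two design points carry over to a real deployment. The operator countersignature is checked independently of the vendor signature, so a report that is genuine at the hardware level but not issued by the operator is rejected, which is the property the "additionally signed by Tinfoil" bullet above describes. Binding the TLS public key into the report data means the client compares the key it sees in the handshake with the one the enclave attested to, so a valid report cannot simply be relayed by a different endpoint.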
The Future of Private AI
Tinfoil significantly reduces the risks of cloud-based AI deployment, enabling scalable adoption of AI applications across enterprises. Our vision is for every business function to use cutting-edge AI tools without privacy concerns or the laborious process of on-premises deployment.
We are building a future where using AI with strong and verifiable privacy guarantees becomes as ubiquitous and essential as TLS/SSL on the web. The architecture of Tinfoil reflects this goal by providing users with a clear trust boundary — shifting away from vague, expansive cloud infrastructure toward an auditable, open-source, human-scale trusted codebase.