Conclusion

NVIDIA Confidential Computing enables proprietary models to be deployed securely and colocated with enterprise data. This Confidential Container Reference Architecture (RA) describes a reference implementation for deploying proprietary and frontier models on Kubernetes infrastructure using software from NVIDIA and ecosystem partners.

With this Reference Architecture:

The model is secure. The model provider controls the encrypted model and the keys to decrypt it, which are released only after successful attestation, protecting the model from the infrastructure, the data owner, and the platform operator.

The data is secure. The enterprise data owner controls approved inputs, outputs, and telemetry collection. The data is unencrypted only during execution and never exposed to anyone but the data owner.

The platform operator controls the Kubernetes environment and the deployment SLA. The TEE (confidential pod) is where the workload runs; its data is readable only inside the confidential execution environment, which is isolated, encrypted, and attested.

In addition to unlocking AI use cases for regulated industries that process sensitive data on-premises, NVIDIA Confidential Computing and this Reference Architecture allow enterprises to control the cost and SLA of inference without compromising accuracy or performance.

Software and hardware components must be confirmed against the target validation profile for a given deployment.