Zero Trust Infrastructure with SUSE Linux & Confidential Computing


Traditionally, Zero Trust was related to access control and networking. Today’s security and compliance needs and new regulations make it important to adopt an overall Zero Trust Infrastructure. Learn what Zero Trust Infrastructure is and how SUSE Linux’s unique approach enables its implementation. Leverage Confidential Computing, attestation and a certification-validated Secure Software Supply Chain for ultimate infrastructure security.


Expanding Zero Trust Security Across Infrastructure

As cyber threats evolve, it is not enough to trust infrastructure providers, host OS, or even privileged users to secure sensitive workloads. Zero Trust must extend beyond access controls to infrastructure and workload execution to ensure data protection and regulatory compliance at all levels.

A Zero Trust Infrastructure requires not only that workloads execute in attested, encrypted environments during execution but also that the OS itself is built on a validated, secure software supply chain—ensuring trust at the infrastructure level and eliminating blind trust.

Implementing Zero Trust is essential for securing workload execution, ensuring data protection and mitigating insider threats.


Why Enterprises Need Zero Trust Infrastructure for Workload Execution

Extending Zero Trust to include Confidential Computing gives workloads, practitioners and enterprises the following advantages:

  • Mitigates insider & cloud risks – Prevents unauthorized access to workloads, even from administrators or cloud providers.
  • Guarantees workload integrity – Ensures applications only run in a verified, isolated execution environment.
  • Confidential data stays protected – Memory encryption ensures sensitive information is never exposed during processing.
  • Simplifies compliance & regulatory alignment – Enforces hardware-based security for finance, government and highly regulated industries.
  • Addresses remote attestation gap – Provides verifiable proof that workloads are running in a trusted execution environment, eliminating blind trust in cloud providers.

Figure: Zero Trust Infrastructure with SUSE Linux and Confidential Computing, highlighting the security layers.

Zero Trust Infrastructure secures data at rest, in transit, and in use, expanding beyond traditional Zero Trust Network models with SUSE Linux.

Zero Trust Infrastructure with Confidential Computing

Traditional Zero Trust strategies and implementations focus on identity and network security but fail to protect running workloads and the infrastructure itself. A Confidential Computing implementation extends Zero Trust Security to infrastructure anywhere by:

  • Encrypting memory and CPU operations to prevent unauthorized access—even from infrastructure providers, privileged users or compromised hypervisors.
  • Enforcing verified execution so workloads run only on infrastructure that is attested in real time, trusted and cryptographically protected.
  • Eliminating implicit trust in cloud providers, host OS and administrators, ensuring that sensitive data remains protected even if infrastructure is compromised.

Remote Attestation: The Compliance Shield

One of the biggest gaps in cloud security is the lack of verifiable proof that sensitive data was securely processed. Zero Trust Infrastructure requires continuous verification, and SUSE addresses this challenge with Remote Attestation, ensuring that:

  • Only verified, Confidential Computing-enabled workloads are executed.
  • Audit-ready security evidence is available to demonstrate compliance in the case of an investigation.

Beyond attestation, SUSE also provides vulnerability management and streamlines compliance to strengthen workload security with SUSE Multi-Linux Manager.

By eliminating blind trust in infrastructure providers and administrators, Remote Attestation is essential for implementing a Zero Trust Infrastructure, ensuring that workloads only execute in attested, encrypted infrastructure environments.

With SUSE Linux Confidential Computing, organizations not only prevent security breaches but also have the attestation proof to defend against compliance violations—a critical factor in today’s regulatory landscape.


SUSE Linux’s Unique Proposition

SUSE Linux’s unique proposition leverages both Confidential Computing and a validated, certification-backed secure software supply chain to enforce a Zero Trust security approach at the infrastructure level.

The First Pillar: A Certification-Validated Secure Software Supply Chain

Regulatory frameworks such as NIS2, DORA and GDPR require demonstrable security measures, yet most Linux vendors do not provide validated, Common Criteria-certified Secure Software Supply Chains, which makes compliance audits complex and risky.

Enterprises can reduce compliance risk by leveraging SUSE Linux’s certification-validated Secure Software Supply Chain, effectively delegating liability thanks to its government-grade certifications (Common Criteria EAL4+). This ensures that organizations using SUSE Linux meet the strictest security and regulatory requirements without added audit complexity.

The Second Pillar: Confidential Computing for Secure Workload Isolation

Confidential Computing extends Zero Trust principles by enforcing cryptographic workload isolation and providing attestation for secure execution.

With an OS running on secure infrastructure that provides memory and CPU encryption demonstrable through attestation, SUSE Linux eliminates exposure to:

  • Insider threats
  • Cloud vulnerabilities
  • Compromised infrastructure across cloud, virtual, and on-premises environments

Scaling Zero Trust Infrastructure with a Demonstrable Secure Software Supply Chain

Zero Trust Security relies on continuous verification—but trust must start at the operating system level. A certification-validated and secure software supply chain is essential to ensure Zero Trust principles apply from the OS to workload execution and scale across all environments.

Why the Operating System Supply Chain Matters in Zero Trust Infrastructure

A certification-validated secure software supply chain is the foundation of a trusted Zero Trust Infrastructure, ensuring that every component, from the OS to the workloads, remains verified and protected, for three reasons:

  • Unverified Software is a Security Risk – Without a trusted OS built on a verifiable Secure Software Supply Chain, malicious code, backdoors, or vulnerabilities can undermine Zero Trust enforcement.
  • Supply Chain Attacks Bypass Traditional Security – Zero Trust requires software from a validated, secured and attested source.
  • Security Certifications Ensure Compliance – Highly regulated industries need OS vendors with strict security certifications, such as Common Criteria EAL4+, FIPS 140-2/140-3 and ISO 27001, to meet Zero Trust security standards.

By integrating both a certification-validated Secure Software Supply Chain and Confidential Computing, SUSE Linux provides a true Zero Trust Infrastructure that ensures security, compliance, and resilience at scale—allowing enterprises to delegate liability to a government certification.


OS Innovation and Commitment: The Foundation for Secure Zero Trust Infrastructure Implementation

Due to the rapid pace of Confidential Computing innovation at both the hardware and OS layers, provider commitment is essential for building a secure and resilient Zero Trust Infrastructure over time.

SUSE Linux remains at the forefront by continuously advancing Confidential Computing capabilities, collaborating closely with CPU vendors (developing drivers for AMD SEV and Intel TDX) and cloud providers, and strengthening its validated Secure Software Supply Chain.

With the latest innovations in SUSE Linux Enterprise 15 SP7 and the upcoming SUSE Linux Enterprise 16, SUSE is committed to delivering the most secure enterprise Linux—ensuring organizations achieve the strictest security certifications while adopting Zero Trust Infrastructure with confidence.

SUSE Linux: A Trusted OS Foundation for Zero Trust Infrastructure Security at Scale

Only SUSE Linux is built on a certification-validated Secure Software Supply Chain evaluated by Common Criteria EAL4+, ensuring the highest level of trust for enterprises and government organizations requiring strict security standards. Only SUSE Linux provides:

  • A fully validated and secure software supply chain, eliminating the risk of unverified software sources.
  • Strictest security certifications, ensuring compliance with industry standards.
  • Continuous security updates, to mitigate vulnerabilities before they are exploited.

By starting Zero Trust Infrastructure at the OS level, SUSE Linux ensures a trusted execution environment, reinforcing Zero Trust Security across cloud, data centers and edge deployments.

SUSE Linux support for host and guest Confidential Computing, along with Confidential Computing-ready SUSE Linux Enterprise Server images available from hyperscalers and service providers, ensures enterprises can apply Zero Trust Infrastructure security at scale. Together with SUSE Multi-Linux Manager’s remote attestation capabilities, organizations can implement Zero Trust Infrastructure across any site, cloud, data center and edge with a reliable, secure and certified operating system. This enables:

  • Workloads that run only on verified, Confidential Computing-enabled hardware.
  • Memory encryption and secure CPU features that prevent unauthorized code execution.
  • Compliance with regulatory requirements (DORA, GDPR, NIS2), ensuring that sensitive workloads remain isolated and tamper-proof, even against physical access threats.
  • Continuous security policies and compliance tracking for Zero Trust workloads across all environments, ensuring provable trust at scale.
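Before a workload can be attested, the guest it runs in must actually have memory encryption active and an interface for requesting a hardware attestation report. The POSIX shell check below, added here as an example and not SUSE's own code or tooling, classifies a system's Confidential Computing state for both the host and guest cases discussed above; the kernel log banner text, the /proc/cpuinfo flag names and the /dev/sev-guest and /dev/tdx_guest device paths are assumptions taken from upstream Linux kernels, not something this post documents.

```shell
# Classify a Linux system's Confidential Computing (CC) state.
#   $1  the "flags" line from /proc/cpuinfo
#   $2  kernel log text (dmesg output)
#   $3  "1" if a guest attestation device node is present, else "0"
# Prints exactly one of:
#   guest-attestable   memory encryption active (SEV-SNP or TDX) and a device
#                      for requesting a hardware attestation report is present
#   guest-encrypted    memory encryption active, but no in-guest attestation device
#   host-sev-snp       host CPU advertises SEV-SNP (can launch attestable guests)
#   host-sev           host CPU advertises SEV/SEV-ES only
#   none               no CC feature detected
cc_state() {
  flags="$1"; klog="$2"; guestdev="$3"
  # Upstream kernels print this banner once encrypted guest memory is set up
  # (assumed format, e.g. "Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP").
  active=$(printf '%s\n' "$klog" | sed -n 's/.*Memory Encryption Features active: //p' | head -n 1)
  case "$active" in
    *SEV-SNP*|*"Intel TDX"*)
      if [ "$guestdev" = "1" ]; then echo guest-attestable; else echo guest-encrypted; fi
      return 0 ;;
    *"AMD SEV"*)
      # Plain SEV/SEV-ES: memory is encrypted, but there is no in-guest report interface.
      echo guest-encrypted; return 0 ;;
  esac
  # No guest banner: fall back to host-side CPUID feature flags.
  case " $flags " in
    *" sev_snp "*) echo host-sev-snp ;;
    *" sev "*)     echo host-sev ;;
    *)             echo none ;;
  esac
}

# Live, read-only check of the machine this script runs on. The device paths are
# assumed to be the upstream SEV-SNP (/dev/sev-guest) and TDX (/dev/tdx_guest) guest drivers.
live_flags=$(grep -m 1 '^flags' /proc/cpuinfo 2>/dev/null || true)
live_klog=$(dmesg 2>/dev/null || true)
if [ -e /dev/sev-guest ] || [ -e /dev/tdx_guest ]; then live_dev=1; else live_dev=0; fi
echo "Confidential Computing state: $(cc_state "$live_flags" "$live_klog" "$live_dev")"
```

A result other than guest-attestable inside a VM means a remote attestation policy would have nothing to verify, which is the gap the text above describes.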

Real-World Confidential Computing Example: Zero Trust Infrastructure for Defense & Government Workloads

One of the biggest security challenges for highly regulated industries, such as defense and government, is physical access to infrastructure. Traditional security models assume that physical deployments, such as data centers, are trustworthy, but insider threats, compromised administrators and unauthorized access to physical servers and devices create invisible security gaps. These risks are even greater at remote sites and the edge, where infrastructure is often deployed with fewer physical security controls, maintained by external providers or accessed by external users, which increases the attack surface.

Case Example: Confidential Computing for Zero Trust Infrastructure Physical Security in Defense

Defense organizations require an OS with the highest security certifications, such as Common Criteria EAL4+ and built on a demonstrable Secure Software Supply Chain to ensure complete trustworthiness.

A defense organization required a Zero Trust Infrastructure approach to ensure that no insider, administrator, user, or provider could access mission-critical workloads—even with physical access to infrastructure. By deploying SUSE Linux Confidential Computing with KVM-based isolation and hardware-backed attestation, the organization enforced Zero Trust principles at the workload execution level, ensuring absolute data protection and eliminating infrastructure blind spots.

  • Memory encryption ensured that even if an attacker gained physical access to the hardware, they couldn’t extract sensitive data from running virtual workloads, as it remained encrypted in memory.
  • Remote Attestation provided continuous proof that workloads were executing in a secure, trusted environment, preventing unauthorized code injection or tampering.
  • Hardware-enforced isolation ensured that even cloud providers, infrastructure vendors and data center administrators could not access mission-critical workloads.

By leveraging Confidential Computing, the organization ensured data sovereignty and eliminated trust dependencies on cloud providers, mitigating espionage, insider threats and infrastructure vulnerabilities.


Redefining Zero Trust: Beyond Who Can Access Workloads to Where & How They Execute

With SUSE Linux Enterprise Server’s unique certifications, validated Secure Software Supply Chain and support for host and guest Confidential Computing, organizations can build a truly Zero Trust Infrastructure, ensuring security, compliance and data protection at every layer. By eliminating blind trust in infrastructure and software supply chains, SUSE Linux enables enterprises to confidently deploy Zero Trust Infrastructure security across cloud, data center and edge environments.

You can move ahead with a more secure OS. Try SUSE Linux Enterprise Server today.

For more insights on how SUSE enables Confidential Computing, read my previous blog post here.

Sebastian Martinez: 25+ years of experience in the tech industry and enjoying searching for creative solutions and staying up-to-date with technology trends.