Merge pull request #676 from IABTechLab/gwh-APIDOCS-2164-private-oper…

…ator-doc

Gwh apidocs 2164 private operator doc

docs/guides/integration-options-private-operator.md

@@ -0,0 +1,83 @@
+---
+title: Private Operator Integrations
+description: Overview of UID2 Private Operator options.
+hide_table_of_contents: false
+sidebar_position: 02
+---
+
+import Link from '@docusaurus/Link';
+
+# Private Operator Integrations
+
+A Private Operator is a private instance of the UID2 <Link href="../ref-info/glossary-uid#gl-operator">Operator</Link>. This means that a specific entity hosts a private instance of the UID2 Operator, exclusively for their own use.
+
+A Private Operator runs in an <Link href="../ref-info/glossary-uid#gl-enclave">enclave</Link>&#8212;a virtual machine with additional security features to prevent unauthorized access, so that unauthorized individuals cannot download any configuration information or data from the virtual machine.
+
+Enclaves provide hardware-based security features, ensuring that the VM's data and operations are protected from external threats, including the host operating system, hypervisor, and even system administrators.
+
+Running in an enclave provides an extra layer of security to protect the secure data used to produce raw UID2s.
+
+Becoming a Private Operator includes several additional steps, and uses resources that the participant must provide.
+
+On this page, you'll find a high-level overview of integration options and steps, with links to additional information for each option.
+
+## Private Operator Requirements
+
+The participant must host, configure, maintain, and update the Private Operator instance, and must conform to strict security measures. Engineering resources are required to integrate and to make ongoing updates.
+
+The participant must sign a contract (see [Account Setup](../getting-started/gs-account-setup.md)) to host a Private Operator instance.
+
+:::note
+A Private Operator has no visibility into the raw UID2s or UID2 tokens processed by a Public Operator or another Private Operator. Each Private Operator is isolated from all other Operators.
+:::
+
+## Private Operator Workflow
+
+Every Private Operator runs in one of the following:
+
+- [Nitro](https://aws.amazon.com/ec2/nitro/) Enclave (AWS)
+- Confidential space (GCP)
+- Confidential computing environment (Azure)
+
+Each of these ensures that the Private Operator runs in a protected memory space.
+
+The basic workflow is as follows:
+
+1. On startup, the Private Operator goes through an attestation process with the <a href="../ref-info/glossary-uid#gl-core-service">Core</a> service. The attestation process verifies that the Operator is running in a secure trusted execution environment (TEE), and that the environment hasn't been tampered with.
+
+1. When the Operator passes the attestation process, the Core service gives the Private Operator secure S3 URLs for retrieving the information it needs for startup.
+
+1. The Private Operator retrieves the security information from Amazon S3 that it needs to process UID2s, such as salts, encryption keys, and user opt-out records. For security details, see [Private Operator Security](#private-operator-security).
+
+1. If an Operator is restarted, it goes through the attestation process again, and retrieves a fresh set of security information.
+
+1. The Operator re-attests periodically with the Core service to ensure that it is still running in a protected environment. If any compromise is detected, the Operator shuts down.
+
+## Private Operator Security
+
+Each supported Private Operator implementation must meet rigorous security standards. Some security points include:
+
+- The Private Operator runs in a hardware-based trusted execution environment (TEE) hosted by one of the supported cloud providers listed in [Private Operator Integration Options](#private-operator-integration-options).
+- The Private Operator must complete an attestation process before accessing the information needed to process UID2s.
+- The information on S3 is encrypted at rest and also encrypted in transit through TLS. In addition, access is limited to only correctly authorized and attested Private Operators.
+- The information retrieved at startup is not stored locally at any point. It is only ever held in memory, and the Private Operator is running in a protected environment that makes it difficult for anyone running the Operator (such as an Administrator), as well as any external players, to see the data that's in memory.
+
+## Private Operator Integration Options
+
+The following Private Operator integrations are available. 
+
+There is no functional difference between the Private Operator versions.
+
+| Integration Type| Documentation | Content Description |
+| :--- | :--- | :--- |
+| AWS | [UID2 Private Operator for AWS Integration Guide](../guides/operator-guide-aws-marketplace.md) | Instructions for setting up a Private Operator service for AWS Marketplace. |
+| GCP Confidential Space | [UID2 Private Operator for GCP Integration Guide](../guides/operator-private-gcp-confidential-space.md) | Information for setting up the UID2 Operator Service in [Confidential Space](https://cloud.google.com/confidential-computing#confidential-space), a confidential computing option from [Google Cloud](https://cloud.google.com/docs/overview/) Platform. |
+| Azure | [UID2 Private Operator for Azure Integration Guide](../guides/operator-guide-azure-enclave.md) | Instructions for setting up the UID2 Operator Service in a Confidential Container, a confidential computing option from Microsoft Azure. |
+
+## Additional Information
+
+The following additional resources are available for those interested in hosting a Private Operator:
+
+- General information about Private Operators, including a summary of benefits: see [UID2 Overview for Private Operators](../overviews/overview-operators-private.md).
+
+- General information about how Operators work: see [The UID2 Operator](../ref-info/ref-operators-public-private.md).

docs/overviews/overview-operators-private.md

@@ -1,6 +1,6 @@
 ---
 title: Private Operators
-description: Information summary for private Operators.
+description: Information summary for Private Operators.
 hide_table_of_contents: false
 use_banner: true
 banner_title: UID2 Overview for Private Operators
@@ -9,13 +9,13 @@ banner_description: Own the process of generating UID2s from DII in a private en
 
 import Link from '@docusaurus/Link';
 
-Private Operators of UID2 send first-party <Link href="../ref-info/glossary-uid#gl-dii">directly identifying information (DII)</Link> to a secure environment for translation, and control the destinations for those identifiers. A participant that chooses to become a private Operator (previously known as closed Operator) can generate and manage UID2s, running a UID2 Operator service in a private environment.
+Private Operators of UID2 send first-party <Link href="../ref-info/glossary-uid#gl-dii">directly identifying information (DII)</Link> to a secure environment for translation, and control the destinations for those identifiers. A participant that chooses to become a Private Operator can generate and manage UID2s, running a UID2 <Link href="../ref-info/glossary-uid#gl-operator">Operator</Link> service in a private environment.
 
-Learn about what the UID2 framework offers to private Operators, including benefits, hosting options, documentation and other resources, and how to get started.
+Learn about what the UID2 framework offers to Private Operators, including benefits, hosting options, documentation and other resources, and how to get started.
 
 ## Benefits
 
-Here are some of the intended benefits of participating in UID2 as a private Operator:
+Here are some of the intended benefits of participating in UID2 as a Private Operator:
 - You can maintain privacy-conscious workflows for your customer data to be encrypted and activated across chosen partners.
 - You can participate in UID2 using your own first-party <Link href="../ref-info/glossary-uid#gl-dii">directly identifying information (DII)</Link> without sharing it.
 - You have full control of resources, performance, and latency for UID2.
@@ -26,7 +26,7 @@ For more information, see [The UID2 Operator](../ref-info/ref-operators-public-p
 
 ## Hosting Options for Private Operators
 
-If you choose to be a private Operator, several implementation options are available. You can do any of the following:
+If you choose to be a Private Operator, several implementation options are available. You can do any of the following:
 
 - Use a cloud services setup. UID2 supports hosting UID2 in an <Link href="../ref-info/glossary-uid#gl-enclave">enclave</Link> on the following cloud service providers (medium level of effort to implement):
   - Amazon Web Services (AWS)
@@ -38,6 +38,8 @@ If you choose to be a private Operator, several implementation options are avail
 
 1. Request access to UID2 by filling out the form on the [Request Access](/request-access) page.
 2. Decide which implementation option you want to use.
+
+   For details about available options, see [Private Operator Integrations](../guides/integration-options-private-operator.md).
 3. If you're using an SDK, download the SDK. Refer to the applicable SDK guide.
 4. Follow the instructions in the implementation guide for the option you chose.
 
@@ -49,7 +51,11 @@ If you choose to be a private Operator, several implementation options are avail
 
 ## Implementation Resources
 
-The following documentation resources are available for private Operators to implement UID2.
+The following documentation resources are available for Private Operators to implement UID2.
+
+:::tip
+For a detailed summary of options, see [Private Operator Integrations](../guides/integration-options-private-operator.md).
+:::
 
 | Integration Type| Documentation | Content Description |
 | :--- | :--- | :--- |

docs/ref-info/glossary-uid.md

@@ -25,12 +25,16 @@ import Link from '@docusaurus/Link';
 <a href="#gl-bidstream">Bidstream</a> 
 
 **C**
+
 <a href="#gl-client-key">Client key</a> | 
 <a href="#gl-client-keypair">Client keypair</a> | 
 <a href="#gl-client-secret">Client secret</a> | 
 <a href="#gl-client-server">Client-server integration</a> | 
 <a href="#gl-client-side">Client-side integration</a> | 
 <a href="#gl-closed-operator">Closed Operator</a> | 
+<a href="#gl-confidential-computing">Confidential Computing (GCP)</a> | 
+<a href="#gl-confidential-containers">Confidential containers (Azure)</a> | 
+<a href="#gl-confidential-space">Confidential Space (GCP)</a> | 
 <a href="#gl-core-service">Core Service</a> 
 
 **D**
@@ -176,6 +180,23 @@ import Link from '@docusaurus/Link';
 <dt><MdxJumpAnchor id="gl-closed-operator"><a href="#gl-closed-operator">Closed Operator</a></MdxJumpAnchor></dt>
 <dd>Closed Operator is another term for a <a href="#gl-private-operator">Private Operator</a>.</dd>
 
+<dt><MdxJumpAnchor id="gl-confidential-computing"><a href="#gl-confidential-computing">Confidential Computing (GCP)</a></MdxJumpAnchor></dt>
+<dd>A Confidential Computing solution from Google Cloud Platform (GCP), Confidential Space, that is supported for hosting a UID2 <a href="#gl-private-operator">Private Operator</a>.</dd>
+<dd>For details, see <a href="#gl-confidential-space">Confidential Space</a>.</dd>
+<!-- <dd>**new**</dd> -->
+
+<dt><MdxJumpAnchor id="gl-confidential-containers"><a href="#gl-confidential-containers">Confidential containers (Azure)</a></MdxJumpAnchor></dt>
+<dd>Confidential Containers is the name of a secure confidential computing option from Microsoft Azure. Each Confidential Containers implementation runs in a hardware-backed Trusted Execution Environment (TEE) that provides intrinsic capabilities such as data integrity, data confidentiality, and code integrity.</dd>
+<dd>In the context of UID2, Confidential Containers from Azure is one of the supported secure computing environments for hosting a <a href="#gl-private-operator">Private Operator</a>.</dd>
+<dd>For details, see <a href="../guides/operator-guide-azure-enclave">UID2 Private Operator for Azure Integration Guide</a>.</dd>
+<!-- <dd>**new**</dd> -->
+
+<dt><MdxJumpAnchor id="gl-confidential-space"><a href="#gl-confidential-space">Confidential Space (GCP)</a></MdxJumpAnchor></dt>
+<dd>Confidential Space is one of the Confidential Computing options from Google Cloud Platform (GCP). Confidential Space offers a secure enclave environment, known as a Trusted Execution Environment (TEE).</dd>
+<dd>In the context of UID2, GCP Confidential Space is one of the supported secure computing environments for hosting a <a href="#gl-private-operator">Private Operator</a>.</dd>
+<dd>For details, see <a href="../guides/operator-private-gcp-confidential-space">UID2 Private Operator for GCP Integration Guide</a>.</dd>
+<!-- <dd>**new**</dd> -->
+
 <dt><MdxJumpAnchor id="gl-core-service"><a href="#gl-core-service">Core Service</a></MdxJumpAnchor></dt>
 <dd>The UID2 Core Service is a centralized service that manages access to <a href="#gl-salt">salts</a>, encryption keys, and other relevant data in the UID2 ecosystem.</dd>
 <dd>For an overview of all the UID2 services, see <a href="/docs/intro#components">Components</a>.</dd>
@@ -209,7 +230,7 @@ import Link from '@docusaurus/Link';
 
 <dt><MdxJumpAnchor id="gl-enclave"><a href="#gl-enclave">Enclave</a></MdxJumpAnchor></dt>
 <dd>An enclave is a secure subsection of a computing environment. The enclave has additional business logic and security measures applied to it, to prevent anyone from tampering with it.</dd>
-<dd>In the context of UID2, a <a href="#gl-private-operator">Private Operator</a> must run inside an enclave or in a private environment. For a summary of the enclave versions supported, see <a href="../guides/summary-guides#private-operator-service-integrations">Private Operator Service Integrations</a>.</dd>
+<dd>In the context of UID2, a <a href="#gl-private-operator">Private Operator</a> must run inside an enclave. For a summary of the enclave versions supported, see <a href="../overviews/overview-operators-private#implementation-resources">Implementation Resources</a> in *UID2 Overview for Private Operators*.</dd>
 <dd>In an enclave, the operator image must be a very specific, predefined version, and additional constraints are applied to ensure security.</dd>
 
 <dt><MdxJumpAnchor id="gl-encryption-key"><a href="#gl-encryption-key">Encryption key</a></MdxJumpAnchor></dt>
@@ -296,7 +317,7 @@ import Link from '@docusaurus/Link';
 <dd>For details, see <a href="../intro#participants">participants</a> and <a href="../ref-info/ref-operators-public-private">The UID2 Operator</a>.</dd>
 
 <dt><MdxJumpAnchor id="gl-operator-key"><a href="#gl-operator-key">Operator key</a></MdxJumpAnchor></dt>
-<dd>Each UID2 Private Operator has an operator key that allows the private Operator Service to connect to the Core Service and Opt-Out Service and call some endpoints on it.</dd>
+<dd>Each UID2 Private Operator has an operator key that allows the Private Operator Service to connect to the Core Service and Opt-Out Service and call some endpoints on it.</dd>
 <dd>The operator key identifies the participant Operator to the UID2 service.</dd>
 
 <dt><MdxJumpAnchor id="gl-operator-service"><a href="#gl-operator-service">Operator Service</a></MdxJumpAnchor></dt>

docs/ref-info/ref-operators-public-private.md

@@ -28,7 +28,7 @@ The Operator is the operational code of UID2—the code that turns an email
 
 ## Public Operators
 
-A Public Operator, or Open Operator, is a UID2 Operator instance that is available to all relevant UID2 participants. Public Operators run publicly available instances of the Operator Service and make them available to participants.
+A Public Operator is a UID2 Operator instance that is available to all relevant UID2 participants. Public Operators run publicly available instances of the Operator Service and make them available to participants.
 
 In most cases, UID2 participants use a Public Operator.
 
@@ -40,25 +40,19 @@ When you use a Public Operator, there is no additional work for you to do to hos
 
 There is no cost, to the participant, for using a Public Operator.
 
-The participant must sign a contract (see [Account Setup](../getting-started/gs-account-setup.md)) to get the applicable credentials ([API key and client secret](../getting-started/gs-credentials.md#api-key-and-client-secret)) to use the UID2 APIs hosted on the Public Operator.
+The participant must sign a contract (see [Account Setup](../getting-started/gs-account-setup.md)) to get the applicable credentials (see [UID2 Credentials](../getting-started/gs-credentials.md)) to use the UID2 APIs hosted on the Public Operator.
 
 :::note
 With a Public Operator, data leaves the participant's infrastructure and is sent to the Operator. Rigorous security measures are in place to help protect the data within the Public Operator.
 :::
 
 ##  Private Operators
 
-A Private Operator, or Closed Operator, is a private instance of the UID2 Operator. This means that a specific entity hosts a private instance exclusively for their own use.
+A Private Operator is a private instance of the UID2 Operator. This means that a specific entity hosts a private instance exclusively for their own use.
 
 Any participant can also choose to become a Private Operator to generate and manage their UID2s. However, becoming a Private Operator includes several additional steps, and uses resources that the participant must provide.
 
-The participant must host, configure, maintain, and update the Private Operator instance, and must conform to strict security measures. Engineering resources are required to integrate and to make ongoing updates.
-
-The participant must sign a contract (see [Account Setup](../getting-started/gs-account-setup.md)) to host a Private Operator instance.
-
-:::note
-A Private Operator has no visibility into the raw UID2s or UID2 tokens processed by a Public Operator or another Private Operator. Each Private Operator is a completely closed infrastructure.
-:::
+For details, see [Private Operator Integrations](../guides/integration-options-private-operator.md).
 
 ## Private Operator: Benefits