Azure confidential computing
Last September, I had the privilege to publicly announce our Azure confidential computing efforts, where Microsoft Azure became the first cloud platform to enable new data security capabilities that protect customer data while in use. The Azure team, alongside Microsoft Research, Intel, Windows, and our Developer Tools group, have been working together to bring Trusted Execution Environments (TEEs) such as Intel SGX and Virtualization Based Security (VBS – previously known as Virtual Secure mode) to the cloud. TEEs protect data being processed from access outside the TEE. We’re ready to share more details about our confidential cloud vision and the work we’ve done since the announcement.
Many companies are moving their mission critical workloads and data to the cloud, and the security benefits that public clouds provide is in many cases accelerating that adoption. In their 2017 CloudView study, International Data Corporation (IDC) found that ‘improving security’ was one of the top drivers for companies to move to the cloud. However, security concerns still remain a commonly cited blocker for moving extremely sensitive IP and data scenarios to the cloud. Cloud Security Alliance (CSA) recently published the latest version of its Treacherous 12 Threats to Cloud Computing report. Not surprisingly, data breach ranked among the top cloud threats, and they included three additional data security concerns, specifically breaches caused by system vulnerabilities, malicious insiders, and shared technology vulnerabilities.
Azure Confidential Computing is aimed at protecting data while it’s processed in the cloud. It is the cornerstone of our ‘Confidential Cloud’ vision, which includes the following principles:
- Top data breach threats are mitigated
- Data is fully in the control of the customer regardless of whether in rest, transit, or use and even though the infrastructure is not
- Code running in the cloud is protected and verifiable by the customer
- Data and code are opaque to the cloud platform, or put another way the cloud platform is outside of the trusted computing base
While today this technology may be applied to a subset of data processing scenarios, we expect as it matures that it will become the new norm for all data processing, both in the cloud and on the edge.
Delivering on this vision requires us to innovate across hardware, software, and services that support confidential computing:
- Hardware: Over the past several years, we have worked closely with silicon partners to add features that isolate applications during computation and to make those features accessible in multiple operating systems. Through our close partnership, we are making the latest Intel secure enclave innovations available to customers as soon as they are ready.
We are excited to announce availability of the latest generation of Intel Xeon Processors with Intel SGX technology in our East US Azure region. You will have access to hardware-based features and functionality in the cloud, before it is broadly available on-premise.
- Compute: We are extending our Azure compute platform to deploy and manage compute instances that are enabled with TEEs.
We are introducing a new family of virtual machines (DC-series) that are enabled with the latest generation of Intel Xeon Processors with Intel SGX technology. With this release, you are able to run SGX-enabled applications in the cloud to protect the confidentiality and integrity of your code and data.
- Development: We are working closely with partners to drive an API for Windows and Linux that is consistent across TEEs, both hardware and software-based, so that confidential application code is portable. In addition, we’re working on tooling and debugging support for developing and testing confidential applications.
You are able to build C/C++ applications with the Intel SGX SDK and additional enclave APIs.
- Attestation: Verifying the identity of code running in TEEs is necessary to establish trust with that code to determine whether to release secrets to it. We are partnering with silicon vendors to design and host attestation services that make verification simple and highly available.
- Services/Use cases: Virtual machines provide the building block on top of which to enable new secure business scenarios and use cases. We are actively working across Microsoft to develop services and products that leverage confidential computing, including:
- Protecting data confidentiality and integrity through SQL Server Always Encrypted
- Creating a trusted distributed network among a set of untrusted participants with our Confidential Consortium Blockchain Framework for highly scalable and confidential blockchain networks
- Confidentially combining multiple data sources to support secure multi-party machine learning scenarios
- Research: Microsoft Research has been working closely with the Azure team and silicon partners to identify and prevent TEE vulnerabilities. For example, we are actively researching advanced techniques to harden TEE application to prevent information leaks outside the TEE, both direct or indirect. We will bring this research to market in the form of tooling and runtimes for your use in developing confidential code.
You can sign up today to request preview access to get started with our confidential compute platform, software, tooling, and developer community. Join us in building cloud applications and services that mitigate against the ‘treacherous threats of cloud computing’. We look forward to hearing your feedback and partnering with you to build the future of confidential cloud computing.