Microsoft Introduces Azure Confidential Computing, Always Encrypted Data

Posted by Augusto Alvarez on September 21, 2017

It should come as no surprise that security improvements, new security features and products are a top priority for most cloud providers. The financial impact of recent breaches is hard to miss, and with it customer distrust of cloud services is rising. Microsoft has just announced Azure Confidential Computing, an approach that keeps data protected while it is in use, not only at rest and in transit.

Diagram: Azure Confidential Computing - Always Encrypted Data scheme

“Assume breach” is Microsoft's main guidance when designing systems and solutions; with that in mind they created the Security Development Lifecycle (SDL), which attaches security design requirements to each phase of product development. The simplest way to describe confidential computing in Azure is that data is protected inside a Trusted Execution Environment (TEE) while it is being processed, so it is never exposed in the clear to the rest of the host.

Mark Russinovich (Microsoft Azure CTO) recently published about confidential computing and its importance around organizations making use of this feature:

“With confidential computing, they can move the data to Azure knowing that it is safe not only at rest but also in use from the following threats:

  • Malicious insiders with administrative privilege or direct access to hardware on which it is being processed
  • Hackers and malware that exploit bugs in the operating system, application, or hypervisor
  • Third parties accessing it without their consent.”

Diagram: Security Development Lifecycle workflow

Technically, confidential computing relies on Trusted Execution Environments (TEEs): isolated environments in which code and data are processed while the rest of the system is unable to read or tamper with them. Microsoft initially supports two TEEs: Virtual Secure Mode and Intel SGX. Virtual Secure Mode (VSM) is a software-based TEE implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code running on the computer or server, as well as local administrators and cloud service administrators, from viewing the contents of the VSM enclave or modifying its execution. The caveat is that VSM's isolation is enforced by the hypervisor, so Hyper-V itself stays inside the trusted computing base: a bug in or compromise of the hypervisor is not something VSM can defend against.

Intel SGX is a hardware-based TEE and adds a further layer: enclave memory is isolated and encrypted by the CPU itself, so the operating system and the hypervisor are outside the trusted computing base. Microsoft is exposing this on SGX-capable servers in the Azure public cloud, and states that it is already working with other hardware and software providers to add more TEEs, giving customers additional security layers to choose from.
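Whether a given host or VM actually exposes SGX can be checked from CPUID. The following probe is an added example written for this post (it is not code from the original article or from Microsoft); the bit positions are the ones Intel documents in the SDM (CPUID.(EAX=07H,ECX=0):EBX[2] for SGX, ECX[30] for launch control, leaf 12H for SGX1/SGX2, maximum enclave size and the EPC sections). It assumes a GCC- or clang-compatible compiler that ships `<cpuid.h>`; the decoders are kept as pure functions so the bit layout can be exercised on constructed register values even on a machine with no SGX at all.

```c
/* sgx_probe.c: decode the CPUID leaves that advertise Intel SGX.
 * Bit positions follow the Intel SDM: CPUID.(EAX=07H,ECX=0):EBX[2] = SGX,
 * CPUID.(EAX=07H,ECX=0):ECX[30] = SGX_LC, CPUID.(EAX=12H,ECX=0):EAX[0]/[1] =
 * SGX1/SGX2, CPUID.(EAX=12H,ECX=0):EDX[15:8] = log2(MaxEnclaveSize_64),
 * CPUID.(EAX=12H,ECX>=2) = EPC sections. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0   /* non-x86 build: decoders still work, probe returns 0 */
#endif

struct sgx_caps {
    int sgx;                 /* SGX leaf and instructions present */
    int sgx_lc;              /* flexible launch control (own launch enclave) */
    int sgx1, sgx2;          /* SGX1 / SGX2 instruction sets */
    uint64_t max_enclave_64; /* largest 64-bit enclave, in bytes */
    uint64_t epc_bytes;      /* total Enclave Page Cache across all sections */
};

/* Pure decoders: the bit positions are the part worth getting right, and
 * these can be checked against constructed register values on any host. */
int decode_leaf7_sgx(uint32_t ebx)    { return (ebx >> 2) & 1; }
int decode_leaf7_sgx_lc(uint32_t ecx) { return (ecx >> 30) & 1; }
int decode_leaf12_sgx1(uint32_t eax)  { return eax & 1; }
int decode_leaf12_sgx2(uint32_t eax)  { return (eax >> 1) & 1; }

uint64_t decode_leaf12_max_enclave_64(uint32_t edx) {
    unsigned log2size = (edx >> 8) & 0xff;   /* EDX[15:8], a log2 value */
    return log2size ? (1ULL << log2size) : 0;
}

/* One EPC sub-leaf (ECX >= 2). EAX[3:0] is the section type: 0 ends the
 * list, 1 is an EPC section. Size is ECX[31:12] (low) and EDX[19:0] (high). */
uint64_t decode_epc_section_size(uint32_t eax, uint32_t ecx, uint32_t edx) {
    if ((eax & 0xf) != 1) return 0;
    return (uint64_t)(ecx & 0xfffff000u) | ((uint64_t)(edx & 0xfffffu) << 32);
}

/* Query the running CPU. Returns 0 when CPUID is unavailable (non-x86 build
 * or leaf 7 not supported), 1 otherwise; caps is zeroed first either way. */
int probe_sgx(struct sgx_caps *c) {
    memset(c, 0, sizeof *c);
#if HAVE_CPUID
    unsigned int a, b, cc, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &cc, &d)) return 0;
    c->sgx = decode_leaf7_sgx(b);
    c->sgx_lc = decode_leaf7_sgx_lc(cc);
    if (!c->sgx) return 1;                 /* leaf 12H is meaningless without it */
    if (!__get_cpuid_count(0x12, 0, &a, &b, &cc, &d)) return 1;
    c->sgx1 = decode_leaf12_sgx1(a);
    c->sgx2 = decode_leaf12_sgx2(a);
    c->max_enclave_64 = decode_leaf12_max_enclave_64(d);
    for (unsigned int sub = 2; sub < 2 + 32; sub++) {   /* bounded walk */
        if (!__get_cpuid_count(0x12, sub, &a, &b, &cc, &d)) break;
        if ((a & 0xf) == 0) break;         /* type 0: no more EPC sections */
        c->epc_bytes += decode_epc_section_size(a, cc, d);
    }
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    struct sgx_caps c;
    if (!probe_sgx(&c)) {
        puts("CPUID leaf 7 unavailable on this build/host");
        return 1;
    }
    printf("SGX: %s  SGX_LC: %s  SGX1: %s  SGX2: %s\n",
           c.sgx ? "yes" : "no", c.sgx_lc ? "yes" : "no",
           c.sgx1 ? "yes" : "no", c.sgx2 ? "yes" : "no");
    printf("max 64-bit enclave: %llu MiB, EPC: %llu MiB\n",
           (unsigned long long)(c.max_enclave_64 >> 20),
           (unsigned long long)(c.epc_bytes >> 20));
    return 0;
}
```

Two things to keep in mind when reading the output. Inside a VM the hypervisor decides which CPUID bits the guest sees, so a clear SGX bit means the platform did not expose SGX to that guest, not necessarily that the physical host lacks it. And CPUID reports what the CPU supports, not whether firmware has enabled it; a set bit still has to be paired with a working SGX driver and SDK before an enclave can be launched.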

Diagram: Azure Confidential Computing - OS / hardware / VM scheme

Russinovich also added to the relevance of confidential computing: “We see broad application of Azure confidential computing across many industries including finance, healthcare, AI, and beyond. In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE. Healthcare organizations can collaborate by sharing their private patient data, like genomic sequences, to gain deeper insights from machine learning across multiple data sets without risk of data being leaked to other organizations.”

Organizations can try these features through the Confidential Computing Early Access program, which provides Azure virtual machines (Windows and Linux) with VSM and SGX TEEs, along with the accompanying tools and SDKs.
