A blog about Blockchain technology

Azure Confidential Computing

Security is a key driver in accelerating the adoption of cloud computing, but it’s also a major concern when you’re moving extremely sensitive IP (Intellectual Property) and data to a public cloud. There are consolidated ways to secure data at rest and in transit, but threats may occur also when data is being processed in memory. Confidential computing adds new data security capabilities to your applications by using trusted execution environments (TEEs) and encryption mechanisms to protect your data while in use. TEEs, also known as enclaves, are hardware or software implementations that safeguard data being processed from access outside the enclave. An enclave provides a protected container by securing a portion of the processor and memory. Only authorized code is permitted to run and access data, so code and data are protected against viewing and modification from outside of the TEE.
It’s a matter of trust
With the recent announcement of public availability of Confidential Computing in Azure, Microsoft became the first cloud provider to offer protection of data in use. As well described in the official post on the Azure blog, “[..] Azure confidential computing protects your data while it’s in use. It is the final piece to enable data protection through its lifecycle whether at rest, in transit, or in use. It is the cornerstone of our ‘Confidential Cloud’ vision, which aims to make data and code opaque to the cloud provider.”
The concept of “opaque data and code” is revolutionary. For the first time, we can trust the cloud for no-one, including the cloud provider, can read your data. It’s encrypted at any stage, and only authorized applications have the key to decrypt it and access it. This is obtained in two ways:
  • Hardware: Thanks to a partnership with Intel, Azure can offer hardware-protected virtual machines that run on Intel SGX technology. Intel Software Guard Extensions (SGX) is a set of extensions to the Intel CPU architecture that aims to provide integrity and confidentiality guarantees to sensitive computation performed on a computer, where all the privileged software (kernel, hypervisor, etc.) might potentially be compromised.
  • Hypervisor: Virtualization Based Security (VBS) is a software-based TEE that’s implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code running on the computer or server, as well as local administrators and cloud service administrators from viewing the contents of the enclave or modifying its execution.


The potential applications for confidential computing are really unlimited. Every time there is a requirement for protecting sensitive data, trusted execution environments represent the building blocks on top of which it’s possible to enable new secure business scenarios and use cases. Many industries and technologies can benefit of Azure Confidential Computing. In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE. Healthcare organizations can collaborate by sharing their private patient data, like genomic sequences, to gain deeper insights from machine learning across multiple data sets without risk of data being leaked to other organizations. Combining multiple data sources to support secure multi-party machine learning scenarios allow for organizations to share their datasets confidentially. Machine learning services can obtain a higher accuracy of prediction by working on a larger trained model, but organizations can still preserve their own customers information (data is shared in encrypted format, visible only to the machine learning service). In oil and gas, and IoT scenarios, sensitive seismic data that represents the core intellectual property of a corporation can be moved to the cloud for processing, but with the protections of encrypted-in-use technology.
Another significant application is the creation of a trusted distributed network among a set of untrusted participants. Confidential Consortium Blockchain Framework enables highly scalable and confidential blockchain networks to reside in a public cloud infrastructure and to reap the broad benefits of Azure. Permissioned blockchain networks, that rely on trusted nodes, called validators, to validate transactions, benefit of the Azure confidential compute platform to better verify the chain of trust in a decentralized network. This simplifies consensus and, eventually, transaction processing for high throughput and confidentiality.
For this to happen, applications running in an enclave need:
  1. A common cross-platform API that is consistent across TEEs, both hardware and software-based, so that confidential application code is portable.
  2. Attestation: Verifying the identity of code running in TEEs is necessary to establish trust with that code and determine whether to release protected data to it.
Open Enclave SDK
The Open Enclave SDK is an open source project targeted at creating a single unified enclave abstraction for developers to build TEE-based applications in C and C++ languages. The Open Enclave SDK supports an API set that allows developers to build their application once, and deploy it on multiple platforms (Linux and Windows) and environments, from cloud to hybrid to edge. The Open Enclave SDK is completely open source! The intention is to be a non-vendor specific solution that supports enclave applications both on Linux and Windows platforms. The current implementation of Open Enclave is built on Intel SGX, other enclave architectures, such as solutions from AMD or ARM, will be added in the future.

Go Back