A blog about Blockchain technology

Microsoft announced Azure Confidential Computing

Microsoft has announced that Azure is the first public cloud to offer a set of data-security features and services called Azure Confidential Computing. Confidential computing adds a protection that public clouds have so far lacked: encryption of data while it is in use. Data is protected not only at rest and in transit, but also while it is actually being processed in memory by an application. This means that data can be processed in the cloud with the assurance that it remains under the customer's control throughout.
Confidential Computing
Data breaches are virtually daily news events, with attackers gaining access to sensitive information, financial data, and corporate intellectual property. While many breaches are the result of poorly configured access control, most can be traced to data that is reached while in use, either through administrative accounts or by using compromised keys to decrypt data that was encrypted at rest. Despite advanced cybersecurity controls and mitigations, some customers are reluctant to move their most sensitive data to the cloud for fear of attacks against that data while it is in use. With confidential computing, they can move the data to Azure knowing that it is protected not only at rest, but also in use, from the following threats:
  • Malicious insiders with administrative privilege or direct access to hardware on which it is being processed.
  • Hackers and malware that exploit bugs in the operating system, application, or hypervisor.
  • Third parties accessing it without the customer's consent.

Confidential computing ensures that when data is "in the clear", which is required for efficient processing, it is protected inside a Trusted Execution Environment (TEE), also known as an enclave. A TEE is designed so that data inside it cannot be read from outside, not even with a debugger attached on the host, and so that only authorized code can access the data: the enclave's code is measured (hashed) when it is loaded, and a data owner releases secrets to it only after remote attestation shows that the measurement matches the code they expect. If the code has been altered or tampered with, its measurement changes, attestation fails, and the data is never handed over. The TEE enforces these protections throughout the execution of the code within it. What a TEE does not do is protect against bugs in the enclave code itself: code that runs inside the enclave can still leak whatever it has been given, so the enclave code has to be reviewed as carefully as any other component that handles plaintext.
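The attestation-gated release described above, as an added example that is not code from the original post or from Microsoft. It is a toy model: the hardware's asymmetric attestation key is replaced by an HMAC secret shared between the simulated platform and the verifier, the stream cipher is an HMAC keystream rather than AES-GCM, and the channel between enclave and verifier is assumed confidential. The enclave image and the encrypted records are constructed sample data. The model shows the three checks a verifier makes before releasing a key (the quote is genuine, it answers a fresh challenge, and the measurement matches the expected code) and that a tampered build is refused.

```python
"""Attestation-gated key release: a toy model of the TEE property that only
code with the expected measurement gets access to data in use."""
import hashlib
import hmac
import secrets

# Assumption: the vendor's attestation signing key is modelled as an HMAC secret
# shared by the platform and the verifier (real hardware uses an asymmetric key).
PLATFORM_ATTESTATION_KEY = secrets.token_bytes(32)


def measure(enclave_code: bytes) -> bytes:
    """Measurement of the loaded enclave (cf. SGX MRENCLAVE): a hash of its code."""
    return hashlib.sha256(enclave_code).digest()


def bind_nonce(nonce: bytes) -> bytes:
    """What the enclave places in the quote's report data to prove freshness."""
    return hashlib.sha256(nonce).digest()


def issue_quote(enclave_code: bytes, report_data: bytes) -> dict:
    """The platform authenticates (measurement, report_data) so a remote party can
    check which code is running and that the quote answers its own challenge."""
    m = measure(enclave_code)
    tag = hmac.new(PLATFORM_ATTESTATION_KEY, m + report_data, hashlib.sha256).digest()
    return {"measurement": m, "report_data": report_data, "tag": tag}


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC keystream XOR), illustration only, not AES-GCM.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, iv + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class KeyReleaseService:
    """Runs on the customer's side, outside the cloud. Holds the data key and
    hands it out only to an enclave that proves it runs the expected code."""

    def __init__(self, expected_code: bytes, data_key: bytes):
        self.expected_measurement = measure(expected_code)
        self.data_key = data_key
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def release_key(self, quote: dict, nonce: bytes):
        # 1. The quote must come from the platform, not from host software.
        expected_tag = hmac.new(PLATFORM_ATTESTATION_KEY,
                                quote["measurement"] + quote["report_data"],
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, quote["tag"]):
            return None, "quote not issued by the trusted platform"
        # 2. The quote must answer a challenge we issued and not have been used before.
        if nonce not in self._outstanding or \
                not hmac.compare_digest(quote["report_data"], bind_nonce(nonce)):
            return None, "stale or replayed quote"
        self._outstanding.discard(nonce)
        # 3. Only the exact expected code gets the key: any change alters the hash.
        if not hmac.compare_digest(quote["measurement"], self.expected_measurement):
            return None, "enclave code does not match expected measurement"
        return self.data_key, "released"


def enclave_process(enclave_code: bytes, service: KeyReleaseService,
                    ciphertext: bytes, iv: bytes):
    """Simulated enclave: attest, obtain the key, decrypt only inside, and
    return an aggregate rather than the plaintext records."""
    nonce = service.challenge()
    quote = issue_quote(enclave_code, bind_nonce(nonce))
    key, reason = service.release_key(quote, nonce)
    if key is None:
        return None, reason
    plaintext = keystream_xor(key, iv, ciphertext)
    total = sum(int(v) for v in plaintext.decode().split(","))
    return total, reason


def demo():
    """A genuine enclave gets the key and a result; a tampered build is refused."""
    customer_key = secrets.token_bytes(32)
    iv = secrets.token_bytes(16)
    records = b"120,340,560"  # constructed sample, encrypted by the customer before upload
    ciphertext = keystream_xor(customer_key, iv, records)
    trusted_code = b"def aggregate(rows): return sum(rows)"  # constructed enclave image
    service = KeyReleaseService(trusted_code, customer_key)
    genuine = enclave_process(trusted_code, service, ciphertext, iv)
    tampered = enclave_process(trusted_code + b"  # exfiltrate rows", service, ciphertext, iv)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())  # ((1020, 'released'), (None, 'enclave code does not match expected measurement'))
```

The nonce bookkeeping is the part most often skipped in hand-rolled verifiers: without it a host administrator could capture one valid quote from the genuine enclave and replay it on behalf of a modified one.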

With Azure Confidential Computing, Microsoft is developing a platform that enables developers to take advantage of different TEEs without having to change their code. Initial support is planned for the following TEEs:
  • Virtual Secure Mode: VSM is a software-based TEE implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents code running in the normal operating system, including local administrators and cloud service administrators, from viewing the contents of the VSM enclave or modifying its execution. Because the isolation is enforced by the hypervisor, Hyper-V itself remains part of the trusted computing base.
  • Intel SGX: Intel's hardware-based TEE, for customers who do not want Microsoft's software (the hypervisor and the operating system) in their trust model. The isolation is enforced by the CPU, so only the processor and the enclave code itself need to be trusted.
Always Encrypted
Microsoft already uses enclaves to protect everything from blockchain financial operations, to data stored in SQL Server, to its own infrastructure within Azure. In the blockchain space, Microsoft's confidential computing effort is known as the Coco Framework, an open-source system that enables high-scale, confidential blockchain networks that meet key enterprise requirements. The Coco Framework achieves this by being designed specifically for confidential consortiums, where nodes and actors are explicitly declared and controlled. The same technology is used to implement encryption in use for Azure SQL Database and SQL Server, as an enhancement of the Always Encrypted capability, which ensures that sensitive data within a SQL database can stay encrypted at all times without giving up the functionality of SQL queries. Always Encrypted keeps the encryption keys on the client side, so the database server itself never holds plaintext; computations on the sensitive data are delegated to an enclave inside the server, where the data is safely decrypted, processed, and re-encrypted before any result leaves the enclave.
Beyond SQL Server, Microsoft expects broad application of Azure Confidential Computing across many industries, including finance, healthcare, and AI. In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside a TEE. Healthcare organizations could collaborate by sharing private patient data, such as genomic sequences, to gain deeper insights from machine learning across multiple data sets without the risk of the data being leaked to the other organizations. In oil and gas, and in IoT scenarios, sensitive seismic data that represents a corporation's core intellectual property could be moved to the cloud for processing, but with the protection of encryption in use.
Early Access Program
Customers can try out Azure confidential computing through an Early Access program, which includes access to Azure VSM and SGX-enabled virtual machines, as well as tools, SDKs, and Windows and Linux support to enable any application in the cloud to protect its data while in use.
To sign up for the Azure Confidential Computing Early Access program, submit your request by filling in this form:
