Microsoft updates progress on Azure confidential computing project
Microsoft updated progress on its Azure confidential computing project, which aims to add assurances for organizations uncomfortable about placing data and code on external infrastructures, including Azure public datacenters.
With Azure confidential computing, data will be protected "while it's processed in the cloud," according to recent announcement by Mark Russinovich, chief technology officer of Microsoft Azure.
The effort is still at the preview stage since being introduced back in September, but Microsoft sees it as becoming "the new norm for all data processing, both in the cloud and on the edge," according to Russinovich.
Microsoft has previously explained that Azure encrypts data in transit and at rest. Azure confidential computing would add protections for processed data, specifically against malicious insiders with administrative access, malware, external hackers and any third parties that may have access.
Microsoft is aligning Azure confidential computing with its "Confidential Cloud vision," which has the following characteristics, according to Russinovich:
- Top data breach threats are mitigated
- Data is fully in the control of the customer regardless of whether in rest, transit, or use and even though the infrastructure is not
- Code running in the cloud is protected and verifiable by the customer
- Data and code are opaque to the cloud platform, or put another way the cloud platform is outside of the trusted computing base
Confidential computing uses a Trusted Execution Environment (TEE) or "enclave," as manifested in either software or hardware, to prevent outside parties from viewing data stored on Azure. The software TEE part is known as Microsoft's Virtualization Based Security solution, formerly called "Virtual Secure Mode," based on the Hyper-V hypervisor. The hardware TEE part is Intel's SGX solution based on the CPU.
In updating the Azure confidential computing efforts, Microsoft announced this week that it is now using Intel Xeon processors with SGX technology in its Azure East U.S. region. It's also "introducing a new family of virtual machines (DC-Series)" that uses this Intel technology.
In addition, Microsoft is working with partners to support a consistent API for TEEs across both Linux and Windows "so that confidential application code is portable." Right now, it's possible to build C or C++ applications using Intel's SGX software development kit.
Microsoft also is partnering with chip vendors to verify or "attest" code running in TEEs, although it didn't provide details.
Confidential computing efforts also are associated with Microsoft's "Confidential Consortium Blockchain Framework" and the SQL Server Always Encrypted feature. Microsoft is also working on support for "secure multiparty machine learning scenarios," and other research to "harden" TEE applications, Russinovich explained.
Signing up for the Azure confidential computing preview entails filling out a survey. It's accessed at this page.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.