Microsoft Previews New Azure Security Services

In a move aimed at reassuring organizations wary of placing their data and code on outside infrastructure, Microsoft this week released previews of two new Azure security solutions.

One, called Azure "confidential computing," protects data while it is being processed "in the clear" in Microsoft's datacenters, according to an announcement by Mark Russinovich, chief technology officer for Azure. Microsoft already provides encryption to protect data while it is stored "at rest" on Azure infrastructure.

The second is Azure Active Directory Managed Service Identity, a free resource for developers so that they don't have to deal with code credentials when tapping Azure services.

Confidential Computing Preview
Azure confidential computing protects Azure data against the following possible threats, according to Microsoft's announcement:

  • Malicious insiders with administrative privilege or direct access to hardware on which it is being processed
  • Hackers and malware that exploit bugs in the operating system, application, or hypervisor
  • Third parties accessing it without their consent

Azure datacenters already have physical security for the data housed there, but the confidential computing element uses a so-called Trusted Execution Environment (TEE) to prevent outside parties from viewing the data, "even with a debugger," Microsoft's announcement claimed. The TEE, which Microsoft also refers to as an "enclave," checks the code trying to access the data and disables operations "if the code is altered or tampered."

Microsoft currently offers two TEE options for the confidential computing scheme. One is a software-only version known as "Virtual Secure Mode," which uses Hyper-V in Windows 10 and Windows Server 2016. The other is hardware-based: Intel Software Guard Extensions (SGX), which relies on support in the CPU. Microsoft is also working with other parties to develop additional TEEs.

The TEE or enclave technology is already used in Microsoft's Coco Framework for blockchain electronic ledgers, and the same technology protects "Azure SQL Database and SQL Server," too. It's an "enhancement of our Always Encrypted capability," Russinovich explained. For those who like diagrams, Russinovich explained the Coco Framework in a Microsoft Channel 9 video.

Confidential computing is currently available only to organizations in Microsoft's "Early Access" program, so it is still at the test stage. Interested organizations have to fill out a survey to join the program.

Managed Service Identity Preview
The Azure AD Managed Service Identity preview is designed to spare developers from managing security credentials when their code uses various Microsoft Azure services. It creates a so-called "bootstrap identity." Using it, developers no longer have to handle the credentials stored in Azure Key Vault directly or put credentials in code, Microsoft's announcement explained.

Microsoft currently offers Managed Service Identity previews for different Azure services, including Azure Virtual Machines (both Linux and Windows), as well as the Azure App Service and Azure Functions. The previews are rolling out gradually worldwide, so they may not be immediately available, a Microsoft document noted.
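To make the "no credentials in code" point concrete, here is an added example written for this article; it is not Microsoft's code and not the Azure SDK. It contrasts a client secret embedded in configuration (the pattern a managed identity replaces) with the managed-identity flow, in which code asks a local, platform-provided metadata endpoint for a token and never holds a secret. The endpoint and query shape used here (http://169.254.169.254/metadata/identity/oauth2/token, api-version 2018-02-01, a required `Metadata: true` header) are those of the Azure Instance Metadata Service that today's Azure VM managed identities use; the article does not describe an endpoint, so treat that as an assumption. The sample response and all identifiers are constructed placeholders.

```python
"""Added example: how a managed identity takes credentials out of code.

Constructed for this article; not Microsoft's or the Azure SDK's code.
Assumes the Azure IMDS token endpoint used by current Azure VM managed
identities (an assumption; the article names no endpoint).
"""
import io
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# --- The pattern Managed Service Identity replaces --------------------------
# A client secret baked into configuration or source. Anyone who can read the
# repo, the build log or the container image now holds a working credential.
# (Constructed placeholder values, not real identifiers or secrets.)
INSECURE_CONFIG = {
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "client_secret": "EXAMPLE-secret-do-not-do-this",
}


# --- The managed-identity flow ---------------------------------------------
def build_imds_token_request(resource: str,
                             api_version: str = IMDS_API_VERSION) -> urllib.request.Request:
    """Build the GET a VM sends to obtain a token for `resource`.

    No secret is involved: the platform recognises the calling VM on the
    link-local address and issues a token for the identity bound to it.
    The 'Metadata: true' header is mandatory; IMDS rejects requests without
    it, which stops request-forwarding tricks that cannot set headers.
    """
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return urllib.request.Request(
        f"{IMDS_TOKEN_ENDPOINT}?{query}",
        headers={"Metadata": "true"},
        method="GET",
    )


def parse_token_response(body: bytes, now: Optional[float] = None) -> dict:
    """Validate the JSON IMDS returns and compute the remaining lifetime.

    IMDS returns expires_on as a string of Unix seconds. Anything malformed
    or already expired raises ValueError so a caller never caches a bad token.
    """
    data = json.loads(body)
    for field in ("access_token", "expires_on", "resource", "token_type"):
        if field not in data:
            raise ValueError(f"token response missing {field}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    expires_on = int(data["expires_on"])
    now = time.time() if now is None else now
    if expires_on <= now:
        raise ValueError("token already expired")
    return {
        "access_token": data["access_token"],
        "resource": data["resource"],
        "expires_on": expires_on,
        "seconds_remaining": int(expires_on - now),
    }


def fetch_token(resource: str, opener=urllib.request.urlopen,
                now: Optional[float] = None) -> dict:
    """Request and validate a token for `resource` via IMDS.

    `opener` is injectable so the flow can be exercised off a VM (the
    self-check below passes a fake); in production leave the default.
    """
    request = build_imds_token_request(resource)
    with opener(request, timeout=5) as response:
        body = response.read()
    return parse_token_response(body, now=now)


# Constructed sample shaped like a real IMDS response, with placeholder text.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "EXAMPLE.JWT.PLACEHOLDER",
    "client_id": "22222222-2222-2222-2222-222222222222",
    "expires_in": "3599",
    "expires_on": "1500003599",
    "ext_expires_in": "3599",
    "not_before": "1500000000",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
}).encode()


class FakeImdsOpener:
    """Stand-in for urlopen: records the request and replays a canned body."""

    def __init__(self, body: bytes):
        self.body = body
        self.request = None

    def __call__(self, request, timeout=None):
        self.request = request
        return self

    def __enter__(self):
        return io.BytesIO(self.body)

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    opener = FakeImdsOpener(SAMPLE_IMDS_RESPONSE)
    token = fetch_token("https://vault.azure.net", opener=opener, now=1500000000)
    print(opener.request.full_url, opener.request.get_header("Metadata"))
    print(token["seconds_remaining"])  # 3599
```

The contrast is the whole point: `INSECURE_CONFIG` is what ends up in repositories and build logs, while `fetch_token` carries nothing worth stealing, since the token is short-lived, bound to the VM's identity, and obtained only from inside the VM. Passing the opener as a parameter keeps the flow testable without an Azure VM and makes the expiry handling easy to exercise.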

Microsoft's announcement promised that Azure AD Managed Service Identity is slated to be part of the free tier of Azure AD subscriptions, so there will be no charge for using it.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.