Microsoft Previews New Azure Security Services

In a move aimed at reassuring organizations wary of placing their data and code on outside infrastructure, Microsoft this week released previews of two new Azure security solutions.

One, called Azure "confidential computing," provides protections for data when it gets processed "in the clear" from Microsoft's datacenters, according to an announcement by Mark Russinovich, chief technology officer for Azure. Microsoft already provides encryption to protect data when it's stored "at rest" on Azure infrastructure.

The second is Azure Active Directory Managed Service Identity, a free resource for developers so that they don't have to deal with code credentials when tapping Azure services.

Confidential Computing Preview
Azure confidential computing protects Azure data against the following possible threats, according to Microsoft's announcement:

  • Malicious insiders with administrative privilege or direct access to hardware on which it is being processed
  • Hackers and malware that exploit bugs in the operating system, application, or hypervisor
  • Third parties accessing it without the data owner's consent

Azure datacenters already have internal physical security for the data housed there, but the confidential computing element uses a so-called Trusted Execution Environment (TEE) to prevent outside parties from viewing the data while it is being processed, "even with a debugger," Microsoft's announcement claimed. The TEE, which Microsoft also refers to as an "enclave," will check the code trying to access the data and will disable operations "if the code is altered or tampered."

Microsoft currently has two TEE options for the confidential computing scheme. There's a pure software version known as "Virtual Secure Mode" that uses Hyper-V in Windows 10 and Windows Server 2016. The other TEE option is the hardware-based Intel Software Guard Extensions (SGX) solution, which leverages the CPU. Microsoft is working with other parties as well to develop other TEEs.

The TEE or enclave technology is already being used as part of Microsoft's Coco Framework for blockchain electronic ledgers, and that same technology protects "Azure SQL Database and SQL Server," too. It's an "enhancement of our Always Encrypted capability," Russinovich explained. For those who like diagrams, Russinovich explained the Coco Framework in this Microsoft Channel 9 video.

Confidential computing is currently available only to organizations that are part of Microsoft's "Early Access" program, so it's still at the test level. Organizations have to fill out a survey to join the program.

Managed Service Identity Preview
The preview of Azure AD Managed Service Identity is designed as an aid for developers so that they won't have to manage security credentials when their code uses various Microsoft Azure services. It creates a so-called "bootstrap identity." Using it, developers don't have to directly access the credentials stored in Azure Key Vault or put credentials in code, Microsoft's announcement explained.

Microsoft currently offers Managed Service Identity previews for different Azure services, including Azure Virtual Machines (both Linux and Windows), as well as the Azure App Service and Azure Functions. The previews are rolling out gradually worldwide, so they may not be immediately available, a Microsoft document noted.
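As an added illustration of the pattern the announcement describes (this is not code from the article or from Microsoft), the flow below shows an application on an Azure VM obtaining a token from the instance metadata managed identity endpoint, which requires no stored credential, and then using that token to read a Key Vault secret. The IMDS URL, the API versions and the fake HTTP responses are assumptions or constructed values, not taken from the page.

```python
import json
import urllib.parse
import urllib.request

# Azure Instance Metadata Service (IMDS) managed identity endpoint. It is link-local
# and only reachable from inside the VM (assumed here; not mentioned in the article).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def build_token_request(resource=KEY_VAULT_RESOURCE):
    """Build the IMDS token request: no client secret or certificate appears anywhere."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    # IMDS requires the Metadata header; among other things it refuses requests that
    # arrive through a redirect, which lacks the header.
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def build_secret_request(vault_name, secret_name, access_token):
    """Build the Key Vault data-plane call, authorised only by the managed identity token."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.0"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def read_secret(vault_name, secret_name, http_get=None):
    """Fetch a token from IMDS, then the secret. http_get is injectable for offline runs."""
    http_get = http_get or (lambda req: urllib.request.urlopen(req, timeout=5).read())
    token_doc = json.loads(http_get(build_token_request()))
    secret_req = build_secret_request(vault_name, secret_name, token_doc["access_token"])
    return json.loads(http_get(secret_req))["value"]


def fake_http_get(req):
    """Constructed stand-in for IMDS and Key Vault so the whole flow runs offline."""
    if req.full_url.startswith(IMDS_TOKEN_URL):
        assert req.get_header("Metadata") == "true", "IMDS rejects requests without Metadata: true"
        return b'{"access_token": "constructed-token", "expires_on": "1600000000", "token_type": "Bearer"}'
    assert req.get_header("Authorization") == "Bearer constructed-token"
    return b'{"value": "db-password-constructed", "id": "https://example-vault.vault.azure.net/secrets/db-password/1"}'


if __name__ == "__main__":
    print(read_secret("example-vault", "db-password", http_get=fake_http_get))
```

Dropping `http_get=fake_http_get` makes the same code talk to the real IMDS and Key Vault endpoints from inside a VM that has a managed identity with read access to the vault.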

Microsoft's announcement promised that Azure AD Managed Service Identity is slated to be part of the free tier of Azure AD subscriptions, so there'll be no cost for using it.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
