News

Microsoft Lines Up Support for Azure Confidential Computing

• By Kurt Mackie
• May 10, 2018

Microsoft this week put the spotlight on its partners' efforts around its Azure confidential computing project.

In preview since last September, Azure confidential computing is a method for ensuring that data remains protected "while it's processed in the cloud," according to a blog post Wednesday by Mark Russinovich, chief technology officer of Microsoft Azure. The goal of the project is to reassure organizations that are reticent about placing data and code on external infrastructures, including Azure public datacenters.

The Azure confidential computing project is still at its initial stages, but Microsoft sees it as becoming "the new norm for all data processing, both in the cloud and on the edge," according to Russinovich.

Microsoft has previously explained that Azure encrypts data in transit and at rest. Azure confidential computing would add protections for processed data, specifically against malicious insiders with administrative access, malware, external hackers and any third parties that may have access.

Microsoft is aligning Azure confidential computing with its "Confidential Cloud vision," which has the following characteristics, according to Russinovich:

• Top data breach threats are mitigated
• Data is fully in the control of the customer regardless of whether in rest, transit, or use and even though the infrastructure is not
• Code running in the cloud is protected and verifiable by the customer
• Data and code are opaque to the cloud platform, or put another way the cloud platform is outside of the trusted computing base

Confidential computing uses a Trusted Execution Environment (TEE) or "enclave," as manifested in either software or hardware, to prevent outside parties from viewing data stored on Azure. The software TEE part is known as Microsoft's Virtualization Based Security solution, formerly called "Virtual Secure Mode," based on the Hyper-V hypervisor. The hardware TEE part is Intel's SGX solution based on the CPU.

In updating the Azure confidential computing efforts, Microsoft announced this week that it is now using Intel Xeon processors with SGX technology in its Azure East U.S. region. It's also "introducing a new family of virtual machines (DC-Series)" that uses this Intel technology.

In addition, Microsoft is working with partners to support a consistent API for TEEs across both Linux and Windows "so that confidential application code is portable." Right now, it's possible to build C or C++ applications using Intel's SGX software development kit.

Microsoft also is partnering with chip vendors to verify or "attest" code running in TEEs, although it didn't provide details.

Confidential computing efforts also are associated with Microsoft's "Confidential Consortium Blockchain Framework" and the SQL Server Always Encrypted feature. Microsoft is also working on support for "secure multiparty machine learning scenarios," and other research to "harden" TEE applications, Russinovich explained.

Signing up for the Azure confidential computing preview entails filling out a survey. It's accessed at this page.