News

Azure Confidential Computing Project Getting Added Partner Support

• By Kurt Mackie
• 05/10/2018

Microsoft this week offered a progress report on its Azure confidential computing project, mostly highlighting its partner efforts.

Azure confidential computing aims to ensure that data will be protected "while it's processed in the cloud," according to a Wednesday announcement by Mark Russinovich, chief technology officer of Microsoft Azure. The effort is still at the preview stage since being introduced back in September. The goal of the project is to add assurances for organizations that are reticent about placing data and code on external infrastructures, including Azure public datacenters.

The Azure confidential computing project is still at its initial stages, but Microsoft sees it as becoming "the new norm for all data processing, both in the cloud and on the edge," according to Russinovich.

Microsoft has previously explained that Azure encrypts data in transit and at rest. Azure confidential computing would add protections for processed data, specifically against malicious insiders with administrative access, malware, external hackers and any third parties that may have access.

Microsoft is aligning Azure confidential computing with its "Confidential Cloud vision," which has the following characteristics, according to Russinovich:

• Top data breach threats are mitigated
• Data is fully in the control of the customer regardless of whether in rest, transit, or use and even though the infrastructure is not
• Code running in the cloud is protected and verifiable by the customer
• Data and code are opaque to the cloud platform, or put another way the cloud platform is outside of the trusted computing base

Confidential computing uses a Trusted Execution Environment (TEE) or "enclave," as manifested in either software or hardware, to prevent outside parties from viewing data stored on Azure. The software TEE part is known as Microsoft's Virtualization Based Security solution, formerly called "Virtual Secure Mode," based on the Hyper-V hypervisor. The hardware TEE part is Intel's SGX solution based on the CPU.

In updating the Azure confidential computing efforts, Microsoft announced this week that it is now using Intel Xeon processors with SGX technology in its Azure East U.S. region. It's also "introducing a new family of virtual machines (DC-Series)" that uses this Intel technology.

In addition, Microsoft is working with partners to support a consistent API for TEEs across both Linux and Windows "so that confidential application code is portable." Right now, it's possible to build C or C++ applications using Intel's SGX software development kit.

Microsoft also is partnering with chip vendors to verify or "attest" code running in TEEs, although it didn't provide details.

Confidential computing efforts also are associated with Microsoft's "Confidential Consortium Blockchain Framework" and the SQL Server Always Encrypted feature. Microsoft is also working on support for "secure multiparty machine learning scenarios," and other research to "harden" TEE applications, Russinovich explained.

Signing up for the Azure confidential computing preview entails filling out a survey. It's accessed at this page.