News

Microsoft Previews Azure Confidential Computing and Managed Service Identity Security Protections

• By Kurt Mackie
• 09/15/2017

Microsoft this week announced previews of two new Microsoft Azure security measures that possibly add assurances for organizations wary of trusting their data and code on outside infrastructure.

One of them is called Azure "confidential computing," which provides protections for data when it gets processed "in the clear" from Microsoft's datacenters, according to an announcement by Mark Russinovich, chief technology officer for Microsoft Azure. Microsoft already provides encryption to protect data when it's stored "at rest" on Azure infrastructure.

The other security measure announced at preview is Azure Active Directory Managed Service Identity, a free resource for developers so that they don't have to deal with code credentials when tapping Azure services.

Confidential Computing Preview
Azure confidential computing protects Azure data against the following possible threats, according to Microsoft's announcement:

• Malicious insiders with administrative privilege or direct access to hardware on which it is being processed
• Hackers and malware that exploit bugs in the operating system, application, or hypervisor
• Third parties accessing it without their consent

Typically, Azure datacenters already have internal physical security for the data that's housed there, but the confidential computing element uses a so-called Trusted Execution Environment (TEE) to prevent outside parties from viewing the data stored on Azure, "even with a debugger," Microsoft's announcement claimed. The TEE, which Microsoft also refers to as an "enclave," will check code trying to access the data and will disable operations "if the code is altered or tampered."

Microsoft currently has two TEE options for the confidential computing scheme. There's a pure software version known as "Virtual Secure Mode" that uses Hyper-V in Windows 10 and Windows Server 2016. The other TEE option is the hardware-based Intel Software Guard Extensions (SGX) solution, which leverages the CPU. Microsoft is working with other parties as well to develop other TEEs.

The TEE or enclave technology is already being used as part of Microsoft's Coco Framework for blockchain electronic ledgers, and that same technology protects "Azure SQL Database and SQL Server," too. It's an "enhancement of our Always Encrypted capability," Russinovich explained. For those who like diagrams, Russinovich explained the Coco Framework in this Microsoft Channel 9 video.

Confidential security is currently just available for organizations that are part of Microsoft's "Early Access" program, so it's still at the test level. They have to fill out a survey here to join the program.

Managed Service Identity Preview
The preview of Azure AD Managed Service Identity is designed as an aid for developers such that they won't have to manage security credentials when using code with various Microsoft Azure services. It creates a so-called "bootstrap identity." Using it, developers don't have to directly access the credentials stored in the Azure Key Vault or put credentials in code, Microsoft's announcement explained.

Microsoft currently offers Managed Service Identity previews for different Azure services, including Azure Virtual Machines (both Linux and Windows), as well as the Azure App Service and Azure Functions. The previews are rolling out gradually worldwide, so they may not be immediately available, a Microsoft document noted.

Microsoft's announcement promised that the Azure AD Managed Service Identity is being groomed to be part of the free version of Azure AD subscriptions, so there'll be no cost for using it.