News

Microsoft Expands Previews of Azure Confidential Computing and DC-Series VMs

• By Kurt Mackie
• 10/11/2018

Microsoft on Wednesday announced a public preview of Azure confidential computing, which previously had been at the more restricted "Early Access" preview stage about a year ago.

Azure confidential computing is part of Microsoft's "Confidential Cloud" security approach. This approach aims to gain the trust of organizations to use Microsoft's Azure datacenter infrastructure ("the cloud") for their operations. The new confidential computing preview adds security while Azure customer data is in use. Microsoft already provides security for Azure customer data while in transit and "at rest."

Azure confidential computing represents "the final piece to enable data protection through its lifecycle whether at rest, in transit, or in use," explained Christine Avanessians, a principal program manager for Azure, in Microsoft's announcement.

Azure DC-Series
Avanessians simultaneously announced a public preview of the Azure DC-Series virtual machines in "US East and Europe West" Azure regions. The DC-Series virtual machines are related to Azure confidential computing because they support "hardware-based Trusted Execution Environments" (TEEs), specifically right now using Intel Xeon processors with Intel's Software Guard Extensions (SGX) protection. TEEs, also called "enclaves," are a key element because they are used to prevent outside parties from seeing data stored on Azure infrastructure.

The previews of the Azure DC-Series are "the first set of Generation 2 virtual machines" available on Azure, Avanessians noted. Microsoft worked with its partners to enable support for Ubuntu Server 16.04 and Windows Server 2016 Datacenter with these Generation-2 VMs, she added. Custom images aren't supported yet.

Testers get access to these Azure DC-Series VMs though the Azure Marketplace, according to a description by Aidan Finn, a Microsoft Most Valuable Professional. He outlined that approach in a blog post.

In addition to the hardware-based TEEs, Microsoft offers a software version for use with Azure confidential computing. The software version, based on the Hyper-V hypervisor, is called "Virtualization Based Security" (formerly known as "Virtual Secure Mode"), as Microsoft has previously explained.

Open Enclave SDK
On top of the Azure confidential computing and DC-Series VM previews, Avanessians announced that Microsoft has published its Open Enclave software development kit (SDK) as open source code on GitHub. Developers can use the APIs in the Open Enclave SDK, currently at version 0.4, to build "enclave applications." The SDK currently supports "Intel SGX technology for C/C++ applications, using mBedTLS," she indicated. The SDK will get future support for Arm TrustZone, Windows and "additional runtimes," she promised.

The aim of the Open Enclave SDK is to support building TEE-based applications across platforms.

"As TEE technology matures and as different implementations arise, the Open Enclave SDK is committed to supporting an API set that allows developers to build once and deploy on multiple technology platforms, different environments from cloud to hybrid to edge, and for both Linux and Windows," the Open Enclave's landing page explained.

Microsoft's announcement described some early partner-built applications that are leveraging the Azure confidential computing platform. The Royal Bank of Canada is testing the ability to "share and analyze data across different institutions, while maintaining security and confidentiality." The company Ockam is using Azure confidential computing capabilities to support a public blockchain solution.