Microsoft Commercially Releases Azure Attestation Service

Microsoft announced on Friday that its Azure Attestation service is now commercially released, or "generally available."

The Azure Attestation service is part of Microsoft's confidential computing effort, which aims to give customers technical protections and verifiable assurances about the security of the cloud services they use. What Azure Attestation specifically attests is the trustworthiness of the environment in which data is processed in memory on virtual machines.

Microsoft regards protecting data while it is being processed as the last piece of the cloud security puzzle. Azure services already protect data in transit and at rest.

The technical protections enabled by confidential computing are based on Trusted Execution Environment (TEE) components, also called "enclaves." A TEE can be either hardware- or software-based. Intel's Software Guard Extensions (SGX) is an example of a hardware-based TEE, while Virtualization-Based Security, built on Microsoft's Hyper-V hypervisor, is Microsoft's software-based TEE.

A TEE isolates the code and data it hosts from everything else on the machine, and attestation lets a party outside the enclave verify what code was loaded into it. If that code has been altered or tampered with, its measurement no longer matches and the operation is refused. This is offered as an assurance against malicious insiders with administrative access privileges, and against vulnerabilities in the operating system, hypervisor or application that attackers might try to exploit. A third use case is protecting the intellectual property in code that gets processed in the cloud.

Cryptographic tokens are used with the Azure Attestation service to provide such assurances. Here's how the announcement described that process:

Azure Attestation receives evidence from an environment, validates it with Azure security standards and user-defined policies, and produces cryptographic proofs (termed as attestation tokens) for claims-based applications. These tokens enable relying parties to gain confidence in the trustworthiness of the environment and the integrity of the software binaries running inside it, and to make trust-based decisions to release sensitive data to it. The tokens generated by Azure Attestation can be consumed by services in scenarios such as enclave validation, secure key sharing, confidential multi-party computation etc.
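What the relying-party side of that process looks like in practice, as an added example that is not Microsoft's code and not part of the announcement: a Go program, using only the standard library, in which a stand-in for the attestation service issues an RS256-signed JWT over the claims, and a relying party verifies the signature, pins the algorithm, and then enforces its own release policy on the measurement claims before it would hand over a secret. The issuer URL, the locally generated RSA key that stands in for the service's published signing key, and every claim value are constructed for the example; the x-ms-sgx-* claim names are an assumption taken from Azure Attestation's documented SGX claim set, which the article itself does not list.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of an SGX attestation token a relying party acts on. The x-ms-* names are an assumption taken from Azure Attestation's documented SGX claim set.
type Claims struct {
	Issuer       string `json:"iss"`
	Expiry       int64  `json:"exp"`
	MrSigner     string `json:"x-ms-sgx-mrsigner"`
	IsDebuggable bool   `json:"x-ms-sgx-is-debuggable"`
	SVN          int    `json:"x-ms-sgx-svn"`
}

// Policy is what the relying party insists on before releasing a secret: a trusted issuer, the hex digest of the expected enclave signing key, and a minimum enclave security version.
type Policy struct{ Issuer, MrSigner string; MinSVN int }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken stands in for the attestation service and issues an RS256 JWT over the claims. The real
// service signs with keys published at its JWKS endpoint; here a locally generated key pair plays that role.
func SignToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// VerifyToken is the relying-party side: signature first, then every claim the policy cares about.
// Any failure means the secret stays unreleased.
func VerifyToken(token string, pub *rsa.PublicKey, p Policy, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm instead of dispatching on the header: libraries that trust "alg" are where "none" and RSA-to-HMAC confusion bugs come from.
	var hdr struct{ Alg string `json:"alg"` }
	hdrRaw, _ := base64.RawURLEncoding.DecodeString(parts[0])
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a bad encoding simply fails to verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var c Claims
	body, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != p.Issuer:
		return nil, fmt.Errorf("issuer %q not trusted", c.Issuer)
	case now >= c.Expiry:
		return nil, errors.New("token expired")
	case c.IsDebuggable:
		return nil, errors.New("debug enclave: its memory is readable by the host")
	case !strings.EqualFold(c.MrSigner, p.MrSigner):
		return nil, errors.New("enclave signer does not match policy")
	case c.SVN < p.MinSVN:
		return nil, fmt.Errorf("enclave SVN %d below policy minimum %d", c.SVN, p.MinSVN)
	}
	return &c, nil
}

// Scenarios issues a genuine token plus variants a relying party must reject and records the outcome
// for each; a nil error means the secret would be released. All claim values are constructed.
func Scenarios() map[string]error {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const now int64 = 1600000000
	policy := Policy{Issuer: "https://example.attest.azure.net", MrSigner: strings.Repeat("ab", 32), MinSVN: 3}
	good := Claims{Issuer: policy.Issuer, Expiry: now + 600, MrSigner: policy.MrSigner, SVN: 3}
	debug, stale := good, good
	debug.IsDebuggable, stale.SVN = true, 2
	results := map[string]error{}
	for name, c := range map[string]Claims{"good": good, "debuggable": debug, "old-svn": stale} {
		tok, _ := SignToken(priv, c)
		_, results[name] = VerifyToken(tok, &priv.PublicKey, policy, now)
	}
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // same claims, signed by a key the relying party does not trust
	tok, _ := SignToken(other, good)
	_, results["forged"] = VerifyToken(tok, &priv.PublicKey, policy, now)
	return results
}

func main() { fmt.Println(Scenarios()) }
```

Against a real attestation provider the public key would be fetched from its JWKS endpoint and selected by the token's key ID, and the policy would pin whichever of the measurement claims the application cares about. The point the scenarios make is that a valid signature alone releases nothing: the debug-enabled and stale-SVN tokens are signed by the trusted key yet are still refused, because the release decision is the relying party's policy, not the token's.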

Microsoft is claiming that the Azure Attestation service will provide "a unified solution for attesting" and that it will be used across multiple Azure services, including "Confidential Containers, Confidential VMs, IOT edge devices and more."

Microsoft began previewing its Azure confidential computing efforts more than four years ago. It's not been alone in its efforts. In 2019, Microsoft joined the Linux Foundation's Confidential Computing Consortium, which also included participation from Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Red Hat, Swisscom and Tencent.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

