In this Ask the Admin, I’ll provide a brief overview of Microsoft’s Azure Confidential Computing technology and look at how it might help persuade otherwise hesitant organizations to move sensitive data to the cloud.
Persuading organizations to move sensitive data, such as Personally Identifiable Information (PII) and financial data, to the public cloud is a challenge that faces cloud service providers (CSPs). Businesses are reluctant to hand over data where it might be compromised by insiders with administrative privileges to the CSP’s infrastructure, or by hackers who exploit vulnerabilities in hypervisors or operating systems. And because most public clouds are multitenant, i.e., you share the infrastructure with other customers, you don’t have the assurance that data is always under your control.
Microsoft is hoping to address many of these concerns with Azure Confidential Computing (ACC), a new initiative that is currently accessible via an Early Access Program. ACC is the result of four years’ research, and it encrypts data that is in use. Azure already provides encryption for data at rest and over the network, but data must be decrypted in memory so that it can be processed efficiently.
Microsoft’s solution is to protect data in an enclave, or Trusted Execution Environment, as it’s being processed ‘in the clear’. Enclaves ensure that data inside cannot be viewed by anything on the outside, providing access only to authorized code. If the code is tampered with, access to the enclave is denied.
Microsoft Azure Trusted Execution Environment (Image Credit: Russell Smith)
The challenge for Microsoft is to allow businesses to use TEEs without needing to change application code. There are currently two types of TEE. One is based on Microsoft’s Virtual Secure Mode (VSM), which is part of Hyper-V in Windows 10 and Windows Server 2016. VSM is a software-based TEE that prevents local and cloud service administrators from viewing the contents of a VSM enclave or modifying its execution. A hardware-based TEE is also available for customers that don’t want to trust Microsoft or the Azure cloud. Microsoft will be offering the first Intel Software Guard Extensions (SGX) servers in a public cloud. Intel SGX enclaves remain protected even when the BIOS, OS, virtual machine, and drivers are compromised, and can guard against remote attestation challenges. Microsoft will make other TEEs available in Azure in the future.
Enclaves are not new and Microsoft already uses them to protect the Azure fabric. Microsoft also recently announced that its Always Encrypted feature for Azure SQL Database and SQL Server now uses enclaves to process sensitive data.
There is no doubt that security in the cloud is a major concern for many organizations, especially those that are subject to regulatory compliance, such as finance and healthcare. But there are also implications for artificial intelligence (AI) and the Internet of Things (IoT), where accessing sensitive data is key to providing the services of the future.
Most security compromises are down to poor access control and failure to implement best practices, so the human factor in managing security will inevitably lead to data breaches. Consequently, defense-in-depth measures are necessary to make sure there are multiple protections in place.
The encryption of data in use will be a necessary addition if Azure is to provide a platform that can rival Amazon and Google. But security isn’t the only concern, as the value proposition of the cloud isn’t always a foregone conclusion. If Microsoft can continue to address both security and cost issues, Azure is likely to continue its strong march forward against Amazon.
Hopefully you got to see Mark Russinovich’s session at Ignite, Inside Microsoft Azure Datacenter Hardware and Software Architecture, which will provide an insight into Azure’s data center architecture and implementation innovations.
Follow Russell on Twitter @smithrussell.
Copyright ©2019 BWW Media Group