Microsoft has opened an early access program for a new range of Azure security features it calls "confidential computing", which protects data even from staff access with access to hardware.
The new service's chief data protection enhancement is to encrypt data while it's in use, which is meant to offer greater assurance to customers that might have avoided putting their most sensitive data in a public cloud. The service is aimed at organisations, say, in finance and health, that need to share highly sensitive data.
Confidential computing focuses on hardware-based encryption to ensure that when data is required to be processed in the clear, that data sits in a secure enclave or Trusted Execution Environment (TEE). It's implementing what it calls "encryption-in-use" for Azure SQL database and SQL server, which extends existing protections that encrypt data at rest and in transit.
Microsoft is initially supporting Windows Virtual Secure Mode, a software-based TEE implemented by Hyper-V in Windows 10 and Windows Server 2016, and a hardware-based TEE on servers in Azure that support Intel's Software Guard Extensions (SGX). According to Microsoft's CTO, Mark Russinovich, these are the "first SGX-capable servers in the public cloud". It is also working with Intel to support other TEEs.
Intel offers its SGX kit to developers, which allows them to execute application code in protected memory areas. It introduced SGX with its 7th generation Intel Core processors, and Intel Xeon processor E3 v5 chips for data center servers.
"TEEs ensure there is no way to view data or the operations inside from the outside, even with a debugger. They even ensure that only authorized code is permitted to access data. If the code is altered or tampered, the operations are denied and the environment disabled. The TEE enforces these protections throughout the execution of code within it," explained Russinovich.
Confidential computing is meant to shield data against threats from malicious insiders with access to hardware, external attacks that exploit bugs in the OS, application, and hypervisor, and unauthorized third-party access.
The Azure confidential computing expands on Microsoft's use of TEEs for its CoCo framework, its recently announced system for confidential blockchain networks.
It also builds on the already available Always Encrypted database engine, which allows data owners to view the data but prevents those who manage the data from doing so. This feature allows organizations to encrypt data at rest and when in use for storage in Azure.
Russinovich believes Azure confidential computing will be useful to customers sharing finance data, healthcare data, and machine learning research.
"In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE," he notes.
"Healthcare organizations can collaborate by sharing their private patient data, like genomic sequences, to gain deeper insights from machine learning across multiple data sets without risk of data being leaked to other organizations. In oil and gas, and IoT scenarios, sensitive seismic data that represents the core intellectual property of a corporation can be moved to the cloud for processing, but with the protections of encrypted-in-use technology."