Cloud security: Microsoft Azure's SGX VMs hit GA, Google's Shielded VM is now default

Google and Microsoft make headway in bringing secure cloud computing to customers handling regulated data.
Written by Liam Tung, Contributing Writer

Microsoft and Google have announced updates to their respective virtual-machine (VM) instances for highly confidential information to be processed in Microsoft Azure and Google Compute Engine.  

Microsoft has moved its Azure DCsv2-Series VMs to general availability. The VMs feature hardware-based trusted execution environments (TEE) that are based on Intel's SGX or Software Guard eXtensions. 

TEEs – also known as secure enclaves – are isolated from the host operating system and hypervisor, and are located in a part of the CPU with its own memory. 

SEE: Cloud v. data center decision (ZDNet special report) | Download the report as a PDF (TechRepublic)

In theory, this means that a hypervisor and people with physical access to cloud servers, such as a cloud admin or workers in a data center, can't access data actively being processed in a TEE. It offers an additional protection to encryption of data at rest and in transit. 

While SGX makes it very difficult to run malware in a secure enclave, researchers have found ways a person with physical access can tamper with data stored inside SGX.     

The feature is likely to be of interest to private sector and government organizations that process financial data, healthcare and intelligence data. 

Microsoft Azure chief technology officer Mark Russinovich says the feature can, for example, be used to securely blend transaction data from multiple banks to detect fraud and money laundering. 

"By combining the scalability of the cloud and ability to encrypt data while in use, new scenarios are possible now in Azure, like confidential multi-party computation where different organizations combine their datasets for compute-intensive analysis without being able to access each other's data," Russinovich said. 

He picked a few choice customers that are using Azure's so-called "confidential computing", including Signal, which is widely considered to be the most secure end-to-end messaging app. 

Jim O'Leary, VP of engineering at Signal, said his company uses Azure confidential computing to provide scalable, secure environments for its services. 

Another is cryptocurrency company MobileCoin, which in a 2017 white paper said it uses Intel SGX but doesn't rely solely on it for maintaining transaction privacy. 

"Confidential computing rides the edge between what we can imagine and what we can protect. The praxis we've experienced with Azure allows us to commit to systems that are integral, high trust, and performant," said MobileCoin CEO Joshua Goldbard. 

SEE: Google open sources Private Join and Compute, a tool for sharing confidential data sets

Google meanwhile this week made its Unified Extensible Firmware Interface (UEFI) and Shielded VM the default for all Google Compute Engine users for free. The feature helps ensure that VMs boot with a verified bootloader and kernel.  

The Shielded VM offers protection from malicious guest system firmware, UEFI extensions, and drivers; a persistent boot and kernel compromise in the guest OS; and VM-based secret exfiltration and replay. 

Shielded VM is available for customers using CentOS, Google's Container-Optimized OS, CoreOS, Debian, RHEL, Ubuntu, SUSE Linux Enterprise Server, Windows Server, and SQL Server on Windows Server images.  

Google notes that VM-based Google Cloud Services are using Shielded VM, including Cloud SQL, Google Kubernetes Engine, Kaggle, and Managed Service for Microsoft Active Directory.

Editorial standards