Published: Sat, September 16, 2017
IT | By Lester Massey

Microsoft Azure Confidential Computing keeps your business data secret

Despite cloud platforms becoming a more attractive place for businesses to store their data, research has shown that many companies are still concerned about using them because they are anxious that their customer data and privacy are being put at risk.

Known as Azure Confidential Computing, the service is now in an early access test and aims to provide security for cloud data while it is in use by cloud applications. This means that data can be processed in the cloud with the assurance that it is always under customer control.

The culmination of an over-four-year effort between the Azure, Windows, Microsoft Research, and Developer Tools teams in Redmond, as well as Intel, the software and hardware tool set referred to as Azure confidential computing seeks to alleviate the concerns of those who have yet to move their data to the cloud for fear of breaches.

Azure confidential computing can also protect Microsoft. The confidential computing platform is aimed at reassuring customers that their data will be protected from hacking, spying, and secret warrants and subpoenas. Companies with those concerns have been storing their data on their own networks rather than with the big cloud providers such as Microsoft, Alphabet Inc.'s Google and market leader Amazon.com Inc.

Confidential computing ensures that when data is "in the clear", which is required for efficient processing, the data is protected inside a Trusted Execution Environment (TEE, also known as an enclave), an example of which is shown in the figure below. Even in the case of an attack, and even if the hacker gains access to the main VM, the data inside the VSM TEE will still remain out of reach.

Azure Confidential Computing blocks operations triggered by code that is altered or tampered with, shutting down the entire TEE for good measure.

TEEs are created on the platform in such a way that developers can use their existing code without needing to make any changes.

There will be two modes to the feature: one built on virtual machines, and the other using Intel Software Guard Extensions (SGX). In the virtual-machine mode, an attacker would have to compromise Hyper-V itself to break through this isolation. Intel unveiled this sort of data-enclave capability for desktop machines in 2015, but had not planned to offer it for the servers that underpin cloud networks for several years.

The new service also means that Microsoft won't have the capability to turn over unencrypted data in response to government warrants and subpoenas without customer involvement, an issue at the heart of a current Microsoft lawsuit against the US government fighting the requirement to turn over client data, sometimes without the customer's knowledge. Microsoft adds: "We're working with Intel and other hardware and software partners to develop additional TEEs and will support them as they become available."