Early Access program under way for new Azure cloud security feature.
Microsoft is ramping up Azure data security with encryption of data while in use, a protection so far absent from the public cloud, the company announced today.
The new collection of features and services, called Azure “confidential computing,” is the product of joint collaboration among the Azure team, Microsoft Research, Windows, its Developer Tools group, and Intel, all of which have been building the technology for over four years. Microsoft is making the new features available to users via an Early Access program.
Confidential computing lets users process data in the cloud, knowing it’s under their control. The new Azure update arrives at a time when data breaches regularly make headlines and attackers find new ways to steal personally identifiable information (PII), financial data, and intellectual property.
Many businesses hesitate to move sensitive data to the cloud for fear it will be compromised while in use.
“While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data,” says Azure CTO Mark Russinovich in a blog post.
Data has to be “in the clear” for efficient processing. In confidential computing, it’s stored inside a Trusted Execution Environment (TEE). This ensures data and operations cannot be viewed from the outside, even if the attacker is using a debugger.
Microsoft uses enclaves to protect data in SQL Server, its own infrastructure, and blockchain financial operations, a technology known as the Coco Framework. The same tech will be applied to bring encryption-in-use to Azure SQL Database and SQL Server. This builds on the Always Encrypted capability, which encrypts sensitive data in an SQL database at all times by assigning computations on sensitive data to an enclave, where it is decrypted and processed.
Only authorized code is allowed to access the data inside an enclave. And if an attacker tries to manipulate the code, Azure denies the operations and disables the environment. TEE maintains this level of protection for as long as the code inside it is executed.
Microsoft says the ability to protect data in use can safeguard information from specific threats such as malicious insiders with administrative privilege or access to the hardware on which it’s processed. Confidential computing also protects against third parties accessing data without the owner’s consent, and malware designed to exploit bugs in the application, OS, or hypervisor, Microsoft says.
The platform Microsoft is building as part of confidential computing will let developers use multiple TEEs without requiring them to change code. At first Azure will support two: software-based Virtual Secure Mode (VSM) and hardware-based Intel SGX.
VSM is an enclave implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code from running on a computer or server. Local and cloud-service administrators cannot see the contents in, or change the execution of, the VSM enclave.
The Intel SGX TEE has the first SGX-capable servers in the public cloud. Users will be able to leverage SGX enclaves if they don’t want their trust model to include Azure or Microsoft. Microsoft is working with both Intel and other partners to create and support more TEEs.
Microsoft foresees application of confidential computing in industries including finance, healthcare, and artificial intelligence. “In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE,” says Russinovich.