Microsoft's Azure Confidential Computing Encrypts Data in Use

Published: 22/11/2024   Category: security




Early Access program under way for new Azure cloud security feature.



Microsoft is ramping up Azure data security with encryption of data while in use, a protection so far absent from the public cloud, the company announced today.
The new collection of features and services, called Azure confidential computing, is the product of joint collaboration among the Azure team, Microsoft Research, Windows, its Developer Tools group, and Intel, all of which have been building the technology for over four years. Microsoft is making the new features available to users via an Early Access program.
Confidential computing lets users process data in the cloud, knowing it's under their control. The new Azure update arrives at a time when data breaches regularly make headlines and attackers find new ways to steal personally identifiable information (PII), financial data, and intellectual property.
Many businesses hesitate to move sensitive data to the cloud for fear it will be compromised while in use.
"While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data," says Azure CTO Mark Russinovich in a blog post.
Data has to be in the clear for efficient processing. In confidential computing, it's processed inside a Trusted Execution Environment (TEE). This ensures data and operations cannot be viewed from the outside, even if the attacker is using a debugger.
Microsoft uses enclaves to protect data in SQL Server, its own infrastructure, and blockchain financial operations, a technology known as the Coco Framework. The same tech will be applied to bring encryption-in-use to Azure SQL Database and SQL Server. This builds on the Always Encrypted capability, which encrypts sensitive data in an SQL database at all times by assigning computations on sensitive data to an enclave, where it is decrypted and processed.
Only authorized code is allowed to access the data inside an enclave. If an attacker tries to manipulate the code, Azure denies the operations and disables the environment. The TEE maintains this level of protection for as long as the code inside it is executing.
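The three paragraphs above describe one trust model: ciphertext sits in the database, plaintext exists only inside the enclave while a computation runs, and the key is released only to enclave code the data owner has approved. The following is an added example, not Microsoft's code and not the cipher Always Encrypted actually uses; it simulates that model in plain Python. The "measurement" is a hash of the enclave code standing in for the hardware measurement, the attestation report is an HMAC standing in for a platform signature, and the column cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256. The `Enclave`, `DataOwner`, `count_where` and `run_demo` names and the salary values are all constructed for the illustration.

```python
# Added illustration (not Microsoft's code): a toy model of the enclave trust
# model the article describes. Ciphertext lives in the database, the column key
# is released only to enclave code whose measurement the data owner trusts, and
# plaintext exists only inside the enclave while the query runs.
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; illustrative only, not a real AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || truncated HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def measure(code: str) -> str:
    """Stand-in for the hardware measurement of the code loaded into the enclave."""
    return hashlib.sha256(code.encode()).hexdigest()


class Enclave:
    """Simulated TEE: decrypted values exist only inside its own methods."""

    def __init__(self, code: str):
        self.measurement = measure(code)
        self._key = None

    def attest(self, platform_key: bytes):
        # The platform, not the enclave code, vouches for the measurement.
        # A real TEE signs this; here an HMAC stands in for that signature.
        report = hmac.new(platform_key, self.measurement.encode(), hashlib.sha256).digest()
        return self.measurement, report

    def receive_key(self, key: bytes) -> None:
        self._key = key

    def count_where(self, ciphertexts, threshold: int) -> int:
        if self._key is None:
            raise PermissionError("no column key provisioned")
        # Plaintext is reconstructed here and discarded; only the count leaves.
        return sum(1 for blob in ciphertexts
                   if int.from_bytes(decrypt(self._key, blob), "big") > threshold)


class DataOwner:
    """Client-side driver: owns the column key, releases it only to trusted enclave code."""

    def __init__(self, trusted_measurements, platform_key: bytes):
        self.column_key = secrets.token_bytes(32)
        self.trusted = set(trusted_measurements)
        self.platform_key = platform_key  # simulation: owner can verify the platform's HMAC

    def encrypt_value(self, value: int) -> bytes:
        return encrypt(self.column_key, value.to_bytes(8, "big"))

    def provision(self, enclave: Enclave) -> None:
        measurement, report = enclave.attest(self.platform_key)
        expected = hmac.new(self.platform_key, measurement.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(report, expected) or measurement not in self.trusted:
            raise PermissionError("enclave not trusted; key withheld")
        enclave.receive_key(self.column_key)


TRUSTED_CODE = "count_where v1"  # constructed stand-in for the audited enclave binary


def run_demo(enclave_code: str = TRUSTED_CODE) -> int:
    platform_key = secrets.token_bytes(32)  # constructed: platform attestation key
    owner = DataOwner([measure(TRUSTED_CODE)], platform_key)
    # Constructed salaries; the database only ever holds the ciphertext blobs.
    database = [owner.encrypt_value(v) for v in (42_000, 58_000, 61_000)]
    enclave = Enclave(enclave_code)
    owner.provision(enclave)  # raises PermissionError if the code was modified
    return enclave.count_where(database, 50_000)


def tampered_enclave_is_refused() -> bool:
    """Modified enclave code changes the measurement, so the key is never released."""
    try:
        run_demo("count_where v1 (modified)")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("salaries above 50,000:", run_demo())
    print("tampered enclave refused:", tampered_enclave_is_refused())
```

The point the simulation makes is the one the article states: the database server, its administrators, and a debugger attached outside the enclave see only `nonce || ciphertext || tag` blobs, while any change to the enclave code alters its measurement and the data owner's driver withholds the key. In a real deployment the owner would verify a platform signature with a public key rather than sharing an HMAC secret, and the column cipher would be a standard AEAD.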
Microsoft says the ability to protect data in use can safeguard information from specific threats such as malicious insiders with administrative privilege or access to the hardware on which it's processed. Confidential computing also protects against third parties accessing data without the owner's consent, and against malware designed to exploit bugs in the application, OS, or hypervisor, Microsoft says.
The platform Microsoft is building as part of confidential computing will let developers use multiple TEEs without requiring them to change code. At first Azure will support two: software-based Virtual Secure Mode (VSM) and hardware-based Intel SGX.
VSM is an enclave implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code from running on a computer or server. Local and cloud-service administrators cannot see the contents in, or change the execution of, the VSM enclave.
For the Intel SGX TEE, Azure is offering the first SGX-capable servers in the public cloud. Users will be able to leverage SGX enclaves if they don't want their trust model to include Azure or Microsoft. Microsoft is working with both Intel and other partners to create and support more TEEs.
Microsoft foresees application of confidential computing in industries including finance, healthcare, and artificial intelligence. In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE, says Russinovich.
Healthcare organizations, for example, could securely share private patient data, like genomic sequences, to gain deeper insights from machine learning across multiple data sets.
Microsoft customers interested in confidential computing can refer to Microsoft's Early Access program, which includes access to Azure VSM, SGX-enabled virtual machines, tools, SDKs, and Windows and Linux support.