Microsoft today announced Azure confidential computing, an industry-first solution to secure data in the cloud even while it is in use. Cloud platforms including Azure have long offered encryption of data at rest and in transit; what Azure confidential computing adds is encryption of data while it is in use. The Microsoft Azure team, along with Microsoft Research, Intel, Windows, and the Developer Tools group, has been working on this secure platform for over four years. Today, Microsoft is making it available to customers via an Early Access program.
Here’s how it works:
Confidential computing ensures that when data is "in the clear," which is required for efficient processing, the data is protected inside a Trusted Execution Environment (TEE, also known as an enclave), an example of which is shown in the figure below. TEEs ensure there is no way to view the data or the operations inside from the outside, even with a debugger. They also ensure that only authorized code is permitted to access the data. If the code is altered or tampered with, the operations are denied and the environment is disabled. The TEE enforces these protections throughout the execution of the code within it.
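The "only authorized code" rule above is enforced through attestation: the TEE reports a measurement (hash) of the code it is running, authenticated by a hardware-held key, and a relying party releases the data key only if that measurement is on its allow-list. The following is an added simulation of that flow, not Microsoft's code and not the SGX or Virtual Secure Mode API; the enclave images, the platform key and the `KeyReleaseService` are constructed assumptions, and an HMAC stands in for the hardware signature on a real quote.

```python
import hashlib
import hmac
import secrets

# Constructed sample "enclave images": these bytes stand in for a compiled enclave binary.
TRUSTED_CODE = b"process(record): return record.balance * 1.02"
TAMPERED_CODE = TRUSTED_CODE + b"; exfiltrate(record)"

# Stands in for the per-platform attestation key held by the hardware.
# Constructed for this simulation; a real TEE never exposes this key to software.
PLATFORM_KEY = secrets.token_bytes(32)


def measure(code: bytes) -> str:
    """Code identity is a hash over the enclave image (models an SGX-style measurement)."""
    return hashlib.sha256(code).hexdigest()


def produce_quote(code: bytes, platform_key: bytes) -> dict:
    """What the TEE hands to a remote party: the measurement of the code it is
    running, authenticated with the platform key so software cannot forge it.
    (HMAC is used here in place of a hardware signature.)"""
    m = measure(code)
    tag = hmac.new(platform_key, m.encode(), hashlib.sha256).hexdigest()
    return {"measurement": m, "tag": tag}


class KeyReleaseService:
    """Relying party that holds the data-encryption key and hands it only to
    code whose measurement is on its allow-list (hypothetical service)."""

    def __init__(self, allowed_measurements, platform_key: bytes):
        self.allowed = set(allowed_measurements)
        self.platform_key = platform_key
        self.data_key = secrets.token_bytes(32)

    def release_key(self, quote: dict):
        """Return the data key for an authorized enclave, or None if denied."""
        expected_tag = hmac.new(
            self.platform_key, quote["measurement"].encode(), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison: the quote must come from a genuine platform.
        if not hmac.compare_digest(expected_tag, quote["tag"]):
            return None
        # Altered code has a different measurement, so its operations are denied.
        if quote["measurement"] not in self.allowed:
            return None
        return self.data_key


def run_enclave(code: bytes, service: KeyReleaseService, platform_key: bytes) -> str:
    """Simulate an enclave attesting to the service and then trying to process data."""
    key = service.release_key(produce_quote(code, platform_key))
    if key is None:
        return "denied"
    # With the key in hand the enclave could now decrypt and process records.
    return "processed"


if __name__ == "__main__":
    service = KeyReleaseService([measure(TRUSTED_CODE)], PLATFORM_KEY)
    print("trusted code :", run_enclave(TRUSTED_CODE, service, PLATFORM_KEY))
    print("tampered code:", run_enclave(TAMPERED_CODE, service, PLATFORM_KEY))
    print("forged quote :", run_enclave(TRUSTED_CODE, service, b"\x00" * 32))
```

The two denial paths mirror the text: a quote not authenticated by the platform key is rejected outright, and genuine hardware running modified code produces a measurement that is not on the allow-list, so the key, and with it the data, is never released.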
For now, Microsoft is planning to support two Trusted Execution Environments (TEEs): Virtual Secure Mode and Intel SGX. Virtual Secure Mode is a software-based solution offered by Hyper-V in Windows 10 and Windows Server 2016. Intel SGX is hardware-based and is offered on the first SGX-capable servers in the public cloud.
Microsoft is already using the Azure confidential computing platform to run its own infrastructure, blockchain financial operations, and more. Starting today, it is expanding the platform to Azure SQL Database and SQL Server. You can sign up for the Early Access program here.