This blog was updated on 11/17/20.
Protecting data and code that’s in use inside a processor’s memory is the new frontier for comprehensive data security in the cloud. Intel and Microsoft are both premier members of the Confidential Computing Consortium, which aims to accelerate the adoption of Trusted Execution Environment (TEE) technologies and standards. Intel Software Guard Extensions (Intel SGX) is a hardware-based TEE that allows developers to create security-enabled enclaves—small, trusted environments within a CPU that can execute code in a way that is not accessible by an operating system.
Working closely with Intel, Microsoft launched confidential computing in August 2017, and Azure became the first major cloud provider to announce general availability of confidential computing based on Intel SGX, in April 2020. The new Microsoft Azure DCsv2-series virtual machine (VM) runs on Intel® Xeon® E processors and helps protect the confidentiality and integrity of customer data while it is in use.
“Customers are concerned about security protections whether they be from malicious users on the inside or hackers on the outside. Any point where the data is not protected is an opportunity for those attacks to occur. This is why it’s so important to make sure that the data is protected not just at rest and in flight but even when it’s running inside the processor.”
–Corey Sanders, Corporate VP, Azure Compute at Microsoft
Microsoft Azure confidential computing uses Intel SGX to protect data during that critical moment of processing when the data is not encrypted. This helps improve security to support use cases such as the following:
- Federated (machine) learning. Federated learning is a distributed approach to machine learning (ML) that enables multiple organizations to collaborate on ML projects. Confidential computing with Intel SGX is ideal for federated learning solutions because the enclaves are remotely attestable, meaning that one party can cryptographically verify that an enclave on another party’s computer is running trusted, unmodified code.
- Confidential containers and VMs. In multitenant cloud environments such as Microsoft Azure, customers worry that containers and VMs might be open to attack. Support for trusted execution through Intel SGX provides stronger assurance that container and VM processes are protected from outside attacks.
- Confidential databases. Confidential computing with Intel SGX can be used to increase the protection of databases on Microsoft Azure through isolation of sensitive data or isolation of cryptographic keys.
- Blockchain. Intel SGX helps Microsoft Azure increase customer privacy and security for blockchain transaction processing, smart contracts, and key storage.
Surveys show that the top cloud security concern of cybersecurity professionals is data loss and leakage. Microsoft Azure sees the higher level of security and privacy provided by confidential computing built on Intel SGX as a major opportunity to ease customer concerns about protecting the confidentiality of data in the cloud.