According to a recent announcement from the U.S. Securities and Exchange Commission (SEC), a 2016 hack is still having serious implications today. Key findings from the Global State of Information Security® Survey 2017, conducted by PricewaterhouseCoopers, show that over nine billion records have been lost, stolen or compromised across several industries in the US. These figures point to one thing: security breaches have become increasingly common in the digital age we live in. Existing legacy systems encrypt data at rest and in transit, but those protections can prove ineffective because the data must be decrypted for the many computational tasks that run on it.
To address this critical need to strengthen encryption systems, Microsoft has entered the data-security arena with Azure confidential computing. Replete with a new suite of features and services, Azure confidential computing is a step forward for data security: it encrypts data even while it is in use. This adds a new layer of security, so that data remains within the customer's control without being exposed in the clear to the public cloud.
Here’s an overview of the line of features Microsoft’s Azure is equipped with.
Trusted Execution Environment (TEE)
Azure datacenters already provide physical security for the data stored within them. Confidential computing adds a Trusted Execution Environment (TEE) as a further security layer that prevents outside parties from viewing data while it is processed on Azure. Commonly referred to as an “enclave”, a TEE verifies the code that operates on each data set and refuses to run it if the code has been tampered with.
Presently, Microsoft supports two TEE options for the confidential computing scheme. One is a purely software-based option, “Virtual Secure Mode”, which uses Hyper-V in Windows 10 and Windows Server 2016. The other is the hardware-based Intel Software Guard Extensions (SGX) solution, which leverages the CPU. The competitive aspect of the hardware-based option is that it lets customers keep Azure and Microsoft out of the trusted computing base altogether and rely entirely on SGX TEEs.
It is well known that Microsoft already uses enclaves to protect a wide range of operations, from blockchain financing to data stored in SQL Server and infrastructure within Azure. With the Coco Framework, the extensive use of confidential computing in the realm of blockchain has been explored. Along the same lines, Azure confidential computing uses similar technology to implement encryption-in-use for Azure SQL Database and SQL Server. As an extension of the Always Encrypted feature, Azure confidential computing ensures that highly sensitive data within a SQL database can be encrypted at all times without affecting the functionality of SQL queries.
In short, the enclave acts as a safe place for decrypting and processing data, and Azure confidential computing routes specific computations on sensitive data into it.
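To make the Always Encrypted building block concrete, here is an added example (not code from the original post or from Microsoft) of the classic Always Encrypted DDL for SQL Server and Azure SQL Database. The key names `CMK_Patients` and `CEK_Patients`, the table `dbo.Patients`, the Key Vault URL and the `ENCRYPTED_VALUE` blob are placeholders and assumptions; in practice the wrapped-key blob is generated by client tooling such as SSMS or PowerShell, never typed by hand.

```sql
-- Added example (not from the original post): classic Always Encrypted DDL.
-- Names, the Key Vault URL and the ENCRYPTED_VALUE blob are placeholders.

-- 1. Column master key (CMK): lives outside the database, here in Azure Key Vault.
--    The SQL engine stores only the *location* of the key, never its material.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    KEY_PATH = 'https://<your-vault>.vault.azure.net/keys/<key-name>/<version>'  -- placeholder
);

-- 2. Column encryption key (CEK): stored in the database only as a ciphertext
--    wrapped by the CMK (RSA-OAEP), so a database administrator cannot recover it.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0000  -- placeholder: real wrapped-key blob comes from client tooling
);

-- 3. Table with two encrypted columns. DETERMINISTIC permits equality lookups
--    (and requires a *_BIN2 collation on string columns); RANDOMIZED leaks less
--    but the column can then only be retrieved, not searched or joined.
CREATE TABLE dbo.Patients (
    PatientId  INT IDENTITY PRIMARY KEY,
    Ssn        CHAR(11) COLLATE Latin1_General_BIN2
               ENCRYPTED WITH (
                   COLUMN_ENCRYPTION_KEY = CEK_Patients,
                   ENCRYPTION_TYPE = DETERMINISTIC,
                   ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
               ) NOT NULL,
    Diagnosis  NVARCHAR(200)
               ENCRYPTED WITH (
                   COLUMN_ENCRYPTION_KEY = CEK_Patients,
                   ENCRYPTION_TYPE = RANDOMIZED,
                   ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
               ) NULL,
    AdmittedOn DATE NOT NULL
);

-- 4. The application's query is unchanged. A client driver connected with
--    "Column Encryption Setting=Enabled" encrypts the parameter before it leaves
--    the client, so the server only ever compares ciphertexts.
SELECT PatientId, AdmittedOn
FROM dbo.Patients
WHERE Ssn = @Ssn;   -- must be a parameter; a plaintext literal cannot be matched
```

The point to notice is the trust boundary: the server holds the CMK's address and the wrapped CEK but never the plaintext key, so a compromised or curious database administrator sees only ciphertext. The price in this classic form is that the server can do almost nothing with the data beyond equality matching on deterministic columns; the enclave-based extension the post describes is what lets richer computations run server-side without giving up that boundary.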
Applications of Confidential Computing
In addition to SQL Server, there are many other applications for Azure confidential computing, in industries such as finance, healthcare, AI and beyond.
For instance, in a critical industry such as finance, data about personal portfolios and wealth-management strategies would be protected within a TEE. Healthcare companies can use Azure confidential computing as a platform for sharing private patient data and gaining deeper insights from machine learning across multiple data sets, without the risk of data leaking to other organizations.
In the oil and gas and IoT sectors, extremely sensitive seismic data that embodies a corporation's intellectual property can be moved to the cloud for processing with the protection of encryption-in-use technology.
Do send your feedback on this blog to email@example.com