Microsoft has been spending over one billion dollars per year on cybersecurity to make Azure the most trusted cloud platform. Taking a step further in Azure’s data security abilities, Microsoft has now introduced Azure confidential computing, a collection of services and features that offers a protection missing from public clouds – encryption of data while being used.
Azure confidential computing will allow applications running on Azure to keep data encrypted not only when it’s at rest or in transit, but also when it’s being computed on in-memory. It will keep data secure even from Microsoft’s administrators, hackers, and government warrants.
The data is protected inside a Trusted Execution Environment (TEE), also called an enclave. None of the data or operations inside can be viewed from outside, even through a debugger. Only authorized code is allowed to access the data; if the code is altered or tampered with, the operations are denied and the environment is disabled.
Developers will be able to use different TEEs without having to change their code. Initially, Azure confidential computing supports two TEEs: Virtual Secure Mode (VSM) and Intel SGX. VSM, a software-based TEE, is implemented by Hyper-V in Windows 10 and Windows Server 2016.
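The access rule described above (data is released only to the code that was authorized, and tampered code is denied and the environment disabled) can be illustrated with a small model. The following is an added example written for this page, not Microsoft's or Intel's code, and it does not reproduce the real SGX or VSM attestation protocol: the enclave, its measurement (a hash of the code), the `EnclaveDataPolicy` class and the sample data are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample: the code the data owner authorized to run in the enclave.
AUTHORIZED_CODE = b"def process(data): return sum(data) / len(data)"


def measure(code: bytes) -> str:
    """Return the measurement (SHA-256 hex digest) of enclave code.

    Real TEEs compute a measurement of the loaded code at enclave creation;
    hashing the source bytes stands in for that here (assumption of this model).
    """
    return hashlib.sha256(code).hexdigest()


class EnclaveDataPolicy:
    """Toy model: protected data plus the single measurement allowed to read it."""

    def __init__(self, protected_data, expected_measurement: str):
        self._data = protected_data
        self._expected = expected_measurement
        self.disabled = False

    def access(self, code: bytes):
        """Release the data only to code whose measurement matches.

        On a mismatch the access is denied and the environment is disabled,
        which is the behaviour the article attributes to a TEE.
        """
        if self.disabled:
            raise PermissionError("enclave disabled")
        # Constant-time comparison so the check itself does not leak timing.
        if not hmac.compare_digest(measure(code), self._expected):
            self.disabled = True
            raise PermissionError("measurement mismatch: access denied, enclave disabled")
        return self._data


def run_authorized() -> float:
    """Authorized code gets the data and computes on it inside the enclave."""
    policy = EnclaveDataPolicy([1, 2, 3, 4], measure(AUTHORIZED_CODE))
    data = policy.access(AUTHORIZED_CODE)
    return sum(data) / len(data)


def run_tampered() -> bool:
    """Altered code is refused; returns whether the enclave was disabled."""
    policy = EnclaveDataPolicy([1, 2, 3, 4], measure(AUTHORIZED_CODE))
    tampered = AUTHORIZED_CODE + b"; leak(data)"  # constructed tampering
    try:
        policy.access(tampered)
    except PermissionError:
        pass
    return policy.disabled


def authorized_blocked_after_tamper() -> bool:
    """Once disabled, even the authorized code can no longer read the data."""
    policy = EnclaveDataPolicy([1, 2, 3, 4], measure(AUTHORIZED_CODE))
    try:
        policy.access(AUTHORIZED_CODE + b"#")
    except PermissionError:
        pass
    try:
        policy.access(AUTHORIZED_CODE)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("authorized result:", run_authorized())
    print("tampered code disabled enclave:", run_tampered())
    print("authorized blocked afterwards:", authorized_blocked_after_tamper())
```

The point the model makes is that the decision is tied to a measurement of the code rather than to who is asking: an administrator, an attacker with stolen credentials, or a legal request cannot present an authorized measurement without running exactly the authorized code, which is why the article can claim protection even against privileged operators.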
“While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts or by leveraging compromised keys to access encrypted data,” wrote Mark Russinovich, Azure CTO.
The Azure team has been working on this cloud solution, which leverages Intel SGX technology, together with Microsoft Research, Intel, the Windows team, and its Developer Tools group for over four years.
Microsoft will also be extending its in-house enterprise blockchain tools to provide additional security for SQL Server and SQL Database instances in Azure.
Azure is offering confidential computing from Microsoft data centers in over 40 regions. It is now available in private preview as part of a special early access program.