Microsoft is making it harder for cyber-attackers to steal data from its cloud customers and invade their privacy with a new suite of services and features called Azure Confidential Computing, the company announced on Sept. 14.
Four years in development, Azure Confidential Computing addresses a lingering weakness in data processing systems that hackers and malware coders can exploit to breach private data. Although organizations can use encryption that protects data at rest and in transit, along with a variety of other security tools and controls, those protections are stripped away when it comes time to process the data and run computational tasks on it.
It’s this data-in-use state that often affords hackers malware watch for to access an organization’s sensitive data. Azure Confidential Computing prevents this with an approach that essentially encrypts data while it’s in use, explained Mark Russinovich, CTO of Microsoft Azure, in a blog post.
“Confidential computing ensures that when data is ‘in the clear,’ which is required for efficient processing, the data is protected inside a Trusted Execution Environment (TEE – also known as an enclave),” wrote Russinovich. “TEEs ensure there is no way to view data or the operations inside from the outside, even with a debugger. They even ensure that only authorized code is permitted to access data.”
Azure Confidential Computing blocks operations triggered by code that is altered or tampered with, shutting down the entire TEE for good measure. It’s a safeguard that remains active as along as code is being executed in a TEE.
The technology prevents malware or attackers targeting application, operating system or hypervisor exploits from gaining access to data that is in use. It can also block malicious insiders with direct access to a system or who have administrative privileges.
At the outset, Microsoft will be supporting two types of TEE technologies. The first is the software-based Virtual Secure Mode found in the Hyper-V virtualization software components in Windows Server 2016 and Windows 10. The other is Intel’s Software Guard Extensions (SGX) technology built into the processors running on Azure cloud servers. Microsoft is working with additional software and hardware partners on enabling other types of TEEs, Russinovich said.
Microsoft also revealed that its Coco Framework, an open-source system that ensures confidentiality in enterprise blockchain systems, is being used to supplement the existing Always Encrypted feature in Azure SQL Database and SQL Server. The technology will provide similar encryption-in-use protections to the database products without affecting the normal operations of SQL queries.
Interested customers can join the Azure Confidential Computing early access program here. Microsoft also plans to demonstrate the technology at the upcoming Ignite conference in Orlando, Fla. (Sept. 25-29), which will “go on as planned” after hurricane Irma swept through the region, the company confirmed in a Sept. 13 tweet.