Data is the fuel that drives business, which is why it’s also a primary target. Protecting data has always been a challenge, but cloud computing, containers, SaaS (software-as-a-service) applications, mobile devices, and IoT (internet of things) devices expand the attack surface and make it exponentially more difficult to monitor and protect data across such a dynamic technology landscape. Microsoft, building upon Intel’s trusted foundation, is raising the bar around privacy and confidentiality in the cloud with the general availability of Microsoft Azure DCsv2-Series.
Azure Confidential Computing
There is a virtually constant stream of sensitive data being created, transmitted, and stored on the internet. It’s crucial for things like online payments and financial data, personally identifiable information (PII), health and medical data, location data, and other confidential information to be protected from unauthorized access or exposure. Azure confidential computing enables customers to protect and secure cloud data with DCsv2-series virtual machines (VMs) built on Intel SGX (Intel Software Guard Extensions) technology.
We’ve long had tools and systems in place to encrypt and protect data at rest and while it is being transmitted from Point A to Point B, but Azure confidential computing goes even further and protects the confidentiality of data while it is in use, that is, while it is being actively processed in memory. Microsoft Azure is the first public cloud platform to offer full virtualization infrastructure services using hardware-based trusted execution environments (TEEs) built on Intel SGX technology.
Intel SGX (Software Guard Extensions)
Intel SGX is the most researched, tested, and deployed application isolation technology in the market today. It allows developers to partition applications into private regions of memory called enclaves, which are designed to be protected from more privileged software, including the host operating system and hypervisor. Using Intel SGX, DCsv2-series virtual machines can encrypt data while it is being processed in memory and isolate that data from other applications or tenants on the same server. It also prevents the cloud service provider, rogue administrators, or even malicious code that gains root privileges from accessing the data.
This technology is great for protecting existing cloud workloads, but it also opens the door to new usage models. At Intel Security Day in March, Scott Woodgate, Microsoft Sr. Director of Azure Security and Management Marketing, discussed a real-world example of multi-party machine learning made possible by Intel SGX. Woodgate shared, “We’ve seen multiple banks around the world implement multi-party machine learning to find specific patterns of fraud and help the bottom line of these banks. To do this, banks perform machine learning to find patterns on shared datasets in Azure using Intel SGX-enabled protected enclaves without ever exposing an individual bank’s dataset to other parties including banks or even an administrator on the virtual machines.”
Raising the Bar for Data Integrity and Confidentiality
Intel SGX hardware protects data and ensures that it remains encrypted even during processing. A TEE built on Intel SGX prevents the operating system and hypervisor themselves from accessing the data, and system administrators or others with physical access to the server cannot view or access it either.
“Customers are demanding the capability to reduce the attack surface and help protect sensitive data in the cloud by encrypting data in use,” explained Anil Rao, VP Data Center Security and Systems Architecture for Intel, in a Microsoft blog post announcing the DCsv2-series VMs and Azure confidential computing. “Our collaboration with Microsoft brings enterprise-ready confidential computing solutions to market and enables customers to take greater advantage of the benefits of cloud and multi-party compute paradigms using Intel SGX technology.”