Azure confidential computing – part 1

Hi All,

Greetings for the day!!!

Today new learnings so sharing ! SHARING IS CARING 🙂

Background / Details

• For one of our project we need to develop the Azure confidential virtual machine – we are doing POC for storing some very business critical data (highly confidential data)
• So started exploring Azure confidential computing and sharing details
• In this article we will touch base about Confidential Computing and Azure Confidential Computing concepts and will explore details in further upcoming articles
• In next upcoming articles we will discuss – creating Azure confidential virtual machines

In this article we will discuss about Confidential Computing and Azure Confidential Computing

Take away from this article

• Understand the concept of Confidential Computing
• Understand Azure Confidential Computing
• Azure Confidential Computing offerings
• Azure Confidential Computing resources

What is Confidential Computing

• Confidential computing is an industry term defined by the Confidential Computing Consortium (CCC)
• CCC – a foundation dedicated to defining and accelerating the adoption of confidential computing
• The CCC defines confidential computing as: The protection of data in use by performing computations in a hardware-based Trusted Execution Environment (TEE).
• A TEE is an environment that enforces execution of only authorized code.
• Any data in the TEE can’t be read or tampered with by any code outside that environment.
• The confidential computing threat model aims at removing or reducing the ability for a cloud provider operator and other actors in the tenant’s domain to access code and data while being executed.
• When used with data encryption at rest and in transit, confidential computing protects sensitive or highly regulated data sets and application workloads in a secure public cloud platform.
• TEEs are also being used to protect proprietary business logic, analytics functions, machine learning algorithms, or entire applications

Azure confidential computing

Azure provides following suite of offerings for for running our applications confidentially

• Microsoft Azure Attestation
  • a remote attestation service for validating the trustworthiness of multiple Trusted Execution Environments (TEEs)
  • a remote attestation service for verifying integrity of the binaries running inside the TEEs.
  • Details : https://learn.microsoft.com/en-us/azure/attestation/overview
• Azure Key Vault Managed HSM
  • A fully managed, highly available, single-tenant, standards-compliant cloud service
  • This service enables to store cryptographic keys for our applications using FIPS 140-2 Level 3 validated Hardware Security Modules (HSM)
  • Details : https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/
• Trusted Launch
  • Provides hardening security features (secure boot, boot integrity monitoring) for all generation 2 VMs
  • Protect against boot kits, rootkits and kernel-level malware
  • Details : https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch
• Azure Confidential Ledger
  • a tamper-proof register for storing sensitive data for record keeping and auditing or for data transparency in multi-party scenarios
  • Details : https://learn.microsoft.com/en-us/azure/confidential-ledger/overview
• Azure IoT Edge
  • supports confidential applications that run within secure enclaves on an Internet of Things (IoT) device
  • Details : https://learn.microsoft.com/en-us/azure/iot-edge/deploy-confidential-applications?view=iotedge-1.4
• Always Encrypted with secure enclaves in Azure SQL.
  • The confidentiality of sensitive data is protected from malware and high-privileged unauthorized users by running SQL queries directly inside a TEE
  • Details : https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16

Also following computing resources

• VMs with Intel SGX application enclaves.
  • Azure offers the DCsv2, DCsv3, and DCdsv3 series built on Intel SGX technology for hardware-based enclave creation.
  • Details : https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-computing-enclaves
• App-enclave aware containers
  • running on Azure Kubernetes Service (AKS). Confidential computing nodes on AKS use Intel SGX to create isolated enclave environments in the nodes between each container application.
  • Details : https://learn.microsoft.com/en-us/azure/confidential-computing/enclave-aware-containers
• Confidential VMs based on AMD SEV-SNP technology
  • Enables lift-and-shift of existing workloads and protect data from the cloud operator with VM-level confidentiality
• Confidential Inference ONNX Runtime,

References

• Microsoft Azure Attestation – https://learn.microsoft.com/en-us/azure/attestation/overview
• Azure Key Vault Managed HSM documentation – https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/
• Trusted launch for Azure virtual machines – https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch
• Microsoft Azure confidential ledger – https://learn.microsoft.com/en-us/azure/confidential-ledger/overview
• Confidential computing at the edge – https://learn.microsoft.com/en-us/azure/iot-edge/deploy-confidential-applications?view=iotedge-1.4
• Always Encrypted with secure enclaves – https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16
• SGX enclaves – https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-computing-enclaves
• Enclave Aware Containers with Intel SGX – https://learn.microsoft.com/en-us/azure/confidential-computing/enclave-aware-containers

In next article we will discuss Confidential Virtual Machines

Thanks for reading !! If its worth at least reading once, kindly please like and share !!! SHARING IS CARING 🙂

Enjoy the beautiful life !! Have a FUN !! HAVE A SAFE LIFE !! TAKE CARE 🙂