Data protection is needed in three places—in transit, at rest, and in use. It’s relatively easy to protect data in transit and at rest with encryption, but protecting data while it’s being used hasn’t had a good solution. When data was used only within a company’s own data centers, this vulnerability was small. Now that data is largely used in the cloud, the vulnerability of data in use has increased.

That’s because the resources where the applications and data reside in the cloud don’t belong only to the business; they’re shared with potentially many other users. That creates the potential for breaches that allow data in use to be accessed either through errors or deliberate hacks. Confidential computing in Azure helps ensure that data is protected against that misuse while it is actively being processed.

Confidential Computing Creates Trusted Execution Environments

Confidential computing is built around the idea of creating a trusted execution environment (TEE), also called an enclave, that protects the CPU as well as memory. The TEE ensures that only authorized code can execute, and no data within the TEE can be accessed from outside the environment. Because data has to be decrypted for processing, a TEE protects that decrypted data from exposure. If untrusted code attempts to access the environment, the system is disabled.

Confidential Computing in Azure

There are two different types of TEEs available in Azure. One of them, Virtual Secure Mode, is built on Microsoft Hyper-V. Modifications enforce code isolation and prevent the introduction of code from external sources, even by administrators. The second uses Intel Software Guard Extensions (SGX) to create hardware-based protection. The size of the virtual machine determines how much memory is available for the encrypted pages.

In addition to the TEEs, other Azure services contribute to the security of the environment. Trusted launch signs low-level components, including bootloaders, OS kernels, and drivers, to ensure the boot chain is secure. A virtual Trusted Platform Module allows keys and certificates to be handled securely, as well. The entire configuration’s security can be verified with Azure Attestation.
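To make the boot-chain measurement and attestation idea concrete, here is an added, simplified model (not Azure's or any TPM vendor's code): each boot component is hashed into an accumulator the way a TPM extends a PCR, and a verifier checks that a reported value is authentic, fresh, and equal to a known-good measurement. The component blobs, the shared key and the HMAC-based "quote" are constructed stand-ins; a real vTPM signs quotes with an asymmetric attestation key.

```python
"""Simplified measured-boot + attestation model (added example, not Azure code)."""
import hashlib
import hmac
import os

# Constructed sample boot chain: (component name, component bytes).
GOOD_CHAIN = [
    ("bootloader", b"bootloader-v1"),
    ("kernel", b"kernel-v5.15"),
    ("driver", b"storage-driver-v2"),
]

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(component)). Order matters."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_chain(chain) -> bytes:
    """Replay the boot order into a single accumulator (PCRs start zeroed)."""
    pcr = b"\x00" * 32
    for _, blob in chain:
        pcr = extend(pcr, blob)
    return pcr

# Hypothetical key shared by the (virtual) TPM and the verifier; a real TPM
# signs with an asymmetric key whose certificate chains to the vendor.
ATTESTATION_KEY = b"constructed-demo-key"

def quote(chain, nonce: bytes) -> dict:
    """Platform side: report the measurement bound to the verifier's nonce."""
    pcr = measure_chain(chain)
    mac = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "mac": mac}

def verify(q: dict, expected_pcr: bytes, nonce: bytes) -> bool:
    """Verifier side: authentic (MAC), fresh (nonce), and matching the golden value."""
    expected_mac = hmac.new(ATTESTATION_KEY, q["pcr"] + q["nonce"], hashlib.sha256).digest()
    return (hmac.compare_digest(q["mac"], expected_mac)
            and hmac.compare_digest(q["nonce"], nonce)
            and hmac.compare_digest(q["pcr"], expected_pcr))

if __name__ == "__main__":
    golden = measure_chain(GOOD_CHAIN)   # recorded from a known-good boot
    n = os.urandom(16)
    print("good chain accepted:", verify(quote(GOOD_CHAIN, n), golden, n))
    tampered = GOOD_CHAIN[:1] + [("kernel", b"kernel-v5.15-patched")] + GOOD_CHAIN[2:]
    print("tampered kernel accepted:", verify(quote(tampered, n), golden, n))
```

A changed kernel, a reordered chain, or a replayed quote with a stale nonce all fail verification, which is the property an attestation service relies on before releasing secrets to a workload.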

Although the environment is different, workloads can be made confidential without any code changes. The applications can simply lift-and-shift into the secure environment and run in confidential containers. It’s possible to encrypt a disk image in the company data center and upload the encrypted image to Azure, ensuring the workload is protected even before it’s deployed.

VAST IT Services offers Microsoft Azure support, helping clients build secure, efficient, and cost-effective cloud environments. Contact us to learn more about why confidential computing in Azure makes even sensitive data safe in the cloud.