Developing and deploying code, or building and running applications, on the modern cloud has serious advantages over traditional on-premises deployment, but those advantages come with security concerns and risk. Prominent players in every industry, whether entertainment, manufacturing, or service providers, consider the cloud the technology of the future. Many of them have started multi-year cloud migrations to become future proof, like the NBA recently, the NFL using AWS services, LinkedIn, and the list goes on. These companies are moving all their critical workloads and data to the cloud, as the security benefits the public cloud offers have become a main attraction for them.
In 2017, International Data Corporation (IDC) released its CloudView study, which found that improving security is one of the top drivers for companies moving to the cloud; yet security remains a major and common concern for companies moving extremely critical IP and data to the cloud. Not surprisingly, the latest version of the Treacherous 12 Threats to Cloud Computing report by the Cloud Security Alliance (CSA) confirms this. That report ranks data breaches among the top cloud threats, and it lists three further data security concerns: breaches caused by system vulnerabilities, malicious insiders, and shared technology vulnerabilities.
Azure Confidential Computing, as the name suggests, protects data while it is being processed in the cloud. Encryption at rest and in transit are already standard; protecting data in use, while it sits in memory and is being computed on, is the cornerstone on which Confidential Computing is built.
Confidential Computing Principles:
Microsoft set out four basic principles for its work on Confidential Computing:
- Mitigate the threat of data breaches.
- The customer fully controls the data, whether it is at rest, in transit, or in use, even when the customer does not control the infrastructure.
- Code running in the cloud should be protected and verifiable by the customer.
- Data and code should be opaque to the cloud platform; put another way, the cloud platform is outside the trusted computing base.
Today this technology can be applied only to a subset of data processing scenarios, but as it matures we can expect it to become the norm for all data processing, both in the cloud and at the edge.
What Azure Confidential Computing requires
Delivering on this vision requires innovation across hardware, software, and services capable of supporting confidential computing:
- Hardware: Over the past few years, Microsoft has worked closely with silicon partners to integrate features that isolate applications during computation and to make those features accessible from multiple operating systems. Microsoft also benefits from its close ties with Intel, whose SGX secure enclaves are made available to Azure users.
- Compute: Microsoft is also opening its compute platform to the deployment and management of compute instances enabled with TEEs (trusted execution environments).
- Development: Microsoft is working with its partners to drive an API for Windows and Linux that remains consistent across TEEs, both hardware- and software-based, so that confidential application code is portable. They are also working on tooling and debugging support for developing and testing confidential applications.
- Attestation: It is important to verify the identity of the code running in a TEE in order to trust that code and decide whether secrets should be released to it. In practice this means checking a report signed by the platform: the code measurement must match an expected value, the signature must chain to the silicon vendor, and the challenge must be fresh, before any secret is handed over. Microsoft is partnering with silicon vendors to design and host attestation services that make this verification simple and highly available.
- Services/Use cases: Virtual machines provide the building blocks for new business scenarios and use cases. Meanwhile, Microsoft is continuously developing services and products that leverage confidential computing, including:
- Protecting data confidentiality and integrity with SQL Server Always Encrypted.
- Designing a trusted distributed network among a set of untrusted participants with Microsoft's Confidential Consortium Blockchain Framework, for a highly scalable and confidential network.
- Privately combining multiple data sources to support secure multi-party machine learning scenarios.
- Research: Microsoft Research is working closely with the Azure team and silicon partners to identify and avoid TEE vulnerabilities. For instance, they are actively developing advanced techniques to harden TEE applications and to prevent information leaks outside the TEE, both direct and indirect (for example through side channels). They also aim to bring this to market as tooling and runtimes for developing confidential code.
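As an added example, not code from this page or from Microsoft, here is the attestation gate the Attestation bullet above describes, reduced to a minimal challenge-response in Go. The enclave answers a verifier nonce with a signed report carrying its code measurement and a hash of its own public key; the verifier checks the signature, the measurement allowlist, the nonce's freshness and the key binding, and only then wraps the secret to the enclave's key. Everything here is simulated: the Report layout, the Ed25519 platform key standing in for the hardware quoting chain and vendor certificates, the enclave images and the secret are constructed for the example, and sha256 of the X25519 shared secret stands in for a real KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a simplified stand-in shaped like an SGX quote, not Intel's or Azure's real format.
type Report struct {
	Measurement [32]byte // hash of the enclave code (MRENCLAVE-like)
	Nonce       [16]byte // challenge issued by the verifier for this run
	ReportData  [32]byte // enclave-chosen binding: sha256(enclave public key)
	Signature   []byte   // over the fields above, by the platform attestation key
}
func (r *Report) signedBytes() []byte {
	return append(append(append([]byte{}, r.Measurement[:]...), r.Nonce[:]...), r.ReportData[:]...)
}

// sessionAEAD builds AES-256-GCM from an X25519 agreement (sha256 stands in for HKDF).
func sessionAEAD(priv *ecdh.PrivateKey, peer []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil { return nil, err }
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	blk, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}

// Enclave is the prover; its X25519 private key never leaves the enclave.
type Enclave struct {
	Measurement [32]byte
	key         *ecdh.PrivateKey
}
func NewEnclave(code []byte) (*Enclave, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Enclave{Measurement: sha256.Sum256(code), key: k}, nil
}
func (e *Enclave) PublicKey() []byte { return e.key.PublicKey().Bytes() }

// Attest answers a challenge; platformKey stands in for the hardware quoting chain, trusted to report honestly.
func (e *Enclave) Attest(nonce [16]byte, platformKey ed25519.PrivateKey) *Report {
	r := &Report{Measurement: e.Measurement, Nonce: nonce, ReportData: sha256.Sum256(e.PublicKey())}
	r.Signature = ed25519.Sign(platformKey, r.signedBytes())
	return r
}

// Unwrap recovers a secret that Verifier.Release wrapped to this enclave's key.
func (e *Enclave) Unwrap(verifierPub, wrapped []byte) ([]byte, error) {
	g, err := sessionAEAD(e.key, verifierPub)
	if err != nil || len(wrapped) < g.NonceSize() { return nil, errors.New("cannot unwrap secret") }
	return g.Open(nil, wrapped[:g.NonceSize()], wrapped[g.NonceSize():], nil)
}

// Verifier is the relying party that holds the secret.
type Verifier struct {
	PlatformPub ed25519.PublicKey // trusted attestation signing key
	Allowed     map[[32]byte]bool // measurements permitted to receive Secret
	Secret      []byte
	issued      map[[16]byte]bool // outstanding nonces, each usable exactly once
}
func (v *Verifier) Challenge() ([16]byte, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil { return n, err }
	if v.issued == nil { v.issued = map[[16]byte]bool{} }
	v.issued[n] = true
	return n, nil
}

// Release checks signature, allowlist, nonce freshness and key binding before anything leaves the verifier.
func (v *Verifier) Release(r *Report, enclavePub []byte) (verifierPub, wrapped []byte, err error) {
	if !ed25519.Verify(v.PlatformPub, r.signedBytes(), r.Signature) { return nil, nil, errors.New("attestation signature invalid") }
	if !v.Allowed[r.Measurement] { return nil, nil, errors.New("measurement not in allowlist") }
	if !v.issued[r.Nonce] { return nil, nil, errors.New("unknown or reused nonce (replay?)") }
	delete(v.issued, r.Nonce) // one-time use: a replayed report fails the check above
	if sha256.Sum256(enclavePub) != r.ReportData { return nil, nil, errors.New("enclave key not bound to report") }
	vk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	g, err := sessionAEAD(vk, enclavePub)
	if err != nil { return nil, nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, nil, err }
	return vk.PublicKey().Bytes(), g.Seal(nonce, nonce, v.Secret, nil), nil
}

func main() {
	platformPub, platformKey, _ := ed25519.GenerateKey(rand.Reader)
	enc, _ := NewEnclave([]byte("constructed enclave image v1")) // constructed sample, not real enclave code
	v := &Verifier{PlatformPub: platformPub, Secret: []byte("db-master-key"), Allowed: map[[32]byte]bool{enc.Measurement: true}}
	n, _ := v.Challenge()
	vp, w, err := v.Release(enc.Attest(n, platformKey), enc.PublicKey())
	if err != nil { panic(err) }
	secret, _ := enc.Unwrap(vp, w)
	fmt.Printf("enclave received: %s\n", secret)
	_, _, err = v.Release(enc.Attest(n, platformKey), enc.PublicKey()) // same challenge replayed
	fmt.Println("replay rejected:", err)
}
```

Each check closes a distinct hole: without the nonce a captured report can be replayed; without the ReportData binding a genuine enclave's report can be presented together with an attacker's key, so the secret would be wrapped to the attacker; and the allowlist is what turns "some enclave signed this" into "the code we reviewed signed this". A real deployment would additionally validate the vendor certificate chain and the TCB and security-version fields of the quote, and would derive the session key with a proper KDF.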