Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/14/2017
04:07 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft's Azure 'Confidential Computing' Encrypts Data in Use

Early Access program under way for new Azure cloud security feature.

Microsoft is ramping up Azure data security with encryption of data while in use, a protection so far absent from the public cloud, the company announced today.

The new collection of features and services, called Azure "confidential computing," is the product of joint collaboration among the Azure team, Microsoft Research, Windows, its Developer Tools group, and Intel, all of which have been building the technology for over four years. Microsoft is making the new features available to users via an Early Access program.

Confidential computing lets users process data in the cloud, knowing it's under their control. The new Azure update arrives at a time when data breaches regularly make headlines and attackers find new ways to steal personally identifiable information (PII), financial data, and intellectual property.

Many businesses hesitate to move sensitive data to the cloud for fear it will be compromised while in use.

"While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data," says Azure CTO Mark Russinovich in a blog post.

Data has to be "in the clear" for efficient processing. In confidential computing, it's stored inside a Trusted Execution Environment (TEE). This ensures data and operations cannot be viewed from the outside, even if the attacker is using a debugger.

Microsoft uses enclaves to protect data in SQL Server, its own infrastructure, and blockchain financial operations, a technology known as the Coco Framework. The same tech will be applied to bring encryption-in-use to Azure SQL Database and SQL Server. This builds on the Always Encrypted capability, which encrypts sensitive data in an SQL database at all times by assigning computations on sensitive data to an enclave, where it is decrypted and processed.

Only authorized code is allowed to access the data inside an enclave. And if an attacker tries to manipulate the code, Azure denies the operations and disables the environment. TEE maintains this level of protection for as long as the code inside it is executed.

Microsoft says the ability to protect data in use can safeguard information from specific threats such as malicious insiders with administrative privilege or access to the hardware on which it's processed. Confidential computing also protects against third parties accessing data without the owner's consent, and malware designed to exploit bugs in the application, OS, or hypervisor, Microsoft says.

The platform Microsoft is building as part of confidential computing will let developers use multiple TEEs without requiring them to change code. At first Azure will support two: software-based Virtual Secure Mode (VSM) and hardware-based Intel SGX.

VSM is an enclave implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code from running on a computer or server. Local and cloud-service administrators cannot see the contents in, or change the execution of, the VSM enclave.

The Intel SGX TEE has the first SGX-capable servers in the public cloud. Users will be able to leverage SGX enclaves if they don't want their trust model to include Azure or Microsoft. Microsoft is working with both Intel and other partners to create and support more TEEs.

Microsoft foresees application of confidential computing in industries including finance, healthcare, and artificial intelligence. "In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE," says Russinovich.

Healthcare organizations, for example, could securely share private patient data, like genomic sequences, to gain deeper insights from machine learning across multiple data sets.

Microsoft customers interested in confidential computing can refer to Microsoft's Early Access program, which includes access to Azure VSM, SGX-enabled virtual machines, tools, SDKs, and Windows and Linux support.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17478
PUBLISHED: 2020-08-10
ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.
CVE-2020-15648
PUBLISHED: 2020-08-10
Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
CVE-2020-15649
PUBLISHED: 2020-08-10
Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR...
CVE-2020-15650
PUBLISHED: 2020-08-10
Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Fir...
CVE-2020-15651
PUBLISHED: 2020-08-10
A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS < 28.