Cloud

9/14/2017
04:07 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft's Azure 'Confidential Computing' Encrypts Data in Use

Early Access program under way for new Azure cloud security feature.

Microsoft is ramping up Azure data security with encryption of data while in use, a protection so far absent from the public cloud, the company announced today.

The new collection of features and services, called Azure "confidential computing," is the product of joint collaboration among the Azure team, Microsoft Research, Windows, its Developer Tools group, and Intel, all of which have been building the technology for over four years. Microsoft is making the new features available to users via an Early Access program.

Confidential computing lets users process data in the cloud, knowing it's under their control. The new Azure update arrives at a time when data breaches regularly make headlines and attackers find new ways to steal personally identifiable information (PII), financial data, and intellectual property.

Many businesses hesitate to move sensitive data to the cloud for fear it will be compromised while in use.

"While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data," says Azure CTO Mark Russinovich in a blog post.

Data has to be "in the clear" for efficient processing. In confidential computing, it's stored inside a Trusted Execution Environment (TEE). This ensures data and operations cannot be viewed from the outside, even if the attacker is using a debugger.

Microsoft uses enclaves to protect data in SQL Server, its own infrastructure, and blockchain financial operations, a technology known as the Coco Framework. The same tech will be applied to bring encryption-in-use to Azure SQL Database and SQL Server. This builds on the Always Encrypted capability, which encrypts sensitive data in an SQL database at all times by assigning computations on sensitive data to an enclave, where it is decrypted and processed.

Only authorized code is allowed to access the data inside an enclave. And if an attacker tries to manipulate the code, Azure denies the operations and disables the environment. TEE maintains this level of protection for as long as the code inside it is executed.

Microsoft says the ability to protect data in use can safeguard information from specific threats such as malicious insiders with administrative privilege or access to the hardware on which it's processed. Confidential computing also protects against third parties accessing data without the owner's consent, and malware designed to exploit bugs in the application, OS, or hypervisor, Microsoft says.

The platform Microsoft is building as part of confidential computing will let developers use multiple TEEs without requiring them to change code. At first Azure will support two: software-based Virtual Secure Mode (VSM) and hardware-based Intel SGX.

VSM is an enclave implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code from running on a computer or server. Local and cloud-service administrators cannot see the contents in, or change the execution of, the VSM enclave.

The Intel SGX TEE has the first SGX-capable servers in the public cloud. Users will be able to leverage SGX enclaves if they don't want their trust model to include Azure or Microsoft. Microsoft is working with both Intel and other partners to create and support more TEEs.

Microsoft foresees application of confidential computing in industries including finance, healthcare, and artificial intelligence. "In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE," says Russinovich.

Healthcare organizations, for example, could securely share private patient data, like genomic sequences, to gain deeper insights from machine learning across multiple data sets.

Microsoft customers interested in confidential computing can refer to Microsoft's Early Access program, which includes access to Azure VSM, SGX-enabled virtual machines, tools, SDKs, and Windows and Linux support.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.