We're excited to announce that Microsoft Azure is the first cloud to offer new data security capabilities with a collection of features and services called Azure confidential computing. Put simply, confidential computing offers a protection that to date has been missing from public clouds: encryption of data while in use. This means that data can be processed in the cloud with the assurance that it is always under customer control. The Azure team, along with Microsoft Research, Intel, Windows, and our Developer Tools group, has been working on confidential computing software and hardware technologies for over four years.
Confidential computing ensures that when data is "in the clear", which is required for efficient processing, the data is protected inside a Trusted Execution Environment (TEE, also known as an enclave), an example of which is shown in the figure below. TEEs ensure there is no way to view the data or the operations inside from the outside, even with a debugger. They also ensure that only authorized code is permitted to access the data. If the code is altered or tampered with, the operations are denied and the environment is disabled. The TEE enforces these protections throughout the execution of code within it.
Sign up for the Azure confidential computing Early Access program.
Microsoft Research papers related to confidential computing:
- Shielding applications from an untrusted cloud with Haven
- VC3: Trustworthy Data Analytics in the Cloud using SGX
- Oblivious Multi-Party Machine Learning on Trusted Processors
- A Design and Verification Methodology for Secure Isolated Regions
See how confidential computing fits within Microsoft's broader cloud security strategy in the Microsoft Story Labs feature: Securing the Cloud.