Data is at its greatest risk of compromise while it is in use: the moment it leaves an encrypted database and sits decrypted in server or application memory for processing. Microsoft is launching a new technology for Windows Server and Azure that protects data while it is being processed.
Microsoft claims the service, called Azure confidential computing, makes it the first public cloud provider to offer encryption of data while in use. Keeping data protected while it is being manipulated is not free (at minimum, every entry into and exit from the protected environment costs extra work), and Microsoft has given no figures for the performance impact of this service.
“Despite advanced cybersecurity controls and mitigations, some customers are reluctant to move their most sensitive data to the cloud for fear of attacks against their data when it is in use,” Mark Russinovich, Microsoft Azure CTO, wrote in a company blog post. “With confidential computing, they can move the data to Azure knowing that it is safe not only at rest, but also in use from [various] threats.”
Azure confidential computing uses a trusted execution environment (TEE) to ensure there is no way to read the data from outside the environment, whether through a bug in the operating system or by an attacker who has gained administrator privileges on the machine. That means data can be processed in the cloud with the assurance that it is always under customer control, Russinovich said.
Protecting data in a trusted execution environment
Azure confidential computing protects data while it is held and processed inside a TEE, also known as an “enclave.” The data is accessible only to authorized code; if that code is altered or tampered with, operations are denied and the environment is disabled, Russinovich wrote.
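The two properties described above, data that only the expected code can read and operations that fail once that code has been tampered with, come from binding every enclave key to a hash (measurement) of the enclave's code. The following is an added toy model of that mechanism, written for this article; it is not Microsoft's or any CPU vendor's code. The `ToyCpu` class, its root key, the HMAC-based key derivation and the HMAC "quote" are all stand-ins for hardware key derivation and vendor-signed attestation, and the enclave code, secret and report data are constructed sample values.

```python
"""Toy model of how an enclave ties data to the code allowed to touch it.

Constructed illustration, not Azure's or any vendor's implementation. The
"CPU" holds a root key that never leaves it; every enclave key is derived
from that root key plus a hash (measurement) of the enclave's code, so code
that has been modified derives a different key and cannot unseal the data.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class ToyCpu:
    """Stand-in for the processor; _root_key models a fused-in hardware secret."""

    def __init__(self) -> None:
        self._root_key = secrets.token_bytes(32)

    @staticmethod
    def measure(enclave_code: bytes) -> bytes:
        # Measurement = hash of the code loaded into the enclave.
        return hashlib.sha256(enclave_code).digest()

    def sealing_key(self, measurement: bytes) -> bytes:
        # Key bound to (this CPU, this exact code). Any change to the code
        # changes the measurement and therefore the key.
        return hmac.new(self._root_key, b"seal|" + measurement, hashlib.sha256).digest()

    def quote(self, measurement: bytes, report_data: bytes) -> bytes:
        # Attestation evidence over the measurement and enclave-supplied data.
        # Real quotes are asymmetric signatures chained to the CPU vendor; an
        # HMAC under the root key stands in for that here.
        return hmac.new(self._root_key, b"quote|" + measurement + report_data,
                        hashlib.sha256).digest()

    def verify_quote(self, measurement: bytes, report_data: bytes, quote: bytes) -> bool:
        return hmac.compare_digest(self.quote(measurement, report_data), quote)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a keystream (stdlib only; use AES-GCM in practice).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(cpu: ToyCpu, enclave_code: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the key derived for this code's measurement."""
    key = cpu.sealing_key(cpu.measure(enclave_code))
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(cpu: ToyCpu, enclave_code: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the code (hence the key) or the blob is wrong."""
    key = cpu.sealing_key(cpu.measure(enclave_code))
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered code -> different key -> MAC fails -> operation denied
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def provision_if_attested(cpu: ToyCpu, expected_measurement: bytes, measurement: bytes,
                          report_data: bytes, quote: bytes, secret: bytes) -> Optional[bytes]:
    """The data owner's side: release the secret only to the code it expects."""
    if not hmac.compare_digest(measurement, expected_measurement):
        return None
    if not cpu.verify_quote(measurement, report_data, quote):
        return None
    return secret


def demo() -> dict:
    cpu = ToyCpu()
    # Constructed enclave code; the second copy differs only by a trailing comment.
    good_code = b"def process(portfolio): return sum(portfolio)"
    evil_code = good_code + b"  # plus an exfiltration routine"
    secret = b"portfolio: ACME 40%, Globex 60%"

    # 1. Attestation: the owner releases the secret only to the expected code.
    expected = ToyCpu.measure(good_code)
    report = b"enclave-public-key-goes-here"  # constructed report data
    good_quote = cpu.quote(expected, report)
    evil_quote = cpu.quote(ToyCpu.measure(evil_code), report)

    # 2. Sealing: once inside, the secret is bound to the same measurement.
    blob = seal(cpu, good_code, secret)
    tampered_blob = blob[:-1] + bytes([blob[-1] ^ 1])

    return {
        "attest_good": provision_if_attested(cpu, expected, expected, report, good_quote, secret),
        "attest_evil": provision_if_attested(cpu, expected, ToyCpu.measure(evil_code), report, evil_quote, secret),
        "attest_forged": provision_if_attested(cpu, expected, expected, report, evil_quote, secret),
        "unseal_good": unseal(cpu, good_code, blob),
        "unseal_evil": unseal(cpu, evil_code, blob),
        "unseal_tampered": unseal(cpu, good_code, tampered_blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value!r}")
```

The point the model makes is that nothing in the enclave "checks" whether the code has been modified at access time: modified code simply derives a different key, so its unseal fails, and its attestation quote carries a measurement the data owner does not recognise, so the secret is never sent to it in the first place.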
“We see broad application of Azure confidential computing across many industries, including finance, healthcare, AI and beyond,” he wrote. “In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE. Healthcare organizations can collaborate by sharing their private patient data, like genomic sequences, to gain deeper insights from machine learning across multiple data sets without risk of data being leaked to other organizations.”
This is the same technology used in the Coco Framework for enterprise blockchain, which Microsoft introduced last month. Microsoft already uses enclaves to protect blockchain financial operations, data stored in SQL Server and its own infrastructure within Azure, Russinovich noted.
Initial support is available both in software and hardware. The software implementation is Virtual Secure Mode (VSM), a TEE implemented by Hyper-V on Windows 10 and Windows Server 2016.