Azure Unblogged - Azure Confidential Computing

Published Sep 07 2021 11:59 PM 3,262 Views
Microsoft

In this episode of Azure Unblogged, Thomas Maurer speaks with Stefano Tempesta about Azure Confidential Computing. Confidential computing is the protection of data in use by performing computation in a hardware-based Trusted Execution Environment (TEE). While data belonging to cloud-native workloads is typically protected in transit through network encryption (e.g. TLS, VPN) and at rest (e.g. encrypted storage), confidential computing protects data in memory while it is being processed.


Azure confidential computing allows you to isolate your sensitive data while it's being processed in the cloud. Many industries use confidential computing to protect their data, for example to:

  • Secure financial data
  • Protect patient information
  • Run machine learning processes on sensitive information
  • Perform algorithms on encrypted data sets from multiple sources

We know that securing your cloud data is important. We hear your concerns. Here are just a few questions that our customers may have when moving sensitive workloads to the cloud:

  • How do I make sure Microsoft can't access data that isn't encrypted?
  • How do I prevent security threats from privileged admins inside my company?
  • What are more ways that I can prevent third-parties from accessing sensitive customer data?

Microsoft Azure helps you minimize your attack surface to gain stronger data protection. Azure already offers many tools to safeguard data at rest through models such as client-side encryption and server-side encryption. Additionally, Azure offers mechanisms to encrypt data in transit through secure protocols like TLS and HTTPS. Azure Confidential Computing introduces a third leg of data encryption - the encryption of data in use.


You can watch the video here or on Channel 9: https://channel9.msdn.com/Shows/IT-Ops-Talk/Azure-Unblogged-Azure-Confidential-Computing?WT.mc_id=modinfra-36604-thmaure



Learn more:

  • Azure Confidential Computing: https://azure.microsoft.com/en-us/solutions/confidential-compute/?WT.mc_id=modinfra-36604-thmaure#overview
  • ACC docs and samples: https://docs.microsoft.com/en-us/azure/confidential-computing/?WT.mc_id=modinfra-36604-thmaure
  • ACC blog: https://techcommunity.microsoft.com/t5/azure-confidential-computing/bg-p/AzureConfidentialComputingBlog?WT.mc_id=modinfra-36604-thmaure

3 Comments

Re: Azure Unblogged - Azure Confidential Computing

Great information.

Do these hardware-based CPUs (used for confidential computing) add latency while processing?

Re: Azure Unblogged - Azure Confidential Computing

This is seriously cool and innovative stuff :) Thanks for sharing!!!

Happy Azure Stacking!!!

Re: Azure Unblogged - Azure Confidential Computing

In answer to the comment asking whether hardware-based encryption of trusted execution environments brings a performance penalty.

Let's take the case of Intel SGX enclaves, which provide hardware-enforced confidentiality and integrity guarantees for running computations. This is achieved mainly by encrypting all information as it leaves the CPU, effectively shielding data in the memory from external observers.

Yes, there is an overhead of running computations inside an enclave. You would expect some overhead due to the added encryption and decryption complexity. In addition, extra security measures such as integrity tests and memory usage limitations can also affect performance.

The performance overheads can result from two main aspects: first is the actual overhead of executing CPU instructions and accessing the encrypted memory in an enclave. The second is the overhead associated with entering and exiting an enclave.

It's hard to provide exact figures on performance impact. A lot depends on the data volume that is processed.

  • When running on large inputs, code running inside enclaves can typically achieve very high throughput, on par with code running outside enclaves.
  • For small inputs, there may be some overhead of invoking enclave calls. This is because enclaves are only invoked via a special interface called ECALL. The ECALLs are known to have a performance impact due to the CPU's context switches.
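The trade-off described in the last comment (a fixed transition cost on every ECALL, which dominates for small inputs and amortises for large ones), as an added example that is not code from the original post or the Intel SGX SDK: the enclave boundary is simulated by a plain function so it runs offline, and the two cost constants are assumed illustrative values, not measurements. It also shows the usual mitigation, batching records outside the enclave so that the boundary is crossed once per batch.

```python
# Added example (not from the original post or the Intel SGX SDK).
# The enclave is simulated; ECALL_TRANSITION_COST and PER_BYTE_COST are
# assumed illustrative values in arbitrary time units, not measurements.
from typing import Iterable, List, Tuple

ECALL_TRANSITION_COST = 8_000  # assumed fixed cost of one enter/exit (context switch)
PER_BYTE_COST = 1              # assumed cost per byte processed inside the enclave


class SimulatedEnclave:
    """Stand-in for a real enclave: counts ECALLs and accumulates modelled cost."""

    def __init__(self) -> None:
        self.ecalls = 0
        self.cost = 0

    def ecall_process(self, payload: bytes) -> int:
        # Every call pays the transition cost, then a cost proportional to the work.
        self.ecalls += 1
        self.cost += ECALL_TRANSITION_COST + PER_BYTE_COST * len(payload)
        return len(payload)


def process_one_by_one(records: Iterable[bytes]) -> Tuple[int, int]:
    """One ECALL per record: the transition cost dominates for small records."""
    enclave = SimulatedEnclave()
    for rec in records:
        enclave.ecall_process(rec)
    return enclave.ecalls, enclave.cost


def process_batched(records: Iterable[bytes], batch_bytes: int) -> Tuple[int, int]:
    """Accumulate records outside the enclave and cross the boundary once per batch."""
    enclave = SimulatedEnclave()
    buf: List[bytes] = []
    buffered = 0
    for rec in records:
        buf.append(rec)
        buffered += len(rec)
        if buffered >= batch_bytes:
            enclave.ecall_process(b"".join(buf))
            buf, buffered = [], 0
    if buf:  # flush the final partial batch
        enclave.ecall_process(b"".join(buf))
    return enclave.ecalls, enclave.cost


def cost_per_byte(records: List[bytes], batch_bytes: int) -> Tuple[float, float]:
    """Amortised cost per byte for the two strategies on the same input."""
    total = sum(len(r) for r in records)
    _, single = process_one_by_one(records)
    _, batched = process_batched(records, batch_bytes)
    return single / total, batched / total
```

With 1000 records of 64 bytes the modelled cost per byte drops from 126 to 3 once the work is batched into 4 KiB ECALLs, while a single 1 MB input costs the same either way, matching the comment's observation that large inputs run on par with code outside the enclave.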
Last update: Sep 07 2021 11:59 PM