Published: Sat, September 16, 2017
Hi-Tech | By Ellis Neal

Microsoft Azure Cloud Security Encrypts In-Use Data

Put simply, confidential computing offers a protection that to date has been missing from public clouds, encryption of data while in use.

Managed Service Identity Preview

The preview of Azure AD Managed Service Identity is designed as an aid for developers, so that they won't have to manage security credentials when their code uses various Microsoft Azure services.

The confidential computing feature will allow applications running on Azure to keep data encrypted not only when it's at rest (in storage) or in transit (over a network) but also when it's being computed on in memory. Even in the case of an attack, and even if the hacker gains access to the main VM, the data inside the VSM TEE will still remain out of reach. "Initially we support two TEEs, Virtual Secure Mode and Intel SGX." The processor itself will encrypt and decrypt data from memory, such that the data is only decrypted when it's within the processor itself.

Mark Russinovich, Chief Technology Officer of Microsoft Azure, stated that most data breaches occur while data is in use. Customers who want their trust model to exclude Azure or Microsoft entirely can leverage SGX TEEs. "We're also offering hardware-based Intel SGX TEE with the first SGX-capable servers in the public cloud." Microsoft is working with other parties as well to develop other TEEs.

Intel and Microsoft will also probably take the new technology to the server computers that companies use in their own data centers, referred to as on-premise computing, Intel's Echevarria said. The technology will provide similar encryption-in-use protections to the database products without affecting the normal operations of SQL queries. It's an "enhancement of our Always Encrypted capability", Russinovich explained.

He also noted that US-based technology is no guarantee of 100 percent security, and said the Kaspersky ban "is, in reality, ultimately unsafe as it gives a false sense of confidence that USA national security interests are being protected from foreign threats, when in fact such bans do not really address the realities of United States dependencies on foreign supply chains".

Microsoft's announcement promised that Azure AD Managed Service Identity is slated to be part of the free tier of Azure AD subscriptions, so there will be no cost for using it.

Russinovich said confidential computing has applicability in, for example, finance, where personal portfolio data and wealth management strategies would no longer be visible outside of a TEE.

To do this, Microsoft says it will be moving Azure code and data into a Trusted Execution Environment that authorizes code to make sure it has not been tampered with, and then processes it in a locked-down "enclave" environment secured from any outside access.

Microsoft has been very busy indeed at its Ignite conference in Atlanta, revealing new Azure partnerships with auto manufacturer Nissan and with Adobe, which will move some of its own cloud services onto Microsoft's cloud infrastructure.