If you missed the breakout session on “Azure confidential computing and Intel: technology for the AI era” at Ignite, you’re not out of luck. We’ve got you covered for the announcement of new Confidential VM instances on Azure, powered by Intel® Trust Domain Extensions (Intel® TDX), along with other news on the Confidential Computing collaboration between Microsoft and Intel. It’s all in this on-demand video presented by Anil Rao, Intel’s VP and GM of Security and Systems Architecture, and Vikas Bhatia, the Head of Product, Azure confidential computing at Microsoft.
Welcome to the era of data potential
Public cloud resources provide a cost-effective, highly scalable alternative to traditional on-prem infrastructure for many applications. One of the most exciting areas for innovation is data collaboration among multiple parties for shared analysis and solution development. With the advent of AI, such large quantities of data have become essential for the creation of new models, improved analysis, and more effective solutions.
But data is often private or sensitive, and access is often governed by regulations, so getting the full potential out of that data can be a challenge. Over time, new technologies have emerged to protect data and ease these privacy, security, and compliance concerns, but there was always a gap. Storage and disk encryption have matured to protect data at rest, and network encryption protects data in transit. Neither technique helps while data is actively in use in the processor and memory: away from storage and off the network, the data has remained exposed.
In this phase of its lifecycle, data in use can be a high-value target for sophisticated hackers or nation-state actors, as well as malicious insiders. Although a service innovation may create new value and convenience for users, the risk of activating the data beyond a locked-down storehouse is often too great for the project to proceed, leading to data silos and unrealized potential.
This is the gap in the data protection continuum that Azure confidential computing has been designed to address, helping protect data from end to end.
What is confidential computing?
Confidential computing delivers three essential functions.
1. ISOLATION:
Confidential computing uses silicon-based technology to create a hardware-enforced Trusted Execution Environment (TEE). That’s the only place where sensitive data is decrypted, and only software inside the TEE’s trust boundary can access that data. This creates a technological separation from all the software and admins outside the trust boundary, essentially cutting the protected material off from any outside influence. It’s even isolated from the cloud provider’s own management stack, hypervisor, and infrastructure admins.
2. ENCRYPTION & CONTROL:
With Confidential Computing, only authorized data owners hold the keys to their data. Outside the TEE the data stays encrypted; inside the TEE, only authorized software or parties can view it. No one else, not the cloud provider, not other cloud tenants, not anyone, can access your data in plaintext.
3. VERIFICATION:
How can you know your TEE is genuine and functioning properly? Confidential computing technology includes cryptographic verification that the TEE is genuine, updated within policy, and, depending on the technology, can verify the software running in the TEE is exactly what’s expected. This process is generally called “Attestation.”
Intel® SGX and Intel® TDX: Building the foundation of TEE
To create the TEEs that support confidential computing, Intel offers the most extensive confidential computing portfolio to meet the diverse needs of modern organizations. Intel pioneered Confidential Computing for the data center by introducing application isolation with Intel® Software Guard Extensions (Intel® SGX), hardware-based memory encryption that isolates specific application code and data in memory.
But Intel SGX was just the beginning. In 2023, Intel introduced Intel® Trust Domain Extensions (Intel® TDX), the VM isolation technology now also available on Azure.
Find out more about Intel TDX and confidential VMs.
These products and services are backed by Intel’s unmatched ecosystem and solution-provider enablement, as well as its “security first” development practices and best-in-class lifecycle security support. Intel is committed to keeping customers protected long after their initial purchase of an Intel-based platform. Let’s talk about how Intel® Trust Authority adds another layer to that protection.
Reliable Attestation: the power of Intel® Trust Authority
Attestation lets you know for sure that the cloud instance into which you are about to deploy your sensitive data is actually what you expect it to be. Intel® Trust Authority provides a SaaS-based, independent source of attestation services for public and private cloud, on-prem, and edge environments. It gives you cryptographic confirmation of the state of a confidential computing environment that is independent of the cloud provider and that any stakeholder can request at any time. That confirmation establishes that:
- The TEE is established on a genuine, security-enabled Intel processor
- The processor’s microcode patch is updated within your policy
- The TEE was launched using authenticated firmware
- The software in the TEE matches the developer’s certified manifest and the customer’s policy
In other words, Intel Trust Authority confirms that the hardware foundation of your security is trustworthy.
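The following is an added example, not code from Intel Trust Authority, Azure, or this article, that shows what a relying party does with the four confirmations listed above: it takes an attestation quote, checks that it was signed by a trusted platform key, and then evaluates each measurement against its own policy, failing closed if anything is missing. The quote layout, field names, policy values, and the HMAC "platform key" are all constructed for the demonstration; a real TDX quote is signed with an asymmetric attestation key whose certificate chain leads back to the silicon vendor.

```python
"""Toy attestation verifier (added example; constructed quote format, not a real TDX quote)."""
import copy
import hashlib
import hmac
import json

# Constructed stand-in for the hardware root of trust the verifier relies on.
# An HMAC secret keeps the example dependency-free; production verification uses
# signature verification against a vendor-rooted certificate chain.
TRUSTED_PLATFORM_KEY = b"constructed-platform-root-key-for-demo-only"


def measure(blob: bytes) -> str:
    """Measurement digest of a firmware/software image (SHA-384, the width of TDX measurement registers)."""
    return hashlib.sha384(blob).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so that signer and verifier hash exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_quote(body: dict, key: bytes = TRUSTED_PLATFORM_KEY) -> dict:
    """Constructed 'hardware' signing step: the platform vouches for the quote body."""
    return {"body": body, "signature": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def quote_is_genuine(quote: dict, key: bytes = TRUSTED_PLATFORM_KEY) -> bool:
    """Check 1: the quote was produced by a platform holding the trusted key."""
    expected = hmac.new(key, _canonical(quote["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, quote["signature"])


def verify_quote(quote: dict, policy: dict) -> dict:
    """Evaluate the four attestation properties; 'trusted' is True only if all pass.

    Any missing or malformed field makes every check fail (fail closed).
    """
    checks = {
        "genuine_processor": False,
        "microcode_within_policy": False,
        "authenticated_firmware": False,
        "software_matches_manifest": False,
    }
    try:
        body = quote["body"]
        checks["genuine_processor"] = quote_is_genuine(quote)
        # Check 2: the microcode security version number meets the policy minimum.
        checks["microcode_within_policy"] = int(body["tcb"]["microcode_svn"]) >= policy["min_microcode_svn"]
        # Check 3: the TEE was launched with firmware on the allow-list.
        checks["authenticated_firmware"] = body["firmware_measurement"] in policy["allowed_firmware"]
        # Check 4: the workload image matches the manifest the customer expects.
        checks["software_matches_manifest"] = hmac.compare_digest(
            body["software_measurement"], policy["expected_software"]
        )
    except (KeyError, TypeError, ValueError):
        pass  # leave all checks False
    checks["trusted"] = all(checks.values())
    return checks


# ---- constructed sample data -------------------------------------------------
GOOD_FIRMWARE = measure(b"constructed TD virtual firmware image")
GOOD_SOFTWARE = measure(b"constructed workload image v1")

POLICY = {
    "min_microcode_svn": 5,
    "allowed_firmware": {GOOD_FIRMWARE},
    "expected_software": GOOD_SOFTWARE,
}

# A healthy platform: signed body, current microcode, expected firmware and software.
GOOD_QUOTE = sign_quote({
    "tcb": {"microcode_svn": 7},
    "firmware_measurement": GOOD_FIRMWARE,
    "software_measurement": GOOD_SOFTWARE,
})

# Genuine platform, but microcode older than policy allows.
STALE_QUOTE = sign_quote({
    "tcb": {"microcode_svn": 3},
    "firmware_measurement": GOOD_FIRMWARE,
    "software_measurement": GOOD_SOFTWARE,
})

# Quote body altered after signing: the signature no longer covers the body.
TAMPERED_QUOTE = copy.deepcopy(GOOD_QUOTE)
TAMPERED_QUOTE["body"]["software_measurement"] = measure(b"constructed unexpected workload")

if __name__ == "__main__":
    for name, q in [("good", GOOD_QUOTE), ("stale", STALE_QUOTE), ("tampered", TAMPERED_QUOTE)]:
        print(name, verify_quote(q, POLICY))
```

The design point worth noting is that the checks are independent: a stale microcode version is reported even though the quote is genuine, and a tampered body fails the signature check before its contents are ever compared with policy. A relying party should release secrets to the environment only when the combined `trusted` verdict is true.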
Deeper levels of confidence with Intel TDX
Even if you missed the presentation at Ignite, you can still take advantage of the new Intel TDX confidential VM security features that are now in preview, such as ephemeral VMs and OS disk integrity.
Ephemeral VMs provide an added level of security when a confidential VM is stopped and restarted. In that case, the cloud virtual machine (CVM) images could retain configurations, data, and secrets from the previous boot, potentially exposing confidential information. Intel TDX includes an ephemeral virtual trusted platform module (vTPM) that ensures no secrets, such as keys or configurations, persist in the vTPM across restarts.
The OS disk integrity tool is an Azure command line interface (CLI) extension that enables users to prepare, measure, and attest that the operating system (OS) disk is launched as expected. With it, users can cryptographically attest that the contents of the OS disk’s root or system partition are intact and as expected before processing any confidential workloads. You can sign up for the preview of the OS disk integrity tool now.
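As an added illustration of the prepare, measure, and attest steps described above (example code written for this page, not the Azure CLI extension or its file formats), the block below measures a constructed "root partition" as a hash tree over fixed-size blocks, in the style of dm-verity: the prepare step records a reference root hash and per-block digests, the measure step recomputes the root hash from the partition bytes, and the attest step compares the two before any workload is allowed to run. The partition contents, block size, and tampering offset are constructed for the demonstration.

```python
"""Block hash-tree measurement of an OS root partition (added example; constructed data)."""
import hashlib
import hmac

BLOCK_SIZE = 4096  # assumed block size for the constructed device


def block_hashes(partition: bytes, block_size: int = BLOCK_SIZE) -> list[bytes]:
    """Leaf digests: one SHA-256 per block; the final block is zero-padded like a real device."""
    padded_len = -(-len(partition) // block_size) * block_size
    padded = partition.ljust(padded_len, b"\x00")
    return [hashlib.sha256(padded[i:i + block_size]).digest() for i in range(0, padded_len, block_size)]


def root_hash(hashes: list[bytes]) -> bytes:
    """Reduce leaf digests pairwise to a single root (odd levels duplicate the last node)."""
    level = list(hashes)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0]


def prepare_reference(partition: bytes) -> dict:
    """Prepare step: record the expected measurement at image build time."""
    leaves = block_hashes(partition)
    return {"block_size": BLOCK_SIZE, "root": root_hash(leaves).hex(), "blocks": [h.hex() for h in leaves]}


def measure_partition(partition: bytes) -> str:
    """Measure step: recompute the root hash of the partition as it exists now."""
    return root_hash(block_hashes(partition)).hex()


def attest_partition(partition: bytes, reference: dict) -> bool:
    """Attest step: the partition may be trusted only if its root hash matches the reference."""
    return hmac.compare_digest(measure_partition(partition), reference["root"])


def modified_blocks(partition: bytes, reference: dict) -> list[int]:
    """Diagnostic: which block indices differ from the reference (for incident triage, not for trust)."""
    current = [h.hex() for h in block_hashes(partition)]
    return [i for i, (a, b) in enumerate(zip(current, reference["blocks"])) if a != b]


# ---- constructed sample partition --------------------------------------------
ORIGINAL_PARTITION = (b"constructed root filesystem bytes: /sbin/init ... ") * 300  # ~15 KB, 4 blocks
REFERENCE = prepare_reference(ORIGINAL_PARTITION)

# A single modified byte range inside block 1 (offset 5000 falls in the second 4 KiB block).
TAMPERED_PARTITION = ORIGINAL_PARTITION[:5000] + b"UNEXPECTED" + ORIGINAL_PARTITION[5010:]

if __name__ == "__main__":
    print("original attests:", attest_partition(ORIGINAL_PARTITION, REFERENCE))
    print("tampered attests:", attest_partition(TAMPERED_PARTITION, REFERENCE))
    print("modified blocks:", modified_blocks(TAMPERED_PARTITION, REFERENCE))
```

The root hash is the only value that needs to be bound into the attestation evidence (for example, extended into a TDX runtime measurement register or recorded in the vTPM), because any change to any block changes the root. The per-block list is kept only so an operator can see where a mismatch occurred after the launch has already been refused.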
See the power of Azure and Intel in action
Check out the case studies on Azure confidential computing and Intel® technology.
Fireblocks is using Azure confidential computing with Intel® SGX and Intel® TDX technologies to drive the future of asset tokenization.
Read the case study…
Decentriq is helping retailers using confidential computing in specialized data clean rooms to improve customer targeting and messaging with first-party data even as cookies are becoming a thing of the past.
Read the white paper…
We have many more examples of enterprises in Financial Services, Healthcare, Government, Retail, and more, all protecting real-world production workloads with Intel-based Confidential Computing technologies. Find more information and resources to stay up-to-speed on the latest confidential computing innovations from Azure and Intel:
- Azure confidential computing resource page
- Intel confidential computing resource page
- Intel TDX CVM blog post
- The Azure confidential computing framework blog
Notices and Disclaimers
Performance varies by use, configuration, and other factors. Learn more on the Performance Index site.
Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available updates. See backup for configuration details. No product or component can be absolutely secure.
Your costs and results may vary.
Intel technologies may require enabled hardware, software, or service activation.
© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.