
Microsoft Azure enables confidential computing with Intel® SGX

Rebecca_Weekly

This blog was updated on 11/17/20.


Protecting data and code that’s in use inside a processor’s memory is the new frontier for comprehensive data security in the cloud. Intel and Microsoft are both premier members of the Confidential Computing Consortium, which aims to accelerate the adoption of Trusted Execution Environment (TEE) technologies and standards. Intel Software Guard Extensions (Intel SGX) is a hardware-based TEE that allows developers to create security-enabled enclaves—small, trusted environments within a CPU whose code and data the operating system cannot access while they execute.




Figure 1. Data has traditionally been protected in transit and at rest, but unprotected when in use in the processor.

Working closely with Intel, Microsoft launched confidential computing in August 2017, and in April 2020 Azure became the first major cloud provider to announce general availability of confidential computing based on Intel SGX. The new Microsoft Azure DCsv2-series virtual machine (VM) runs on Intel® Xeon® E processors and helps protect the confidentiality and integrity of customer data while it is in use.




“Customers are concerned about security protections whether they be from malicious users on the inside or hackers on the outside. Any point where the data is not protected is an opportunity for those attacks to occur. This is why it’s so important to make sure that the data is protected not just at rest and in flight but even when it’s running inside the processor.”
Corey Sanders, Corporate VP, Azure Compute at Microsoft



Figure 2. Intel SGX protects information in the hardware when it is not running in the application’s enclave.

Microsoft Azure confidential computing uses Intel SGX to protect data during that critical moment of processing when the data is not encrypted. This helps improve security to support use cases such as the following:




  • Federated (machine) learning. Federated learning is a distributed approach to machine learning (ML) that enables multiple organizations to collaborate on ML projects. Confidential computing with Intel SGX is ideal for federated learning solutions because the enclaves are remotely attestable, meaning that one party can cryptographically verify that an enclave on another party’s computer is running trusted, unmodified code.

  • Confidential containers and VMs. In multitenant cloud environments such as Microsoft Azure, customers worry that containers and VMs might be open to attack. Support for trusted execution through Intel SGX provides stronger assurance that container and VM processes are protected from outside attacks.

  • Confidential databases. Confidential computing with Intel SGX can be used to increase the protection of databases on Microsoft Azure through isolation of sensitive data or isolation of cryptographic keys.

  • Blockchain. Intel SGX helps Microsoft Azure increase customer privacy and security for blockchain transaction processing, smart contracts, and key storage.
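The remote-attestation check described under federated learning, as an added example that is not code from this post or from Intel or Microsoft: the policy a federated learning aggregator applies to the 384-byte report body carried in an SGX quote before it releases model updates to a participant's enclave. It assumes the quote's signature has already been verified against the platform's attestation service (not shown), follows the sgx_report_body_t field layout, and uses constructed measurement values and constructed sample bodies.

```python
import struct

REPORT_BODY_LEN = 384   # sizeof(sgx_report_body_t)
ATTR_DEBUG = 1 << 1     # ATTRIBUTES.FLAGS bit 1: enclave was built in debug mode

def parse_report_body(body: bytes) -> dict:
    """Extract the fields a verifier policy cares about from a report body."""
    if len(body) != REPORT_BODY_LEN:
        raise ValueError("report body must be exactly 384 bytes")
    flags, _xfrm = struct.unpack_from("<QQ", body, 48)        # ATTRIBUTES
    isv_prod_id, isv_svn = struct.unpack_from("<HH", body, 256)
    return {"attr_flags": flags,
            "mr_enclave": body[64:96],      # hash of enclave code+data at build
            "mr_signer": body[128:160],     # hash of the vendor's signing key
            "isv_prod_id": isv_prod_id, "isv_svn": isv_svn,
            "report_data": body[320:384]}   # caller-chosen data, e.g. a nonce

def check_policy(body: bytes, policy: dict, nonce: bytes) -> list:
    """Return reasons to refuse the enclave; an empty list means trusted."""
    r, failures = parse_report_body(body), []
    if r["attr_flags"] & ATTR_DEBUG:
        failures.append("debug enclave: memory is readable by a host debugger")
    if r["mr_signer"] != policy["mr_signer"]:
        failures.append("MRSIGNER mismatch: not signed by the trusted vendor key")
    if r["mr_enclave"] not in policy["mr_enclaves"]:
        failures.append("MRENCLAVE not allowlisted: unknown or modified enclave")
    if r["isv_prod_id"] != policy["isv_prod_id"]:
        failures.append("ISVPRODID mismatch: different product")
    if r["isv_svn"] < policy["min_isv_svn"]:
        failures.append("ISVSVN too low: enclave version lacks required fixes")
    if r["report_data"][:32] != nonce:
        failures.append("REPORTDATA nonce mismatch: stale or replayed quote")
    return failures

def build_report_body(mr_enclave, mr_signer, prod_id, svn, flags, nonce):  # test helper
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<QQ", body, 48, flags, 0x7)   # FLAGS, XFRM (x87|SSE|AVX)
    body[64:96], body[128:160] = mr_enclave, mr_signer
    struct.pack_into("<HH", body, 256, prod_id, svn)
    body[320:352] = nonce                           # verifier's freshness nonce
    return bytes(body)

# Constructed values: the aggregator's policy, the nonce it sent, two sample bodies.
TRUSTED_SIGNER, GOOD_MRENCLAVE = bytes.fromhex("11" * 32), bytes.fromhex("22" * 32)
POLICY = {"mr_signer": TRUSTED_SIGNER, "mr_enclaves": {GOOD_MRENCLAVE},
          "isv_prod_id": 7, "min_isv_svn": 3}
NONCE = bytes.fromhex("ab" * 32)
GOOD_BODY = build_report_body(GOOD_MRENCLAVE, TRUSTED_SIGNER, 7, 3, 0x5, NONCE)
BAD_BODY = build_report_body(GOOD_MRENCLAVE, TRUSTED_SIGNER, 7, 2, 0x7, NONCE)
```

`check_policy(GOOD_BODY, POLICY, NONCE)` returns an empty list, while `BAD_BODY` is refused for being a debug build and for an ISVSVN below the policy minimum; binding a fresh nonce into REPORTDATA is what stops a valid but old quote from being replayed.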


Surveys show that the top cloud security concern of cybersecurity professionals is data loss and leakage. Microsoft Azure sees the higher level of security and privacy provided by confidential computing built on Intel SGX as a major opportunity to ease customer concerns about protecting the confidentiality of data in the cloud.


Learn more


“Today’s top clouds are powered by Intel” white paper


Azure with Intel webpage

About the Author
Rebecca Weekly, Vice President, General Manager, and Senior Principal Engineer, Hyperscale Strategy and Execution, Intel Corporation. Rebecca leads the organization that influences every aspect of Intel’s cloud platform solutions. Together they shape Intel’s development, production, and business strategy for Hyperscale Cloud Service Providers by driving strategic collaborations with key partners to ensure platform requirements meet customer needs. Rebecca is the Open Compute Project president and chair of the board and is on Fortune’s 40 Under 40 2020 list of most influential people in technology. In her "spare" time, she is the lead singer of the funk and soul band Sinister Dexter, and enjoys her passion for dance and choreography. She has two amazing little boys, and loves to run (after them, and on her own). Rebecca graduated from MIT with a degree in Computer Science and Electrical Engineering.