Microsoft recently started trials for a security upgrade for Azure known as confidential computing. The idea is...
to encrypt data not just at rest and in transit, but also while it is being processed. This means that the data is protected even from Microsoft staff that has access to the underlying hardware where the data is stored and processed.
This new protection mechanism is designed for data that needs an extra layer of security assurance, such as medical or financial data, and is aimed at organizations that have previously been hesitant to store and process their most sensitive data in the cloud.
In order to achieve this extra layer of encryption, the data is processed inside a trusted execution environment (TEE), also known as a secure enclave. This creates an encrypted area within the hardware that processes the data and is inaccessible to anyone who has access to that hardware.
Initially, Azure supports two types of TEE, a software-based enclave known as Virtual Secure Mode that is used by Hyper-V in Windows 10 and Server 2016, and Intel SGX, which can be used as a hardware-based solution that completely protects data, even from employees of Microsoft.
Many cyberattacks target data that is in use because it is the most viable method of gaining access to data that is encrypted at rest and in transit. Once the network perimeter is breached, hackers target privileged accounts because they generally have access to all the data in the network. They may also gain privileged access to the server that is processing the data by leveraging a vulnerability in the operating system or hypervisor. In either case, by executing the processing of the data inside the secure enclaves, even hackers who have compromised privileged accounts will be unable to read and extract the sensitive data.
The downside to Azure confidential computing
While this new layer of protection and anything that promotes further use of encryption is welcome, secure enclaves are complicated and come with the risk of vulnerabilities that could be exploited to gain access to the data.
This extra layer of security makes it more difficult to access the data, but an attack known as Dark-ROP has already proven that secure enclaves can be defeated if errors in the implementation are discovered. However, it is still far more difficult to attack a secure enclave than if the data was being processed unencrypted. So, while attacks are possible, adding a defense-in-depth layer can delay the hacker and makes it less likely that the data will be compromised.
Overall, Azure's implementation of secure enclaves is a big step forward in cloud security, but it is still early days for this type of technology. Those organizations that do not trust their secure data being stored in the cloud may still be unwilling to change. However, that data is still stored somewhere on that company's network and, in the vast majority of cases, a data breach that affects the company directly is far more likely than one that directly affects Microsoft Azure.