Microsoft Secures Azure Enclaves With Hardware Guardians

Microsoft is putting hardware in charge of data protection in Azure to help customers feel confident about sharing data with authorized parties within the cloud environment. The company made a series of hardware security announcements at its Ignite 2022 conference this week to highlight Azure’s confidential computing offerings.

Confidential computing involves creating a Trusted Execution Environment (TEE), essentially a black box to hold encrypted data. In a process called attestation, authorized parties can place code inside the box to decrypt and access the information without first having to move the data out of the protected space. The hardware-protected enclave creates a trustworthy environment in which data is tamper-proof, and the data isn’t accessible even to those with physical access to the server, a hypervisor, or even an application.

“It’s really kind of the ultimate in data protection,” Mark Russinovich, Microsoft Azure’s chief technology officer, said at Ignite.

On Board With AMD’s Epyc

Several of Microsoft’s new hardware security layers use on-chip features included in Epyc, the Advanced Micro Devices server processor deployed in Azure.

One such feature is SEV-SNP, which encrypts AI data while it is in a CPU. Machine-learning applications move data continuously between a CPU, accelerators, memory, and storage. AMD’s SEV-SNP ensures data security within the processor environment while locking down access to that information as it passes through the execution cycle.

AMD’s SEV-SNP feature closes a critical gap so data is secure at all layers while residing or moving in the hardware. Other chip makers have largely focused on encrypting data while in storage and in transit on communication networks, but AMD’s features secure data while being processed in the CPU.

This offers several advantages, and companies can combine proprietary data with third-party data sets residing in other secure enclaves in Azure. SEV-SNP features use attestation to ensure that incoming data arrives in its exact form from a relying party and can be trusted.

“This is enabling net new scenarios and confidential computing that was not possible before,” said Amar Gowda, principal product manager at Microsoft Azure, during an Ignite webcast.

For example, banks can share confidential data without fear that someone will steal it. The SEV-SNP feature brings encrypted banking data into a secure third-party enclave, where it can be mixed with data sets from other sources.

“Because of this attestation and memory protection and integrity protection, you can rest assured that the data does not leave the boundaries in the wrong hands. The whole thing is about how do you enable new offerings on top of this platform,” Gowda said.

Hardware Security in Virtual Machines

Microsoft also added further security for cloud-based workloads, and the non-exportable encryption keys generated via SEV-SNP are a logical fit for enclaves where data is transient and not retained, James Sanders, cloud, infrastructure, and quantum analyst at CCS Insight, says in a conversation with Dark Reading.

“For Azure Virtual Desktop, SEV-SNP adds an additional layer of security for virtual-desktop use cases, including bring-your-own-device workplaces, remote work, and graphics-intensive applications,” Sanders says.

Some workloads haven’t moved to the cloud because of regulation and compliance limitations tied to data privacy and security. The hardware security layers will allow companies to migrate such workloads without compromising their security posture, Run Cai, a principal program manager at Microsoft, said during the conference.

Microsoft also announced that Azure Virtual Desktop with confidential VMs is in public preview, which can run Windows 11 attestation in confidential VMs.

“You can use secure remote access with Windows Hello and also secure access to Microsoft Office 365 applications within confidential VMs,” Cai said.

Microsoft has been dabbling with the use of AMD’s SEV-SNP in general-purpose VMs since earlier this year, which was a good start, CCS Insight’s Sanders says.

The adoption of SEV-SNP is also important validation for AMD among data center and cloud customers, as earlier confidential computing efforts relied on partial secure enclaves rather than protecting the entire host system.

“This was not straightforward to configure, and Microsoft left it to partners to provide security solutions that leveraged in-silicon security features,” Sanders says.

Microsoft’s Russinovich said that Azure services to manage hardware and deployment of code for confidential computing are coming. Many of those managed services will be based on Confidential Consortium Framework, which is a Microsoft-developed open source environment for confidential computing.

“Managed service is in preview form … we’ve got customers that are kicking the tires on it,” Russinovich said.
