AI + Machine Learning, Security, Thought leadership, Virtual Machines
Azure confidential computing with NVIDIA GPUs for trustworthy AI
By Mark Russinovich Chief Technology Officer and Technical Fellow, Microsoft Azure
4 min read
Many industries such as healthcare, finance, transport, and retail are going through a major AI-led disruption. The exponential growth of datasets has resulted in growing scrutiny of how data is exposed—both from a consumer data privacy and compliance perspective. For example, the use of AI in healthcare has grown rapidly, with hospitals and pharmaceutical companies using AI to improve diagnostics and improve drug discovery and development. In transport, the interaction between humans and vehicles is being re-imagined thanks to AI-powered autonomous driving. However, broader democratization of AI is limited by concerns regarding sharing and use of personal data.1 For example, banks are often unable to collaborate on tasks such as fraud and money laundering detection due to concerns regarding security and privacy of transaction data.
Professor Bryan Williams, Director of Research at University College of London Hospitals acknowledges this challenge; “UCLH and the NHS want to be at the forefront of using AI to transform healthcare. A major obstacle to testing AI algorithms with various partners has been concerned about ensuring the privacy of patient data. Technological solutions that enable the secure sharing of data while protecting patient privacy are a potential game-changer to accelerate the evaluation and adoption of AI in health care.”
In this context, confidential computing becomes an important tool to help organizations meet their privacy and security needs. Confidential computing protects data in use and allows the data to be processed only after the cloud environment is verified to be a trusted execution environment. In this way, confidential computing helps protect data from being accessed by cloud operators, malicious admins, and privileged software such as the hypervisor. It helps keep data protected throughout its lifecycle—in addition to existing solutions of protecting data at rest and in transit, data is now protected while in use.
Microsoft partners with NVIDIA to bring GPU-accelerated confidential computing to Azure
Today, we are excited to announce the next chapter in this journey as NVIDIA and Microsoft are combining the power of GPU-accelerated computing with confidential computing for state-of-the-art AI workloads. This collaboration is the first step towards a shared vision to empower individuals and organizations to share and collaborate to derive new insights from data using GPU-accelerated computing without sacrificing security or privacy. With support for Ampere Protected Memory (APM) in NVIDIA A100 Tensor Core GPUs and hardware-protected VMs, enterprises will be able to use sensitive datasets to train and deploy more accurate models with state-of-the-art performance and an added layer of security that their data remain protected.
APM encrypts data when it is transferred to or from the CPU to a GPU over the PCIe bus with keys that are securely exchanged between NVIDIA’s device driver and the GPU. The only place where data is decrypted is within a hardware-protected, isolated environment or enclave within the GPU where it can be processed to train AI models or deliver AI inference results. Much like other Azure confidential computing solutions, the APM feature in NVIDIA A100 GPUs supports cryptographic attestation based on a unique GPU identity provisioned by NVIDIA during manufacturing. Using remote attestation, organizations can independently verify the GPU’s security state and ensure that their data is only processed within the confidential enclave in the GPUs.
Private preview sign up for Azure confidential GPU VMs
Over the past year, we worked closely with NVIDIA to introduce NVIDIA A100 GPUs with APM into the Azure confidential computing ecosystem. Today we are excited to invite you to sign up for the private preview of Azure confidential GPU VMs. In the private preview, Azure confidential computing powered by NVIDIA GPU VMs will bring together the security of trusted VMs with secure boot and vTPM coupled with up to four NVIDIA A100 Tensor Core GPUs. Here, you can set up a secure environment in the Azure cloud and run your machine learning workloads utilizing your favorite machine learning frameworks, with an added layer of security that your VM boots and runs within a trusted environment. As a result, you know that the confidentiality of your data remains encrypted while you leverage the performance of the GPU for your workloads.
Confidential computing across industries
We are already partnering with several organizations to accelerate their journey towards confidential computing with NVIDIA GPUs.
Bosch sees confidential computing as a key instrument to help protect data and meet compliance requirements. Dr. Sven Trieflinger, Senior Research Project Manager at Bosch, mentions, “With ever-decreasing cost and performance overheads, confidential computing techniques will be widely adopted in cloud workloads. The new level of security they offer will be instrumental in addressing challenges in the areas of legal compliance, IP protection, and customer trust”.
The impact of confidential computing extends to financial services too, where the Royal Bank of Canada (RBC) is already leveraging Azure confidential computing solutions to innovate. Eddy Ortiz, VP of Solution Acceleration and Innovation at RBC, says, “The confidential computing capabilities available in Azure have enabled us to unlock new business capabilities and materially advance existing product offerings by leveraging data in ways that only a few years ago was impossible. We’ve been able to craft novel applications which satisfy and exceed the Bank’s most stringent cybersecurity demands. Through these technological advancements we are well-positioned to continue to offer unique and highly personalized experiences to our clients.”
At Microsoft, we remain committed to the vision of a confidential cloud, where organizations can share data and derive insights with strong technical data protection and an added layer of security. Along with NVIDIA, we will continue to innovate and advance AI trustworthiness through confidential computing.
- Sign up for the private preview of Azure confidential GPU VMs.
- Learn more about Azure confidential computing.
1How to make AI trustworthy