Azure confidential computingPreview
Protect and secure your cloud data while it's in use
- Safeguard data from malicious and insider threats while it's in use
- Maintain control of data through its lifetime
- Protect and validate the integrity of code in the cloud
- Ensure that data and code is opaque to the cloud platform provider
Take data security to the next level with confidential computing
Azure confidential computing protects the confidentiality and integrity of your data and code while it's processed in the public cloud. Cloud security is the cornerstone of our confidential cloud vision, which aims to remove Microsoft from the trusted computing base (TCB) of Azure.
What is confidential computing?
Security is a key driver accelerating the adoption of cloud computing, but it's also a major concern when you're moving extremely sensitive IP and data scenarios to the cloud.
There are ways to secure data at rest and in transit, but you need to protect your data from threats as it's being processed. Now you can. Confidential computing adds new data security capabilities using trusted execution environments (TEEs) or encryption mechanisms to protect your data while in use. TEEs are hardware or software implementations that safeguard data being processed from access outside the TEE. The hardware provides a protected container by securing a portion of the processor and memory. Only authorised code is permitted to run and to access data, so code and data are protected against viewing and modification from outside of TEE.
Core components of confidential computing
Innovation across hardware, software and services is making Azure confidential computing a reality.
Hardware and compute:
Deploy and manage compute instances that are enabled with TEEs.
Get access to hardware-based features and functionality in the cloud before it is broadly available on-premises to build and run SGX-powered apps. The DC-series of virtual machines (VMs) enables the latest generation of Intel Xeon Processors with Intel SGX technology to the Azure cloud. Use these new VMs to build apps that protect data and code in use.
Develop against a standard enclaving abstraction.
Take advantage of enclave creation and management, system primitives, runtime support and cryptographic library support. The Open Enclave SDK project provides a consistent API surface around an enclaving abstraction, supporting portability across enclave types and flexibility in architecture. Build portable C/C++ apps against different enclave types.
Verify the identity of TEEs and the code running inside them.
Validate code identity to determine whether to release secrets. Verification is simple and highly available with attestation services.
Gain insights from Microsoft research to harden your enclave code.
Explore research on new apps for confidential computing, techniques to harden TEE apps and tips to prevent information leaks outside the TEE.
Read more on Azure confidential computing.
App patterns of confidential computing
Protect data confidentiality and integrity
Protect data in use from malicious insiders with administrative privilege or direct access. Safeguard against hackers and malware that exploit bugs in the operating system, app or hypervisor. Protect against third-party access without consent.
Example: SQL Server Always Encrypted technology
With the use of confidential computing, SQL Always Encrypted protects sensitive data in use while preserving rich queries and providing in-place encryption.
Create a trusted network
Build trust in the infrastructure and app of a network with untrusted participants.
With the use of confidential computing, the Confidential Consortium Framework (CCF) creates a trusted distributed blockchain network. This simplifies consensus and transaction processing for high throughput and confidentiality.
Combine multiple data sources
Combine multiple data sources to support a better algorithmic outcome, without sacrificing data confidentiality.
Example: Secure multi-party machine learning
With confidential computing, you can use machine-learning algorithms across different organisations to better train models, without revealing data to participants or the cloud platform.
Secure sensitive IP
In some cases, your sensitive content is the code and not the data. Protect confidentiality and integrity of your code while it's in use.
Example: Secured content licensing and DRM protection
Protect the integrity of your IP with confidential computing by putting licences in TEEs for DRM-enabled apps.
Explore products and research
Protect your cloud data from advanced security threats. Learn more about available Azure confidential computing options: