
Azure confidential computing

Protect and secure your cloud data while it’s in use

Take data security to the next level with confidential computing

Azure confidential computing protects the confidentiality and integrity of your data and code while it’s processed in the public cloud. Cloud security is the cornerstone of our confidential cloud vision, which aims to remove Microsoft from the trusted computing base (TCB) of Azure.

What is confidential computing?

Security is a key driver accelerating the adoption of cloud computing, but it’s also a major concern when you’re moving extremely sensitive IP and data scenarios to the cloud.

There are established ways to secure data at rest and in transit, but you also need to protect your data from threats while it is being processed. Now you can. Confidential computing adds new data security capabilities that use trusted execution environments (TEEs) or encryption mechanisms to protect your data while it is in use. TEEs are hardware or software implementations that safeguard data being processed from access outside the TEE. The hardware provides a protected container by isolating a portion of the processor and memory. Only authorized code is permitted to run and to access the data, so code and data are protected against viewing and modification from outside the TEE.

Core components of confidential computing

Innovation across hardware, software, and services is making Azure confidential computing a reality.

Hardware and compute:

Deploy and manage compute instances that are enabled with TEEs.

Get access to hardware-based features and functionality in the cloud before they are broadly available on-premises, and use them to build and run SGX-powered applications. The DC-series of virtual machines (VMs) brings the latest generation of Intel Xeon processors with Intel SGX technology to the Azure cloud. Use these new VMs to build applications that protect data and code in use.

Development:

Develop against a standard enclaving abstraction.

Take advantage of enclave creation and management, system primitives, runtime support, and cryptographic library support. The Open Enclave SDK project provides a consistent API surface around an enclaving abstraction, supporting portability across enclave types and flexibility in architecture. Build portable C/C++ applications against different enclave types.

Attestation:

Verify the identity of TEEs and the code running inside them.

Validate code identity to determine whether to release secrets. Verification is simple and highly available with attestation services.
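The release decision described above can be expressed as a policy gate. The following C example is added here and is not code from this page or from the Open Enclave SDK: it assumes the attestation report has already been parsed into a constructed claims struct (field names are this example's own) and shows the checks a relying party applies before handing a secret to an enclave.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the claims a relying party extracts from an
 * already-verified attestation report. Names are this example's own,
 * not the Open Enclave SDK's report structures. */
#define MEAS_LEN 32
typedef struct {
    uint8_t code_measurement[MEAS_LEN]; /* hash of the enclave image (code identity) */
    uint8_t signer_id[MEAS_LEN];        /* hash of the key that signed the enclave */
    uint16_t security_version;          /* enclave security version number */
    bool debug_enabled;                 /* debug enclaves expose memory to a debugger */
    bool signature_valid;               /* report signature checked against the hardware root */
} attestation_claims_t;

typedef struct {
    uint8_t expected_measurement[MEAS_LEN];
    uint8_t expected_signer[MEAS_LEN];
    uint16_t min_security_version;
} release_policy_t;

/* Constant-time byte comparison so timing does not reveal which byte differs. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Returns true only when every policy condition holds; the caller releases
 * the secret to the enclave only in that case. */
bool policy_allows_release(const attestation_claims_t *c, const release_policy_t *p) {
    if (!c->signature_valid) return false;                           /* report not authentic */
    if (c->debug_enabled) return false;                              /* not confidential */
    if (c->security_version < p->min_security_version) return false; /* superseded build */
    if (!ct_equal(c->code_measurement, p->expected_measurement, MEAS_LEN)) return false;
    if (!ct_equal(c->signer_id, p->expected_signer, MEAS_LEN)) return false;
    return true;
}

/* Constructed sample data: fills claims and policy from simple byte patterns. */
void make_claims(attestation_claims_t *c, uint8_t meas, uint8_t signer, uint16_t svn, bool debug) {
    memset(c->code_measurement, meas, MEAS_LEN);
    memset(c->signer_id, signer, MEAS_LEN);
    c->security_version = svn;
    c->debug_enabled = debug;
    c->signature_valid = true;
}

void make_policy(release_policy_t *p, uint8_t meas, uint8_t signer, uint16_t min_svn) {
    memset(p->expected_measurement, meas, MEAS_LEN);
    memset(p->expected_signer, signer, MEAS_LEN);
    p->min_security_version = min_svn;
}
```

A production relying party would obtain the claims from the attestation service's verified report rather than constructing them, but the gate itself stays the same.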

Research:

Gain insights from Microsoft Research to harden your enclave code.

Explore research on new applications for confidential computing, techniques to harden TEE applications, and tips to prevent information leaks outside the TEE.

Application patterns of confidential computing

Protect data confidentiality and integrity

Protect data in use from malicious insiders with administrative privilege or direct access. Safeguard against hackers and malware that exploit bugs in the operating system, application, or hypervisor. Protect against third-party access without consent.

Example: SQL Server Always Encrypted technology

With the use of confidential computing, SQL Always Encrypted protects sensitive data in use while preserving rich queries and providing in-place encryption.

Create a trusted network

Build trust in the infrastructure and application of a network with untrusted participants.

Example: Confidential Consortium Blockchain Framework

With the use of confidential computing, the Confidential Consortium Blockchain Framework creates a trusted distributed blockchain network. This simplifies consensus and transaction processing for high throughput and confidentiality.

Combine multiple data sources

Combine multiple data sources to support a better algorithmic outcome, without sacrificing data confidentiality.

Example: Secure multiparty machine learning

With confidential computing, you can use machine learning algorithms across different organizations to better train models, without revealing data to participants or the cloud platform.

Secure sensitive IP

In some cases, your sensitive content is the code and not the data. Protect confidentiality and integrity of your code while it’s in use.

Example: Secured content licensing and DRM protection

Protect the integrity of your IP with confidential computing by putting licenses in TEEs for DRM-enabled applications.

Explore products and research

Protect your cloud data from advanced security threats. Learn more about available Azure confidential computing options:

Begin creating Azure confidential computing VMs.

Start developing with Open Enclave SDK.