The growth of “confidential computing” approaches will help clear away any “last mile barriers” for enterprises that are concerned about processing highly sensitive data in the cloud, Microsoft Azure chief technology officer Mark Russinovich believes.
Microsoft in September announced the launch of Azure confidential computing as a limited preview, using the SGX (Software Guard Extensions) capabilities of Intel’s Skylake CPUs to create a hardware-based Trusted Execution Environment (or “enclave”). (Microsoft also announced it would offer Virtual Secure Mode, a software-based TEE for its Hyper-V hypervisor.)
The Azure CTO describes the trusted enclave at the heart of confidential computing as a “little black box” that not even Microsoft can retrieve unencrypted data from.
“When you run your computation and store your data in an SGX enclave, nothing outside of that enclave can see what’s in it,” Russinovich said. “It’s encrypted, down at the processor level, and nothing can tamper with what’s in it.”
The enclave can, however, produce a cryptographic attestation that lets a customer confirm the expected code is running inside it before trusting it with data.
“We worked closely with Intel to be the first public cloud to introduce Skylake servers into a public cloud data centre and then made them available through a limited preview where customers can sign up and we work with them to give them access to the servers, to start to play with this kind of technology,” Russinovich told Computerworld during a visit to Australia that coincided with Microsoft’s launch of new cloud regions and the company receiving the green light to store and process classified government data within Azure.
The next step will likely be an expansion of the private preview followed by a public preview and then general availability, the CTO said.
“The timelines are still being determined based on the customer requirements we have coming in and the maturation of the technologies,” he added.
Russinovich said that confidential computing can offer greater security assurance for highly sensitive data ranging from real-time telemetry and geolocation data received from cars, through to banks’ financial data and the data of health-care providers that want to use cloud-based machine learning services.
“In fact, one of the very exciting scenarios that we see interest in is what’s called ‘multi-party machine learning’, where different providers, holders of different data sets, can combine those data sets and have machine learning algorithms do computation across them,” Russinovich said.
Such an approach could offer a boost to cancer research, for example, by allowing data drawn from multiple providers to be analysed in the cloud without exposing any individual data set to parties that shouldn’t have access to it.
“This is just going to become a fundamental defence-in-depth for protection of any customer data,” the CTO said.
“Even if they’re comfortable with having it in the cloud, this provides another level of protection around that data. As the technology becomes more accessible, you’ll see this become, I think, the standard way that everybody processes their most sensitive data in a cloud environment.”
Microsoft also has an internal prototype of a new version of SQL Server’s Always Encrypted feature based on the enclave concept. “It puts the SQL query engine inside of the enclave,” Russinovich said.
“A customer then can get an assurance that it is SQL Server running inside of that and then release keys that will allow the SQL query engine to decrypt the customer’s data – so pull in that data encrypted and then perform queries on it.
“That SQL query processor is protected by the enclave from the surrounding environment. If you take a look at what was possible before with the first versions of SQL Always Encrypted, you could encrypt data as it went into your SQL database, but the SQL query engine — because it only saw encrypted data — cannot perform rich queries on it, for example a range query.”
“With this new version of Always Encrypted based on enclaves, if you release the key to decrypt that column to the SQL query processor, then you can perform rich computations on top of it,” he added.
The feature is expected to be opened for public preview later this year.
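As an added illustration of the attestation-then-key-release flow described above for the enclave-based Always Encrypted prototype (example code written for this page, not Microsoft’s or Intel’s), the following Python simulates both sides: a client that checks an enclave’s measurement before releasing the column key, and an enclave that can answer a range query only once it holds that key. The platform key, measurement values, toy cipher and row data are all constructed stand-ins for SGX quotes and SQL Server internals.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins (toy, not real SGX or SQL Server code): the platform key plays the
# hardware-rooted attestation signing key; an enclave's "measurement" is the hash of its code.
PLATFORM_ATTESTATION_KEY = b"constructed-platform-attestation-key"
SQL_ENGINE_CODE = b"sql-query-engine-build-1"
EXPECTED_MEASUREMENT = hashlib.sha256(SQL_ENGINE_CODE).hexdigest()


def encrypt(key: bytes, value: int) -> bytes:
    """Toy column encryption: 8-byte signed int XORed with a per-row keystream."""
    nonce = secrets.token_bytes(8)
    ks = hashlib.sha256(key + nonce).digest()[:8]
    return nonce + bytes(a ^ b for a, b in zip(value.to_bytes(8, "big", signed=True), ks))


def decrypt(key: bytes, ct: bytes) -> int:
    ks = hashlib.sha256(key + ct[:8]).digest()[:8]
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct[8:], ks)), "big", signed=True)


class Enclave:
    """The 'little black box' running the query engine; it holds the key only after release."""
    def __init__(self, code: bytes):
        self.measurement = hashlib.sha256(code).hexdigest()
        self.column_key = None

    def quote(self) -> dict:
        # The platform vouches for what was loaded by signing the measurement.
        sig = hmac.new(PLATFORM_ATTESTATION_KEY, self.measurement.encode(), "sha256").hexdigest()
        return {"measurement": self.measurement, "sig": sig}

    def range_query(self, rows: list, lo: int, hi: int) -> list:
        if self.column_key is None:  # without the key only ciphertext is visible: no comparisons
            raise PermissionError("column key not released to this enclave")
        return [r["id"] for r in rows if lo <= decrypt(self.column_key, r["salary"]) <= hi]


def release_key_if_attested(enclave: Enclave, column_key: bytes) -> bool:
    """Client side: verify the quote and the expected measurement before releasing the key."""
    q = enclave.quote()
    expected = hmac.new(PLATFORM_ATTESTATION_KEY, q["measurement"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(q["sig"], expected) or q["measurement"] != EXPECTED_MEASUREMENT:
        return False
    enclave.column_key = column_key  # real deployments wrap the key to the enclave over a secure channel
    return True


def demo(code: bytes = SQL_ENGINE_CODE) -> tuple:
    key = secrets.token_bytes(32)  # customer-held column encryption key (constructed)
    rows = [{"id": i, "salary": encrypt(key, s)} for i, s in enumerate([40000, 75000, 120000])]
    enclave = Enclave(code)
    attested = release_key_if_attested(enclave, key)
    return attested, (enclave.range_query(rows, 50000, 100000) if attested else None)
```

Calling `demo()` with the expected engine code returns the matching row id, while `demo(b"tampered-engine")` fails attestation and never receives the key.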