Inside The Emerging Enterprise Security Revolution
With organizations deploying infrastructure of increasing complexity in the cloud to meet data-management obligations, demand is growing for solutions that provide comprehensive defense against sophisticated cyber-attacks and social engineering exploits. Conventional encryption strategies provide protection for data while stored on disk or in transit over the network but ignore data in use while being processed in a CPU or GPU.
Trusted Execution Environment (TEE) enclaves present an exciting opportunity to rethink existing approaches to security and data integrity with something far simpler and safer. Integrating a TEE enclave ad hoc, while technically feasible, is sub-optimal for most enterprises. This new hardware-based security paradigm is now just a few clicks away in Azure, with DCsv3 virtual machines providing support for Intel® SGX.
DCsv3 VMs, which are now generally available, have six times the CPU cores of the previous generation and 12 times the memory. They also feature 1500 times the Enclave Page Cache (EPC) memory of the previous generation, which together lets you apply Intel® SGX technology to much larger workloads.
Cloud infrastructure running critical applications constantly encounters advanced and persistent security threats. Defending against these threats begins with a system to verify the integrity of infrastructure components. Concerted effort in this direction has produced a range of new security measures that together form the basis of “trusted launch”, encompassing Secure Boot and a virtual Trusted Platform Module (vTPM).
Trusted Launch support for DC series
Today, we are announcing Trusted Launch support for DCsv3/DCdsv3 VMs. Customers can now select “Trusted Launch” as the security type to enable Secure Boot and vTPM.
Create DCsv3 virtual machine with Trusted Launch
There are several ways to create a DCsv3 virtual machine on Azure with the “Trusted Launch” feature enabled.
Using the Azure az CLI:
The Azure az CLI is a command-line tool that lets you use the same commands on all supported platforms: Windows, Linux, or Mac. The following example shows how to use the az command to create a DCsv3 virtual machine with “Trusted Launch” enabled.
az group create \
--name "acc-secureboot-rg" \
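To make the CLI path concrete, here is an added example (not code from the original post) that creates the resource group and a DCsv3 VM with Trusted Launch via az, then verifies from az vm show that the resulting securityProfile really has securityType TrustedLaunch with secureBootEnabled and vTpmEnabled set to true, which are the same keys a custom template sets. The region, VM name, size, image URN and admin user are assumptions; only the resource-group name comes from the page.

```shell
#!/bin/sh
# Added example, not from the original post. All names except RG are assumptions.
RG="acc-secureboot-rg"
LOCATION="eastus"                                                    # assumption
VM_NAME="dcsv3-tl-vm"                                                # assumption
VM_SIZE="Standard_DC2s_v3"                                           # a DCsv3 size; assumption
IMAGE="Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest" # Gen2 image; assumption

# Create the resource group and a DCsv3 VM with Trusted Launch, Secure Boot
# and vTPM all requested explicitly rather than relying on defaults.
create_trusted_launch_vm() {
  az group create --name "$RG" --location "$LOCATION"
  az vm create \
    --resource-group "$RG" \
    --name "$VM_NAME" \
    --size "$VM_SIZE" \
    --image "$IMAGE" \
    --admin-username azureuser \
    --generate-ssh-keys \
    --security-type TrustedLaunch \
    --enable-secure-boot true \
    --enable-vtpm true
}

# Inspect the securityProfile JSON that az vm show returns (the same keys an
# ARM template sets). Succeed only if the security type is TrustedLaunch and
# both UEFI settings are true; a missing section or a "false" fails the check.
security_profile_ok() {
  json="$1"
  printf '%s' "$json" | grep -q '"securityType": *"TrustedLaunch"' || return 1
  printf '%s' "$json" | grep -q '"secureBootEnabled": *true'        || return 1
  printf '%s' "$json" | grep -q '"vTpmEnabled": *true'              || return 1
}

# Post-deployment check: do not assume the portal or CLI applied the settings.
verify_trusted_launch_vm() {
  profile=$(az vm show -g "$RG" -n "$VM_NAME" --query securityProfile -o json)
  security_profile_ok "$profile"
}

# Constructed sample of the expected profile, for an offline dry run.
SAMPLE_PROFILE='{"securityType": "TrustedLaunch",
  "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}'

if [ "${1:-}" = "--run" ]; then
  create_trusted_launch_vm && verify_trusted_launch_vm && echo "Trusted Launch verified on $VM_NAME"
else
  security_profile_ok "$SAMPLE_PROFILE" && echo "sample profile passes the check"
fi
```

Run the script with --run against a logged-in az session to deploy and verify; without arguments it only exercises the check against the constructed sample.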
If you prefer a graphical user interface, the same provisioning can be done directly in the Azure portal. This method also supports custom templates for added flexibility in deployment.
After logging into the Microsoft Azure portal, click “Azure virtual machine”.
Choose “Trusted launch virtual machines” for the security type parameter.
Select “Configure security features” and then enable Secure Boot and vTPM.
Finally, click “Create”.
Custom templates are JSON files that define the resources you need to deploy for your solution through the Azure portal GUI. To understand the concepts associated with deploying and managing your Azure solutions with custom templates, see the template deployment overview.
Configure the securityProfile section under the VM Deployment section as follows: