Microsoft Azure Attestation empowers Azure confidential computing (ACC) customers to ensure security and integrity of their sensitive workloads, providing them with unparalleled protection and peace of mind. We firmly believe that giving customers the ability to establish outright trust with our services is a vital aspect of providing security assurances. Further, customers are also seeking a seamless and interoperable experience for attesting trusted execution environments (TEEs) across clouds. Attestation standardization is essential for ensuring an interoperable and consistent experience for all customers.
Therefore, advancing attestation standards and ensuring customers’ trust are paramount to Microsoft. In this article, we will discuss our progress and future plans for achieving these objectives.
Microsoft’s efforts to promote attestation standardization
In addition to promoting attestation standards, we are also committed to incorporating standards within Azure Attestation. Attestation token generated by Azure Attestation adheres to the IETF Entity Attestation Token (EAT) format. The token includes claims defined in the IETF EAT draft and JWT specifications. To stay current with evolving standards, we will continuously monitor and aim to implement any new standardized claims within the attestation token.
We welcome the opportunity to collaborate on the unification of EAT aligned attestation token formats with any current or future attestation solutions. If you are interested, please initiate a request for collaboration here
Establishing trust in Azure Attestation
Azure Attestation protects customers’ data in-use by running its critical operations inside an Intel® Software Guard Extensions (Intel® SGX) enclave. Critical operations of the service like quote validation, token generation, policy evaluation and token signing are performed in an enclave to ensure that Microsoft cannot interfere in the attestation process. Therefore, establishing trust with the service includes steps to validate its implementation within an enclave. Today, Azure Attestation customers are enabled to perform the steps outlined below:
1. Verify integrity of the attestation token generated by the service 2. Confirm SGX implementation of the service 3. Validate binding of the attestation token with SGX implementation of the service 4. Confirm if the attestation token originates from the legitimate Azure Attestation, based on the service code measurements
To learn more and refer code samples, see Azure Attestation documentation. If you require additional measures to ensure trust in our service, please submit a support ticket here.
Our ultimate goal is to empower Azure customers with unconditional real-time trust in confidential computing services like Azure Attestation. We will strive to offer new options to cater to your transparency requirements and publish blogs to boost trust in Azure Attestation. To reach a definitive outcome in regard to attestation standards, we are committed to continuously making valuable contributions to the attestation industry.