In this post, we'll show you how to build a Personally Identifiable Information (PII)-protecting web application architecture using Azure confidential computing (ACC). ACC complements your existing cloud privacy controls with protection for data in use, based on state-of-the-art hardware available in Azure today.
The diagram below showcases a typical architecture pattern for hosting a web application (e.g. On-Premises or Cloud Platform):
Typical architecture for a web application
The problem with this typical approach is that malicious actors could gain access to, and manipulate, sensitive data processed by this architecture. For example:
Azure confidential computing enhances the security posture of your applications by protecting data and code while in use, that is, while running and being processed in memory. This additional layer of protection builds on the existing security posture in Azure by running applications in hardware-encrypted trusted execution environments.
For an overview of what Azure confidential computing offers, please refer to this article: Navigating confidential computing across Azure.
Next, we'll show you how to enhance your web application privacy with Azure confidential computing.
Confidential architecture leveraging Azure confidential computing services
All components of this architecture, including Sensitive Data, Sensitive Data Encryption Keys, Sensitive Application Logic and Sensitive Application Logs, are hosted at or above the blue dotted line highlighted below:
Trust boundary across Azure confidential computing services.
To transform an existing (or net-new) application to leverage confidentiality via ACC, the following activities can be accomplished for each of the 3 tiers of the application (Data, Code and Logs):
A live demonstration of this architecture pattern is showcased in the short demo video below. In this demonstration, we use a Confidential VM to emphasize one core point: no code changes are required for an existing application (in our case, an ASP.NET Web App) to run on an AMD SEV-SNP enabled Virtual Machine on Azure:
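Because the application itself is unchanged, the one thing an operator should verify is that it really is running inside an SEV-SNP guest. The script below is an added example (not code from the original post or its demo repo) that checks a Linux guest's kernel log for the memory-encryption feature line; the exact log wording is an assumption about recent kernels, and the sample logs are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example: check from inside a Linux guest whether the kernel reports
# AMD SEV-SNP memory encryption as active.
# Assumption: recent kernels log a line such as
#   "Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP"
# (older kernels: "AMD Memory Encryption Features active: SEV ...").
# This wording is an assumption about the kernel, not something the post states.

# sev_snp_active LOGFILE -> exit 0 if the log reports SEV-SNP active, 1 otherwise
sev_snp_active() {
    grep -i 'Memory Encryption Features active' "$1" | grep -q 'SEV-SNP'
}

# sev_feature_list LOGFILE -> prints the reported feature list, e.g. "AMD SEV SEV-ES SEV-SNP"
sev_feature_list() {
    grep -i 'Memory Encryption Features active' "$1" | sed 's/.*active: *//' | head -n 1
}

# Constructed sample kernel logs (not captured from a real machine).
CVM_LOG=$(mktemp); cat >"$CVM_LOG" <<'EOF'
[    0.000000] Linux version 6.2.0 (constructed sample)
[    0.004000] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
EOF

PLAIN_LOG=$(mktemp); cat >"$PLAIN_LOG" <<'EOF'
[    0.000000] Linux version 6.2.0 (constructed sample)
[    0.004000] x86/cpu: constructed line, no memory encryption reported
EOF

# Real use: dump the running kernel's log and test it, e.g.
#   dmesg > /tmp/dmesg.txt && sev_snp_active /tmp/dmesg.txt && echo "SEV-SNP active"
if sev_snp_active "$CVM_LOG"; then
    echo "constructed CVM log: SEV-SNP active ($(sev_feature_list "$CVM_LOG"))"
fi
if ! sev_snp_active "$PLAIN_LOG"; then
    echo "constructed plain log: SEV-SNP not reported, the app would NOT be in a confidential VM"
fi
```

A guest-side log check only shows what the guest kernel believes about its environment; it is a quick sanity check, not a substitute for hardware-backed attestation of the VM.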
Instructions on how to publish this app are described on the author's GitHub repo.