Confidential VM option for Azure Data Explorer - Public Preview release
Published May 23 2023 08:00 AM
Microsoft

We are happy to release the confidential virtual machine (VM) option for Azure Data Explorer.  

 

Azure Data Explorer (ADX) is a high-performance, fully managed Azure service that allows customers to run analytics on very large volumes of data and is optimized for interactive, ad hoc queries. With Azure Data Explorer, users can analyze petabytes of information in just seconds. By analyzing structured, semi-structured and unstructured data across time series and leveraging machine learning, ADX makes it simple to extract key insights from your data.

 

Looking at the encryption technologies in use in organizations today, we see that most organizations are encrypting their data at rest. We also see that most organizations are encrypting their data in transit. What is missing in most organizations is the encryption of data stored in the VM’s memory. This is where Azure Confidential Computing comes into play.

 

The confidential VM option for ADX is based on AMD EPYC SEV-SNP technology. This technology adds defense in depth by running your ADX workload in a hardware-based and attested trusted execution environment (TEE), with the Azure host OS and hypervisor outside of your workload’s trusted computing base. This helps prevent access to the VM’s data in memory from external threats and even Azure operators. 

 

The recommended confidential VM SKUs for Azure Data Explorer are in the ECasv5 SKU family. To create a confidential Azure Data Explorer cluster, simply select an ECasv5 SKU during cluster creation. In addition, if you wish to migrate an existing Azure Data Explorer cluster to a confidential VM SKU, all you need to do is select a confidential VM SKU as the target SKU. No code changes are required to support this migration. It is a simple lift-and-shift migration experience.

 

Most customers who adopt confidential VM SKUs will also encrypt their data using a customer-managed key (CMK). When a SKU from the ECasv5 family is selected, the CMK will be used to encrypt the data stored in blob storage and the attached premium data disks. You can use either ARM or the Azure Portal to deploy or migrate to a confidential VM cluster.

 

The financial sector is a leading vertical spearheading confidential computing adoption, as it has strict compliance regulations on how to store highly sensitive data. However, any organization that manages highly sensitive data, such as government agencies and healthcare companies, will benefit greatly from this ADX confidential computing solution. In some cases, when highly sensitive data is processed in the cloud, industry and government regulations will require the protection of that data in use, and the confidential VM option for ADX helps provide that protection for your workloads on ADX.

 

To see how to use this capability, watch this demo.

 

To get started, please read the document "Select a SKU for your Azure Data Explorer cluster".

 

 

Last update: May 22 2023 11:02 AM