Azure Unblogged - Azure Confidential Computing

Published Sep 07 2021 11:59 PM
Microsoft

In this episode of Azure Unblogged, Thomas Maurer speaks with Stefano Tempesta about Azure Confidential Computing. Confidential computing is the protection of data in use by performing computation in a hardware-based Trusted Execution Environment (TEE). Cloud-native workload data is typically protected in transit through network encryption (e.g. TLS, VPN) and at rest (e.g. encrypted storage); confidential computing adds protection of data in memory while it is being processed.


Azure confidential computing allows you to isolate your sensitive data while it's being processed in the cloud. Many industries use confidential computing to:

  • Secure financial data
  • Protect patient information
  • Run machine learning processes on sensitive information
  • Perform algorithms on encrypted data sets from multiple sources

We know that securing your cloud data is important. We hear your concerns. Here are just a few questions that our customers may have when moving sensitive workloads to the cloud:

  • How do I make sure Microsoft can't access data that isn't encrypted?
  • How do I prevent security threats from privileged admins inside my company?
  • What are more ways that I can prevent third-parties from accessing sensitive customer data?

Microsoft Azure helps you minimize your attack surface to gain stronger data protection. Azure already offers many tools to safeguard data at rest through models such as client-side encryption and server-side encryption. Additionally, Azure offers mechanisms to encrypt data in transit through secure protocols like TLS and HTTPS. Azure Confidential Computing introduces a third leg of data encryption: the encryption of data in use.


You can watch the video here or on Channel 9 (https://channel9.msdn.com/Shows/IT-Ops-Talk/Azure-Unblogged-Azure-Confidential-Computing).


Learn more:

  • Azure Confidential Computing: https://azure.microsoft.com/en-us/solutions/confidential-compute/
  • ACC docs and samples: https://docs.microsoft.com/en-us/azure/confidential-computing/
  • ACC blog: https://techcommunity.microsoft.com/t5/azure-confidential-computing/bg-p/AzureConfidentialComputingBlog

3 Comments
Deleted
Not applicable

Great information.

Do these hardware-based CPUs (used for confidential computing) add latency while processing?

Senior Member

This is seriously cool and innovative stuff :) Thanks for sharing!!!


Happy Azure Stacking!!!

Microsoft

In answer to the comment on whether the hardware-based encryption of trusted execution environments brings a performance penalty:

Let's take the case of Intel SGX enclaves, which provide hardware-enforced confidentiality and integrity guarantees for running computations. This is achieved mainly by encrypting all information as it leaves the CPU, effectively shielding data in memory from external observers.

Yes, there is an overhead to running computations inside an enclave. You would expect some overhead due to the added encryption and decryption complexity. In addition, extra security measures such as integrity tests and memory usage limitations can also affect performance.

The performance overheads can result from two main aspects: the first is the actual overhead of executing CPU instructions and accessing the encrypted memory in an enclave. The second is the overhead associated with entering and exiting an enclave.

It's hard to provide exact figures on performance impact. A lot depends on the data volume that is processed.

  • When running on large inputs, code running inside enclaves can typically achieve very high throughput, on par with code running outside enclaves.
  • For small inputs, there may be some overhead from invoking enclave calls. This is because enclaves are only invoked via a special interface called ECALL. ECALLs are known to have a performance impact due to the CPU's context switches.
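As an added illustration (not code from the post, from Azure or from Intel), the cost model below shows why the reply's two points pull in opposite directions: a fixed per-ECALL transition cost favours processing many records per call, while the enclave's memory limit penalises a batch whose working set no longer fits. All parameters are assumed values chosen to make the effect visible, not measured SGX figures.

```python
"""Cost model for batching work across an SGX enclave boundary.

Constructed illustration, not Azure or Intel code and not measured figures:
each ECALL pays a fixed enter/exit transition cost, each byte handled inside
the enclave pays an encrypted-memory cost, and a batch whose working set
exceeds the enclave's memory budget (the EPC on SGX) pays a paging penalty."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EnclaveCostModel:
    ecall_fixed_ns: float     # assumed cost of one ECALL transition (enter + exit)
    per_byte_ns: float        # assumed cost per byte touched in encrypted memory
    epc_budget_bytes: int     # assumed usable enclave memory before paging starts
    paging_penalty_ns: float  # assumed extra cost per byte beyond that budget

    def batch_cost_ns(self, batch_bytes: int) -> float:
        """Cost of a single ECALL that processes batch_bytes of input."""
        cost = self.ecall_fixed_ns + batch_bytes * self.per_byte_ns
        spill = max(0, batch_bytes - self.epc_budget_bytes)
        return cost + spill * self.paging_penalty_ns

    def workload_cost_ns(self, records: int, record_bytes: int,
                         batch_records: int) -> float:
        """Total cost of `records` records, `batch_records` per ECALL."""
        if batch_records < 1:
            raise ValueError("a batch must hold at least one record")
        full, rest = divmod(records, batch_records)
        total = full * self.batch_cost_ns(batch_records * record_bytes)
        if rest:  # a short final batch still pays a full transition
            total += self.batch_cost_ns(rest * record_bytes)
        return total

    def best_batch(self, records: int, record_bytes: int,
                   candidates: list[int]) -> int:
        """Candidate batch size with the lowest total cost for this workload."""
        return min(candidates,
                   key=lambda b: self.workload_cost_ns(records, record_bytes, b))


# Constructed parameters chosen only to make the two effects visible.
MODEL = EnclaveCostModel(ecall_fixed_ns=8_000, per_byte_ns=2,
                         epc_budget_bytes=64 * 1024, paging_penalty_ns=40)

if __name__ == "__main__":
    records, size = 10_000, 64
    for batch in (1, 100, 1_000, 10_000):
        per_record = MODEL.workload_cost_ns(records, size, batch) / records
        print(f"batch={batch:>6}: {per_record:9.1f} ns per record")
    print("best batch:", MODEL.best_batch(records, size, [1, 100, 1_000, 10_000]))
```

With these parameters the per-record cost falls from 8128 ns at one record per ECALL to 136 ns at 1000 per call, then rises again at 10 000 per call once the batch exceeds the assumed memory budget.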
Last update: Sep 07 2021 11:59 PM