Announcing: Microsoft transforms Licensing with Cloud Security and Confidential Computing
Microsoft is proud to announce the successful migration of its Windows Licensing Service to Azure, leveraging cutting-edge Confidential Computing and Managed Hardware Security Modules (mHSM) technology. This marks a significant breakthrough in the cloud adoption journey for workloads operating in highly secure environments, reshaping the way Microsoft’s licensing services operate securely at scale. But what did it really take to move one of Microsoft’s most security-critical services to the cloud? Read on to uncover how the team enabled the largest cryptographic workload ever run in Azure—built on high-assurance infrastructure designed for secure, high-throughput operations. Migrating highly secure workloads is made possible with the help of Confidential computing and Managed HSM empowering organizations handling highly secure, high-throughput, and confidential workloads to operate with greater confidence, flexibility, and value. Advancing Security and Throughput The Microsoft Windows Key Management Licensing Service (MKMS) is built around the protection and management of high-value cryptographic keys, which are central to its security model. This service processes billions of licensing requests and related cryptographic operations each day, using these keys to ensure that only authorized individuals have access to their Windows operating systems, desktop applications, and games. Through its focus on secure key management, MKMS supports the authenticity of software licenses and the protection of sensitive data, making secure Windows licensing possible on a global scale. With the integration of Confidential Virtual Machines (CVM) and Managed Hardware Security Modules, the service now meets modern high-security requirements by extending this rigorous protection into the cloud environment. This evolution not only reinforces Microsoft's dedication to safeguarding sensitive cryptographic operations but also ensures that customers can trust the reliability and security of their licensing experience. Building Trust by Moving to Azure Transitioning from multiple highly secure on-prem datacenters to strategically selected Azure regions has enabled greater reliability, stronger security, and a seamless customer experience for the service. This migration not only aligns with Microsoft’s Secure Future Initiative and delivers CAPEX savings by eliminating the need for hardware refreshes but also unlocks the benefits of cloud-native solutions powered by Confidential Computing and Azure Key Vault Managed HSM. Migrating MKMS licensing service from on-premises infrastructure to Azure has delivered significant operational benefits. Azure’s elastic cloud resources allow us to scale efficiently, adapting to changing workload demands and supporting future growth while optimizing costs by paying only for the resources we use. Distributing services across multiple geographic regions in Azure has substantially improved our service availability, minimizing downtime and maintaining consistent delivery even during unexpected events. This geographic redundancy ensures our customers experience fewer disruptions. By utilizing Azure’s performance-driven infrastructure, we have reduced upfront hardware investments and ongoing maintenance costs, while still meeting the high throughput, speed, and reliability necessary for large-scale cryptographic operations—achieving results on par with or better than our previous on-premises environment. Enabling Security with Azure Confidential Computing At the heart of this transformation lies Azure Confidential Computing based on 4th generation AMD EPYC™ CPUs with SEV-SNP, which safeguards sensitive data during processing through hardware-based Trusted Execution Environments (TEEs). This technology prevents unauthorized access, including by cloud administrators and datacenter operators, ensuring robust confidentiality for cryptographic operations that are central to the authenticity of software licenses. Azure encrypts data at rest and in transit, while confidential computing further secures data in use. This added layer of protection addressed essential security requirements for migrating secure workloads to Azure, supporting the safety and integrity of customer data. The migration also incorporated Azure Managed HSM to provide enhanced security and tighter control over cryptographic keys. Complemented by Confidential Virtual Machines and securely attested OS images, the service now operates in a trusted and isolated environment, delivering a resilient and scalable cryptographic foundation —crucial for managing high value cryptographic keys required for Windows licensing. Setting a Benchmark for High-Scale Cryptographic Services Microsoft’s Key Management Licensing Service, leveraging Azure Confidential Computing and the specially engineered high-throughput Managed HSM capabilities, delivers advanced performance for securely hosting confidential, high-scale workloads in the cloud. These enhanced MHSM features were designed and built to meet the immense demand of this service, enabling it to support the highest throughput cryptographic workload ever run on Azure to date. MKMS is deployed on Azure using a purpose-built, internally attested secure image to ensure a trusted baseline. The deployment leverages Azure confidential VMs, and managed hardware security modules to protect data: all data at rest and in transit is encrypted, with encryption keys secured by FIPS-validated HSMs. In addition, CVM guarantees our service that all data in-use is encrypted and secure as an additional layer of security. Comprehensive logging and monitoring are enabled across the stack: control-plane operations, host OS events, and network traffic are all recorded and analyzed for auditing and threat detection. This defense-in-depth design layers protection from the hardware and hypervisor up through network firewalls and application-level safeguards, ensuring comprehensive resilience against both volumetric and application-targeted attacks. Summary In summary, migration of Windows Licensing to Azure signifies Microsoft’s commitment to driving innovation and security in the cloud. By leveraging Confidential Computing and Managed HSMs, Microsoft is delivering value to billions of users worldwide while reinforcing the trust placed in its services. This achievement highlights the potential of cloud-native technologies to transform traditional mission-critical systems, offering a glimpse into the future of secure and scalable computing.Confidential agentic AI on Azure helps ServiceNow respond to sales commission inquiries in seconds
Introduction AI is transforming how businesses operate and innovate, unlocking opportunities across industries to pioneer new business models, solve previously intractable challenges, and create breakthrough experiences. ServiceNow is at the forefront, deploying powerful, confidential AI agents leveraging confidential computing. Their sales commission help desk faced mounting challenges, supporting their sales force. With thousands of commission inquiries annually requiring access to sales compensation plan information, the help desk needed a solution to accelerate response times while maintaining strict data privacy and security standards. Applications ServiceNow Digital Technology leverages cutting-edge AI to streamline business operations, increase operational efficacy, and enhance employee experiences. The sales commission help desk handles inquiries ranging from policy questions to payout explanations, requiring aggregation and analysis of sensitive data from multiple systems. The manual process of responding to these inquiries—which involves gathering, anonymizing, and analyzing sensitive employee data, sales quotas, and commission structures—created bottlenecks, with resolution times stretching to days for the most complex cases. Use Cases To address ongoing commission management challenges, ServiceNow’s Digital Technology team partnered with Opaque Systems and Azure confidential computing team to design, build, and implement Confidential Agents that enable secure, autonomous AI systems with cryptographic privacy guarantees and auditability. The solution provides their help desk team with instantaneous access to encrypted personal commission data across multiple systems, while AI agents automatically analyze requests and generate custom responses. By integrating securely with various data sources, the system maintains strict privacy controls and compliance while delivering rapid, trusted insights. Every action taken by the AI agents is cryptographically verified, creating an immutable record of data access and usage. This generates detailed audit trails that meet compliance and strengthen governance protocols. Through hardware-based encryption on Azure NCCads H100 v5 confidential virtual machines augmented by NVIDIA H100 Tensor Core GPUs for accelerated computing running on their Microsoft Azure subscription service, the services built by ServiceNow can now harness the full power of AI technology without compromising on capabilities. Opaque’s Confidential AI Platform unlocks new performance potential of AI models that demand high-performing computational resources for all the commission requests, while maintaining robust protection of compensation data, setting a new standard for secure, efficient commission management. Accelerate, Reclaim, and Save Opaque's Confidential AI Agents architecture was uniquely built with NVIDIA H100s to help ServiceNow’s transformation. Once AI agents are connected to sensitive data, every aspect of agent operation maintains verifiable privacy and security, including real-time attestation that verifies agent authenticity and integrity, comprehensive audit trails of all agent actions and data interactions, cryptographic enforcement of data access and usage policies, and protection of valuable agent models and intellectual property. This combination of autonomous capability and verifiable privacy and security makes it ideal for ServiceNow to leverage for sensitive sales commission data while maintaining the highest standards of privacy and trust. The implementation of Opaque's Confidential AI Agents delivered strong results across ServiceNow's sales operations. Average response times decreased from 4 days to just 8 seconds, dramatically improving service delivery. Sellers can find quick summaries of Sales Success Center material and links to learn more. They also reported a 74% accuracy rate of agent responses, demonstrating high relevancy. Beyond operational improvements, ServiceNow improved operating costs while simultaneously strengthening their security posture through confidential computing. Most importantly, this has freed up the help desk team to focus on more strategic, high-value work while delivering faster, more accurate support to the sales force, creating a virtuous cycle of improved efficiency and satisfaction. Learn more Azure confidential VMs with NVIDIA H100 Tensor Core GPUs Azure confidential GPU Options Opaque’s Confidential AI Platform NVIDIA H100 Tensor Core GPUsAzure Confidential VMs help keep BMW Group’s identities and passwords protected while in use
Evolving identity and access management for the cloud Security, performance, and reliability are the guiding principles behind Microsoft's identity and access management solutions. These solutions empower organizations to maintain their competitive edge by leveraging technology effectively. With Microsoft's robust cloud infrastructure, customer business teams, plant workers, and external vendors can manage huge workloads independently and around the clock. Collaborative success is facilitated, ensuring timely results and efficient release cycles, helping businesses like the BMW Group stay at the forefront of their markets. Before it can achieve results or make a measurable impact, the BMW Group must give every employee, including independent workers, highly safe and secure access to company systems and devices. It’s for that reason the whole company couldn’t function without identity management authentication. If employees can’t securely sign in to their systems and workstations, all work comes to a halt. Microsoft's identity and access management solutions play a crucial role in enhancing security, efficiency, and user experience across various industries. For the BMW Group specifically, conversations about identity systems are occurring against a backdrop of organization-wide modernization. The company chose to move to the cloud early on so it could unlock more opportunities for on-demand flexibility, scalability, and fast access to technological innovations, especially new and advanced security features. As the BMW Group started to migrate its IT estate to Microsoft Azure, it also wanted a more secure platform for its on-premises Microsoft Active Directory environment and domain controllers. The group has some older applications that require Active Directory identification and access services but aren’t yet compatible with next-generation, cloud-native Microsoft Entra ID protection. Some of these IT systems, servers, and applications are also old, difficult, and expensive to replace but essential to support onsite business or are standard in the automotive industry, such as the hardware and software components built into plant machinery used for car production. Use of this machinery can extend beyond 30 years. Given the dependencies, the BMW Group focuses more on building a foundation to boost reliability and stability for its production processes than integrating them with a modern authentication system. In response, the BMW Group wanted to use its on-premises Active Directory licenses to migrate existing Active Directory servers and domain controllers to Azure while actively protecting data and storage resources, the privacy of data in server memory, and its overall operations. Maintaining critical infrastructure with confidential virtual machines on Azure Considering the criticality and sensitivity of its services, the BMW Group was interested in evaluating confidential computing, a technology that helps protect highly sensitive data that is in use in server memory. When the BMW Group started to look at confidential computing, Microsoft was the only vendor offering a generally available confidential computing platform for the BMW Group to bring their Active Directory domain controllers to the cloud: the Azure DCasv5 confidential virtual machines (VMs) using 3rd generation AMD EPYC™ processors. This technology allowed them to do the migration without changing any code. BMW Group IT specialists decided to start with confidential VMs running Active Directory services as a tier 0 workload in Azure to tighten security and put those servers on a future-proven track for how to continue operating Active Directory for the next 5–10 years. As it started using confidential VMs, the BMW Group appreciated being able to eliminate several potential attack paths as it used domain controllers in a public cloud environment for the first time. Without confidential computing, the datacenter operator, host operator, and VM host operator could have been able to access company systems and the Active Directory database. On top of the added security benefits moving forward, the BMW Group IT specialists also remarked that performance for workloads and applications didn’t suffer running on the AMD based confidential VMs, which greatly reduced worries about potential lapses in availability while making the switch. The group’s Azure DCasv5 confidential VMs using 3rd generation AMD EPYC™ processors have quickly become the center of its architecture and the main component for its domain controllers. Staying within the Microsoft ecosystem for daily identity administration, its privileged access workstation relies on Intune, Azure Bastion, Azure Key Vault, Azure Key Vault Managed HSM, and other Microsoft Security services. Additionally, many of its modern applications that don’t require earlier Active Directory support are onboarded directly to Entra ID. Changing attitudes, adopting a Zero Trust security model, and measuring success Many organizations recognize that security and identity and access management are two pieces of the same puzzle, each with an essential role in their organization’s operations. The BMW Group’s staff have helped build a castle, strengthening security from the outside in, and any activity within the network is on the secure side. Now, they are moving to a Zero Trust framework, which removes any implicit trust and requires each component, supplier, and authentication process to be thoroughly assessed and validated before being granted access. From this internal perspective, the main challenge is to upskill everybody in their team. It’s a completely different way to deploy infrastructure, which is now mainly done by code instead of requesting and installing a physical server. But the result for BMW Group customers is an almost invisible benefit that’s extremely meaningful. It was key not to have any downtime or business impacts, and company staff successfully and seamlessly deployed services for customers with the first bunch of domain controllers running on Azure, without those customers noticing or having to worry about where services were coming from. The group’s main measure of success is getting rid of all its on-premises components, including all on-premises servers and many supporting systems previously needed to offer and support BMW Group services. In doing so, the BMW Group will have all of its systems needed for Active Directory operation hosted on Azure. Achieving security goals and sharing cloud experiences across the business The BMW Group’s new highly secure architecture and DCasv5 confidential VMs touch every part of the business across the full life cycle of identities and are used by internal and external employees, large and strategic partners, and joint venture partners. Boosting security and safeguarding its platform were the company’s main goals and are now its main benefits. The BMW Group is heavily reducing its risk, with the main goal of making it very difficult for an attacker to get into its systems. Microsoft's geographically widespread Azure datacenters enhance businesses' ability to support local branches and plants, increasing service availability and distribution around the globe. Planned IT projects at the BMW Group include transitioning to DCasv6 VMs, the newest confidential VMs on Azure using 4th generation AMD EPYC processors, which will bring with them a 30% performance increase over what the company has already gained. IT specialists are also installing Windows Hello for Business on all client devices within the group, letting employees sign in and authenticate themselves using biometrics. With continued success moving its sensitive workloads to Azure, the BMW Group plans to share its experiences with other teams across the organization. It also wants to bring the benefits of its architecture to other core systems that have high demand for identity and access protection, with everything it’s done so far showing what’s possible for the future. Discover more about BMW Group on Facebook, Instagram, LinkedIn, X/Twitter, and YouTube.
Azure Confidential computing VM and OS disk encryption through HSM backed key CMK
Why Confidential Computing with HSM-Backed Keys Is Essential: In today’s cloud-first world, protecting sensitive data during processing is just as critical as securing it at rest or in transit. Azure Confidential Computing (ACC) Virtual Machines, when combined with Hardware Security Module (HSM)-backed Customer-Managed Keys (CMKs), provide a robust solution for organizations with strict security and compliance requirements. In this blog, we’ll explore a scenario and walk through a step-by-step solution to meet these advanced data protection needs. Scenario: Customer needs a highly sensitive application – May be its processing financial transactions, handling healthcare data or supporting a government workload. Customer demands not only high performance and isolation, but also complete encryption backed by Hardware Security Models (HSM) Solution: Components: Azure Confidential Computing Virtual Machine (ACC VM) Key Vault Premium (HSM Backed Key) Key Vault Key (CMK) Disk Encryption Set ACC VM with HSM CMK disk encryption Azure Confidential Computing (ACC) VMs are designed to protect data in use by performing computations in a hardware-based Trusted Execution Environment (TEE). This ensures that data remains secure even when it is being processed. Disk Encryption with HSM (Hardware Security Module) involves using HSM-backed keys stored in Azure Key Vault to encrypt the disks of your VMs. This provides an additional layer of security by ensuring that encryption keys are stored in a highly secure environment Importance of Confidential VMs Confidential VMs are crucial for organizations that handle sensitive data and require enhanced security measures. They provide the following benefits: Data Protection: Confidential VMs protect data in use, ensuring that it remains secure even during processing. Compliance: They help organizations meet regulatory and compliance requirements by providing robust security measures. Trust: By using hardware-based TEEs, Confidential VMs build trust with customers and stakeholders by ensuring that data is protected at all times Confidential VM Disk Encryption: Confidential VM OS Disk Encryption with Customer-Managed Keys (CMK) using Key Vault Premium tier backed Hardware Security Module (HSM) key provides enhanced security for virtual machines (VMs). This guide will walk you through the steps to configure confidential vm os disk Encryption with Key Vault Premium (HSM Backed Key) The following resources must be created in sequence to deploy Azure Confidential Computing (ACC) VMs with OS disk encryption using HSM-backed Customer-Managed Keys (CMKs) Key Vault with Premium Pricing Tier(HSM Backed Key) Disk Encryption Set utilizing HSM key Azure Confidential VM with Disk Encryption Set Prerequisites to create ACC VM 1. An Azure subscription. Free trial accounts don't support confidential VM. 2. To set up Confidential disk encryption with a customer-managed key, execute the command below to opt in the Confidential VM Orchestrator service principal to your tenant. Connect-Graph -Tenant "your tenant ID" Application.ReadWrite.All New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator" 3. Ensure that your subscription includes the following sizes, as Confidential VMs are supports these VM sizes only General Purpose without local disk: DCasv5-series, DCesv5-series General Purpose with local disk: DCadsv5-series, DCedsv5-series Memory Optimized without local disk: ECasv5-series, ECesv5-series Memory Optimized with local disk: ECadsv5-series, ECedsv5-series NVIDIA H100 Tensor Core GPU powered NCCadsH100v5-series 4. OS images for confidential VMs must meet specific security requirements to support a confidential OS disk encryption and ensure isolation from the underlying cloud infrastructure. Refer to the following link for the most up-to-date list of supported OS images for Azure Confidential Computing (ACC) VMs: OS Support Images Steps to Configure Azure Disk Encryption Set with Key Vault Supported HSM Step 1: Create a Key Vault with Premium Pricing Tier 1. Create Key Vault: Use the following command to create a Key Vault with the Premium pricing tier, which supports HSM-backed keys. az keyvault create --name <keyvaultName> --resource-group <resourceGroupName> --location <location> --sku premium --enable-rbac-authorization false 2. Enable Purge Protection: Enable purge protection to add an extra layer of security. az keyvault update --name <keyvaultName> --resource-group <resourceGroupName> --enable-purge-protection true 3. Configure Access Policy: Set the access policy to allow necessary permissions to user Manged identity. If you don’t have any user managed identity you can create one. az keyvault set-policy --name <keyvaultName> --object-id <user-managed-identity-object-id> --secret-permissions get list --key-permissions get list --certificate-permissions get list 4. Create HSM-backed Key: Create an HSM-backed CMK key in the Key Vault. az keyvault key create --vault-name <keyvaultName> --name <KeyName> --protection hsm Step 2: Create a Disk Encryption Set 1. Create Disk Encryption Set: Use the following command to create a Disk Encryption Set that will use the HSM-backed key. az disk-encryption-set create --resource-group <resourceGroupName> --name <diskEncryptionSetName> --key-url <https://<vaultEndpoint>/keys/<keyName>/<keyVersion>> --source-vault <KeyVaultName> 2. Grant Permissions: Grant necessary permissions to the Disk Encryption Set. az keyvault set-policy --name <keyvaultName> --resource-group <KeyVault Resource Group Name> --object-id $(az disk-encryption-set show --resource-group <rg of diskEncryptionSet> --name <diskEncryptionSetName> --query "identity.principalId" -o tsv) --key-permissions wrapKey unwrapKey get Best Practices Use Purge Protection: Always enable purge protection for your Key Vault to prevent accidental or malicious deletion of keys. Monitor and Audit: Continuously monitor and audit access to your Key Vault and encryption keys to detect any unauthorized access. By following these steps and best practices, you can ensure that your data is securely encrypted using Azure Disk Encryption with Key Vault's HSM-backed keys Step3: Azure Confidential Computing VM Creation and Disk Encryption with HSM Key Create the ACC VM: Use the following command to create an ACC VM and encrypt OS disk with diskEncryptionSet. az vm create --resource-group <RG of VM> --name <VM_Name> --image <Image name from supported list of os image ex. "Canonical:0001-com-ubuntu-confidential-vm-jammy:22_04-lts-cvm:latest"> --size <confidential vm supported size, ex. Standard_DC64ads_v5> --admin-username <UserName> --generate-ssh-keys --enable-vtpm true --public-ip-sku Standard --security-type ConfidentialVM --os-disk-security-encryption-type DiskWithVMGuestState --os-disk-encryption-set $(az disk-encryption-set show --resource-group <rg name diskEncryptionSet> --name <diskEncryptionSet name> --query id -o tsv) By following these steps, you can create an Azure Confidential Computing VM and encrypt its Operating System (OS disk) using the Disk Encryption Set created earlier. Common Questions for Azure Confidential virtual Machine 1. Custom Image can be used for confidential virtual machine (CVM)? Ans: Yes, custom image can use for CVM. Kindly refer => Create a custom image for Azure confidential VMs | Microsoft Learn 2. What Disk SKU and encryption can be used for OS, TEMP, and DATA Disks in CVM with CMK? Ans: For Azure Confidential VMs, the supported disk SKUs are primarily within the "DCasv5" and "ECasv5" series. Supported VM SKUs are => Azure Confidential VM options | Microsoft Learn Confidential OS disk encryption => About Azure confidential VMs | Microsoft Learn Confidential temp disk encryption => About Azure confidential VMs | Microsoft Learn 3. Is CVM Backup supported in Azure backup? Ans: Backup of ACC is not supported in Azure as of nowAnnouncing preview for the next generation of Azure Intel® TDX Confidential VMs
Today, we are excited to announce the preview of Azure’s next generation of Confidential Virtual Machines powered by the 5 th Gen Intel® Xeon® processors (code-named Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX). This will help to enable organizations to bring confidential workloads to the cloud without code changes to applications. The supported SKUs include the general-purpose families DCesv6-series and the memory optimized families ECesv6-series. Confidential VMs are designed for tenants with high security and confidentiality requirements, providing a strong, attestable, hardware-enforced boundary. They ensure that your data and applications stay private and encrypted even while in use, keeping your sensitive code and other data encrypted in memory during processing. Improvements Azure’s next generation of confidential VMs will bring improvements and new features compared to our previous generation. These VMs are our first offering to utilize our open-source paravisor, OpenHCL. This innovation allows us to enhance transparency with our customers, reinforcing our commitment to the "trust but verify" model. Additionally, our new confidential VMs support Azure Boost, enabling up to 205k IOPS and 4 GB/s throughput of remote storage along with 54 GBps VM network bandwidth. We are expanding the capabilities of our Intel® TDX powered confidential VMs by incorporating features from our general purpose and other confidential VMs. These enhancements include Guest Attestation support, and support of Intel® Tiber™ Trust Authority for enterprises seeking operator independent attestation. Offerings The DCesv6-series VMs are designed to offer a balance of memory to vCPU ratio, with up to 128 vCPUs, and up to 512 GiB of memory. The ECesv6-series VMs are designed to offer an even higher memory to vCPU ratio, with up to 64 vCPUs, and 512 GiB of memory. Availability The DCesv6-series and ECesv6-series preview is available now in the East US, West US, West US 3 and West Europe regions. Supported OS images include Windows Server 2025, Windows Server 2022, Ubuntu 22.04, and Ubuntu 24.04. Please sign up at aka.ms/acc/v6preview and we will reach out to you.
Price reduction and upcoming features for Azure confidential ledger!
Effective March 1, 2025, you can keep your records in Azure confidential ledger (ACL) at the reduced price of ~$3/day per instance! The reduced price is for the computation and the ledger use. The price of any additional storage used will remain unchanged. To tamper protect your records: Automatically create hash (e.g. MD5 or SHA256) of your blob storage data and keep those in Azure confidential ledger. For forensics, you can verify the integrity of the data against the signature in ACL. Imagine doing this as you are migrating data from one system to another, or when you restore archived records from cold storage. It is also valuable when there is a need to protect from insider/administrator risks and confidently report to authorities. If you keep your data in Azure SQL database, you can use their security ledger feature to auto generate record digests and store them in confidential ledger for integrity protection and safeguarding. You can use the SQL stored procedure to verify that no tampering or administrator modifications occurred to your SQL data! In addition, we are announcing the preview of User Defined Functions for Azure confidential ledger. Imagine doing a schema validation before writing data to the Ledger or using pattern matching to identify sensitive information in log messages and perform data massaging to mask it. To increase your awareness, request access for this preview via the sign-up form. Get started by reading our documentation and trying out confidential ledger yourself! _____________________________________________________________________________________________________ What is Azure confidential ledger and what is the change? It is a tamper protected and auditable data store backed by a Merkle tree blockchain structure for sensitive records that require high levels of integrity protection and/or confidentiality. While customers from AI, financial services, healthcare, and supply chain continue to use the ledger for their business transaction’s archival needs and confidential data’s unique identifiers for audit purposes, we are acting on their feedback for scaling ledgers to more of their workloads with a more competitive price! How can I use Azure confidential ledger? - Azure SQL database ledger customers can enable confidential ledger as its trusted digest store to uplevel integrity and security protection posture - Azure customers who use blob storage have found value in migrating their workloads to Azure with a tamper protection check via the Azure confidential ledger Marketplace App. - Azure customers who use data stores and databases (e.g. Kusto, Cosmos, and Log Analytics) may benefit from auditability and traceability of logs being kept in the confidential ledger with new compliance certifications in SOC 2 Type 2 and ISO27001. How much does Azure confidential ledger cost? - Approximately $3/day/ledger _____________________________________________________________________________________________________ Resources Explore the Azure confidential ledger documentation Read the blog post on: Integrity protect blob storage Read the blog post on: How to choose between ledger in Azure SQL Database and Azure Confidential Ledger Read the blog post on: Verify integrity of data transactions in Azure confidential ledger View our recent webinar in the Security Community Recent case studies: HB Antwerp & BeekeeperAI
Confidential Temp Disk Encryption for Confidential VMs in Public Preview
We are announcing the public preview of confidential temp disk encryption for confidential VMs. Until recently, confidential encryption has only been available for OS disks. It binds the disk encryption keys to the virtual machine’s TPM (Trusted Platform Module) and makes the disk content accessible only to the VM. With this release, we are extending this protection by enabling encryption of the temp disk, using in-VM symmetric key encryption technology, after the disk is attached to the confidential VM (CVM).Preview of Azure Confidential Clean Rooms for secure multiparty data collaboration
Today, we are excited to announce the preview of Azure Confidential Clean Rooms, a cutting-edge solution designed for organizations that require secure multi-party data collaboration. With Confidential Clean Rooms, you can share privacy sensitive data such as personally identifiable information (PII), protected health information (PHI) and cryptographic secrets confidently, thanks to robust trust guarantees that help ensure that your data remains protected throughout its lifecycle from other collaborators and from Azure operators. This secure data sharing is powered by confidential computing, which helps protect data in-use by performing computations in hardware-based, attested Trusted Execution Environments (TEEs). These TEEs help prevent unauthorized access or modification of application code and data during use. Organizations across industries need to perform multi-party data collaboration with business partners, outside organizations, and even within company silos to improve business outcomes and bolster innovation. Confidential Clean Rooms help derive true value from such collaborations by enabling granular and private data to be shared while providing safeguards on data exfiltration hence protecting the intellectual property of the organization and the privacy of its customers and addressing concerns around regulatory compliance. Whether you’re a data scientist looking to securely fine-tune your ML model with sensitive data from other organizations, or a data analyst wanting to perform secure analytics on joint data with your partner organizations, Confidential Clean Rooms will help you achieve the desired results. You can sign up for the preview here Key Features Secure Collaboration and Governance: Allows collaborators to create tamper-resistant contracts that contain the constraints which will be enforced by the clean room. Governance verifies validity of those constraints before allowing data to be released into clean rooms and helps generate tamper-resistant audit trails. This is made possible with the help of an implementation of the Confidential Consortium Framework CCF). Enhanced Data Privacy: Provides a sandboxed execution environment which allows only authorized workloads to execute and prevents any unauthorized network or IO operations from within the clean room. This helps keep your data secure throughout the workload execution. This is possible with the help of deploying clean rooms in confidential containers on Azure Container Instances (ACI) which provides container group level integrity with runtime enforcement of the same. Verifiable trust at each step with the help of cryptographic remote attestation forms the cornerstone of Confidential Clean Rooms. Salient Use Cases Azure Confidential Clean Rooms caters to use cases spanning multiple industries. Healthcare: For fine-tuning and inferencing with predictive healthcare machine-learning (ML) models and for joint data analysis for advancing pharmaceutical research. This can help protect the privacy of patients and intellectual property of organizations while demonstrating regulatory compliance. Finance: For financial fraud detection through analysis of combined data across banks and other financial institutions and for providing personalized offers to customers through secure analysis of transaction data and purchase data in retail outlets Media and Advertising: For improving marketing campaign effectiveness by combining data across advertisers, ad-techs, publishers and measurement firms for audience targeting and attribution and measurement Retail: For enhanced personalized marketing and improved inventory and supply chain management Government and Public Sector Organizations: For analysis of high security data across multiple government and public sector organizations to streamline benefits for citizens Customer Testimonials We are already partnering with several organizations to accelerate their secure multi-party collaboration journey with confidential clean rooms. Confidential computing in healthcare allows secure data processing within isolated environments, called 'clean rooms', protecting sensitive patient data during AI model development, validation and deployment. Apollo Hospitals uses Azure Confidential Clean Rooms to enhance data privacy, encrypt data, and securely train AI models. The benefits include secure collaboration, anonymized patient privacy, intellectual property protection, and enhanced cybersecurity. Apollo’s pilot with Confidential Clean Rooms showed promising results, and future efforts aim to scale secure AI solutions, ensuring patient safety, privacy, and compliance as the healthcare industry advances technologically. - Dr. Sujoy Kar, Chief Medical Information Officer and Vice President, Apollo Hospitals Azure Confidential Clean Rooms is a game changer to make collaborations on sensitive data both seamless and secure. When combined with Sarus, any data processing job is automatically analyzed using the most advanced privacy technology. Once validated, they are processed securely in Confidential Clean Rooms protecting both the privacy of data and the confidentiality of the analysis itself. This eliminates administrative overheads and makes it very easy to build advanced data processing pipelines. With our partner EY, we're already leveraging it to help international banks improve AML practices without compromising privacy. - Maxime Agostini, CEO & Cofounder of Sarus Read here to learn more about how Sarus is using Confidential Clean Rooms. As co-leaders on this Data Consortium Pilot, we are thrilled to be working with industry partners, Sarus and Microsoft, to drive this initiative forward. By combining Sarus’ privacy preserving technologies and Microsoft’s Azure Confidential Clean Rooms, not only does this project push the edge of technology innovation, but it strives to address a pivotal issue that affects us as Canadians. Through this work, we aim to help financial services organizations and regulators navigate the complexities of private and personal data sharing, without compromising the integrity of the data, and adhering to all relevant privacy regulations. For the purposes of this pilot, we are focusing our efforts on how this technology can play a pivotal role in helping better detect cases of human trafficking, however, we recognize that it can be used to help organizations for multiple other use cases, and cross industries, including health care and government & public sector. - Jessica Hansen, Privacy Partner EY Canada, and Dana Ohab, AI & Data Partner EY Canada Retrieval-Augmented Generation (RAG) applications accessing Large Language Models (LLMs) are common in private AI workflows, but managing secure access to sensitive data can be complex. SafeLiShare’s integration of its LLM Secure Data Proxy (SDP) with Azure Confidential Clean Rooms (ACCR) simplifies access control and token management. The joint solution helps ensure runtime security through advanced Public Key Infrastructure (PKI) and centralized policy management in Trusted Execution Environments (TEEs), enforcing strict access policies and admission controls to guarantee authorized access to sensitive data. This integration establishes trust bindings between the Identity Provider (IDP), applications, and data, safeguarding each layer without compromise. It also enables secure creation, sharing, and management of applications and data assets, ensuring compliance in high-performance AI environments. - Cynthia Hsieh, VP of Marketing, SafeLiShare Read here to learn more about how SafeLiShare is using Confidential Clean Rooms. Learn More Signup for the preview of Azure Confidential Clean Rooms Confidential Consortium Framework (CCF) Confidential containers on Azure Container Instances (ACI)
