Confidential Computing For Azure Virtual Machines

This article provides an introduction to Confidential Computing and shows how to spin up a Confidential Compute-enabled virtual machine in Azure.

Introduction

Security is a key factor when dealing with data in the cloud. Data should be secured and encrypted to prevent breaches and other data security incidents. Attackers and opportunists constantly look for loopholes in systems through which to steal data, compromising the client's data security, so data in the cloud has to be tightly secured.

There are many mechanisms to encrypt and secure data at rest in Azure, and data in transit can also be secured without much difficulty. But what about data that is in use by an application hosted on Azure? The answer is Confidential Computing. Azure Confidential Computing makes sure that data in use is also protected, giving the client a data security mechanism that covers data at rest, in transit, and in use.

Azure offers DC-series virtual machines that support Confidential Computing. These virtual machines are built on Intel SGX technology and use a Trusted Execution Environment to handle data in use.

Trusted Execution Environment

A Trusted Execution Environment is a highly confidential, secure, and isolated environment in which application code and its data execute. This secured and isolated area sits inside the Central Processing Unit (CPU) of the system. The secured area is also termed an enclave.

When application code executes in this secured area along with its data, the data cannot be accessed even by debuggers. Only the authorized code can access the data, so there is no chance of tampering with data that is being processed by that code. No malware, hackers, or malicious insiders can gain access to data that is being used inside the Trusted Execution Environment.

Creating a Virtual Machine with Confidential Computing enabled

Let us create a Virtual Machine with Confidential Computing enabled using the Azure portal. The steps are as follows.

Step 1 - Select Confidential Compute VM Deployment

Log in to the Azure portal and search for Confidential Compute VM Deployment in the Marketplace.

Click Confidential Compute VM Deployment in the search results, then click the "Create" button.

Step 2 - Configure basic settings

Select Windows Server 2016 Datacenter as the image. Currently, Windows Server 2016 Datacenter and Ubuntu Server 16.04 LTS are supported.

Provide the information needed to configure settings such as Virtual Machine Name, Username, Password, Subscription, Resource Group, and Location. Click the OK button.

Step 3 - Select supported Virtual Machine size

Select Standard_DC2s or Standard_DC4s as the VM size. Select storage, network, and other needed settings, and click the OK button.

Step 4 - Review request summary and create Virtual Machine

Review the request summary and click the "Create" button to spin up a Virtual Machine with Confidential Computing enabled.

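Once the VM is running, it is worth confirming that the guest actually sees Intel SGX rather than an ordinary VM. The script below is an added example, not part of the original article; it assumes a Linux guest (such as the Ubuntu image above) whose kernel reports the sgx and sgx_lc CPU flags in /proc/cpuinfo and exposes the /dev/sgx_enclave device node of the in-kernel SGX driver. The file and directory paths are parameters so the check can also be run against captured files.

```shell
#!/bin/sh
# Added example (not from the article): verify SGX availability inside a
# DC-series guest. Assumes a kernel that lists "sgx"/"sgx_lc" in the cpuinfo
# flags and provides /dev/sgx_enclave; both paths are parameters.

# sgx_flags CPUINFO_FILE
#   Print the SGX-related CPU flags found in the first "flags" line of a
#   /proc/cpuinfo-style file, space separated (empty if none).
sgx_flags() {
    grep -m1 '^flags' "$1" | tr ' ' '\n' | grep -E '^sgx(_lc)?$' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# sgx_ready CPUINFO_FILE DEV_DIR
#   Return 0 if the CPU advertises SGX and the enclave device node exists,
#   1 if SGX is not advertised at all (wrong VM size or SGX disabled), and
#   2 if the CPU supports SGX but the driver has not created the device node.
sgx_ready() {
    cpuinfo="$1"
    devdir="$2"
    flags=$(sgx_flags "$cpuinfo")
    case " $flags " in
        *" sgx "*) ;;
        *)
            echo "SGX not advertised by the CPU (flags: '${flags:-none}')"
            return 1 ;;
    esac
    if [ ! -e "$devdir/sgx_enclave" ]; then
        echo "CPU supports SGX but $devdir/sgx_enclave is missing (driver not loaded?)"
        return 2
    fi
    echo "SGX enclave support available (flags: $flags)"
    return 0
}

# Run the live check when invoked with paths, e.g.:
#   sh check_sgx.sh /proc/cpuinfo /dev
if [ "$#" -ge 1 ]; then
    sgx_ready "$1" "${2:-/dev}"
fi
```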

Winding up

Confidential Compute-enabled Virtual Machines are used to protect data in use. The Open Enclave SDK can be used to build applications that are capable of running on Confidential Compute Virtual Machines. Such applications are termed enclave applications; they run inside the Trusted Execution Environment to make sure that data in use is well protected.