Azure  

Secure Sensitive Cloud Data with Azure Confidential & C#

1. Introduction

In today’s fast-paced, data-driven world, organizations across various industries are rapidly adopting cloud computing to leverage its scalability, agility, and cost-effectiveness. Businesses store and process enormous volumes of data in the cloud, ranging from customer records and financial transactions to intellectual property and mission-critical analytics. However, as workloads move to shared cloud environments, ensuring the confidentiality and integrity of sensitive data becomes an even greater challenge.

While traditional security measures such as encryption at rest (to protect data on disk) and encryption in transit (to secure data moving over networks) are now widely adopted, they leave a critical gap: data in use. During processing, data is typically decrypted and loaded into memory, exposing it to potential threats from malicious insiders, compromised hosts, or other tenants sharing the same infrastructure.

Azure Confidential Computing (ACC) addresses this gap by leveraging cutting-edge hardware-based Trusted Execution Environments (TEEs) to protect data even while it is being processed. TEEs isolate sensitive workloads from the host operating system, hypervisor, and other cloud tenants, ensuring that your data and code remain private and tamper-resistant.

By enabling the secure processing of sensitive information in the cloud, Azure Confidential Computing empowers organizations to comply with stringent regulatory requirements, foster trust among stakeholders, and innovate in areas previously deemed too risky for the cloud, such as healthcare analytics, secure AI/ML workloads, and multi-party data collaborations.

In this article, we will explore how Azure Confidential Computing works, its key components, real-world use cases, and how you can build confidential applications using C# examples to take full advantage of this powerful technology.

2. What is Azure Confidential Computing?

Azure Confidential Computing is a set of technologies that protects data while in use by isolating workloads in hardware-based Trusted Execution Environments (TEEs), also known as enclaves.

Traditionally, data is protected at rest (e.g., with disk encryption) and in transit (e.g., with TLS/SSL). However, during processing, data is usually unencrypted and potentially exposed to malicious actors or compromised infrastructure.

ACC fills this gap by ensuring data-in-use protection, enabling organizations to run sensitive workloads securely in the cloud.

3. Key Components of Azure Confidential Computing

3.1 Confidential Virtual Machines (VMs)

  • Azure’s solution for running sensitive workloads in hardware-based Trusted Execution Environments (TEEs).
  • Based on AMD SEV-SNP technology that encrypts the entire VM’s memory.
  • Protects against threats from the hypervisor, host OS, and other tenants.
  • Ideal for use cases like.
  • Secure financial transactions.
  • Healthcare and patient data analytics.
  • Intellectual property or proprietary algorithms.
  • Simple to deploy and operate, just like standard Azure VMs.
  • Provides data-in-use protection without significant changes to existing applications.

3.2 Confidential Containers

  • Enable confidential computing for containerized workloads.
  • Run on Azure Kubernetes Service (AKS) or similar orchestrators.
  • Leverage hardware-based TEEs (e.g., AMD SEV-SNP, Intel TDX) to protect data-in-use at the container level.
  • Encrypts container memory and isolates it from other processes.
    • Host operating system.
    • Other containers running on the same node.
  • Allow running sensitive workloads without changing application code.
  • Ideal for scenarios like:
    • Processing regulated or private data in containers.
    • Secure collaboration between untrusted parties.
    • Privacy-Preserving AI/ML Model Training and Inference.
    • Combine cloud-native scalability and flexibility with strong security guarantees.

3.3. Confidential Applications with Enclaves

  • Provide application-level data-in-use protection by running sensitive code in secure enclaves.
  • Enclaves are isolated memory regions created by hardware TEEs (e.g., Intel SGX).
  • Prevent the host OS, hypervisor, or other processes from accessing enclave data.
  • Allow developers to,
    • Isolate specific business logic or computations in the enclave.
    • Keep non-sensitive parts of the app running outside the enclave for efficiency.
  • Ideal for use cases such as,
    • Privacy-preserving analytics and secure multiparty computation.
    • Protecting intellectual property or proprietary algorithms in shared environments.
    • Ensuring that even cloud providers cannot access sensitive processing.
  • Enable strong security with minimal changes to existing applications by focusing on sensitive components.

4. Why Use Azure Confidential Computing?

  • Protects sensitive data while in use, not just at rest or in transit.
  • Ensures data and workloads remain confidential, even from,
    • The cloud provider’s administrators.
    • The host operating system and hypervisor.
    • Other tenants are on the same hardware.
  • Enables businesses to confidently move regulated or high-value workloads to the cloud.
  • Helps meet stringent compliance and privacy requirements (e.g., GDPR, HIPAA, PCI DSS).
  • Facilitates secure multi-party collaboration by allowing untrusted parties to jointly compute over shared data without exposing it to unauthorized access.
  • Protects intellectual property, proprietary algorithms, and sensitive business logic from unauthorized access.
  • Enables privacy-preserving AI/ML workloads and analytics on confidential datasets.
  • Builds trust in cloud computing for industries like healthcare, finance, government, and defense.

5. Developing a Confidential Application in Azure with C#

A .NET Core C# application that runs inside an Azure Confidential VM and processes encrypted data securely. We’ll walk through.

  • Deploying a Confidential VM.
  • Writing a C# app that detects the TEE environment.
  • Encrypting sensitive data before processing.

Step 1. Deploy an Azure Confidential VM

You can create a confidential VM with the Azure CLI.

az vm create \
  --resource-group myResourceGroup \
  --name myConfidentialVM \
  --image Canonical:0001-com-ubuntu-confidential-vm-focal:20_04-lts-cvm:latest \
  --size Standard_DC2as_v5 \
  --security-type ConfidentialVM \
  --admin-username azureuser \
  --generate-ssh-keys

This creates a Linux-based confidential VM using AMD SEV-SNP. You can then install the .NET SDK and deploy your C# application.

Step 2. Write a C# Application to Detect the TEE

To ensure your application is running inside a confidential VM, you can query the TEE attestation report. Here’s a sample using C# and the Azure Attestation SDK.

Install SDK 

dotnet add package Azure.Security.Attestation
dotnet add package Azure.Identity

Code Example: Validate the TEE environment.

using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.Attestation;

class Program
{
    static async Task Main(string[] args)
    {
        var endpoint = new Uri("https://<your-attestation-instance>.attest.azure.net");
        var client = new AttestationClient(endpoint, new DefaultAzureCredential());
        var result = await client.GetOpenIdMetadataAsync();
        Console.WriteLine("Attestation Service Metadata:");
        Console.WriteLine($"Issuer: {result.Value.Issuer}");
        Console.WriteLine($"JWKS URI: {result.Value.JsonWebKeySetUri}");
        // Additional logic to validate VM TEE report goes here.
    }
}

You can then validate that the VM has SEV-SNP enabled and meets the required policy.

Step 3. Securely Process Encrypted Data

One of the key benefits of ACC is that it operates on data that remains encrypted even during computation. Here’s an example of decrypting and processing data securely inside the TEE.

Encrypt Data Outside the VM

On the client side

// Send encrypted, key, and iv securely to the VM.

using System.Security.Cryptography;
using System.Text;

// Encrypt data with AES
string plainText = "Sensitive customer data";
byte[] key = RandomNumberGenerator.GetBytes(32); // AES-256 key
byte[] iv = RandomNumberGenerator.GetBytes(16);

using Aes aes = Aes.Create();
aes.Key = key;
aes.IV = iv;

ICryptoTransform encryptor = aes.CreateEncryptor();
byte[] encrypted = encryptor.TransformFinalBlock(
    Encoding.UTF8.GetBytes(plainText), 0, plainText.Length);

Decrypt and Process Data Inside the VM

Inside the confidential VM

// This ensures that plaintext data only exists inside the TEE-protected VM memory.

using System.Security.Cryptography;
using System.Text;

byte[] encrypted = /* received encrypted data */;
byte[] key = /* received securely */;
byte[] iv = /* received securely */;

using Aes aes = Aes.Create();
aes.Key = key;
aes.IV = iv;

ICryptoTransform decryptor = aes.CreateDecryptor();
byte[] decryptedBytes = decryptor.TransformFinalBlock(encrypted, 0, encrypted.Length);
string decryptedText = Encoding.UTF8.GetString(decryptedBytes);

Console.WriteLine($"Decrypted data: {decryptedText}");

6. Example Use Cases

  • AI/ML Workloads: Perform privacy-preserving model inference and training on sensitive datasets securely.
  • Intellectual Property Protection: Protect proprietary algorithms, business logic, or trade secrets from being accessed by others, even when hosted in the cloud.
  • Financial Services
    • Securely process sensitive transactions and trading data.
    • Run privacy-preserving analytics for fraud detection and risk modeling.
  • Healthcare & Life Sciences
    • Train and run AI/ML models on patient health records while preserving patient privacy.
    • Secure clinical trial data processing.
  • Government & Defense
    • Process classified or mission-critical information securely in the cloud.
    • Enable secure cloud-based communication and analytics.
  • Multi-Party Collaboration: Joint analysis of shared data sets (e.g., fraud detection, supply chain management) without exposing private data to others.

7. Best Practices for Azure Confidential Computing

  • Use attestation before processing data: Verify that the TEE (enclave or confidential VM) is genuine and compliant with your security policies.
  • Minimize the Trusted Computing Base (TCB)
    • Run only the most sensitive logic and data inside the enclave or TEE.
    • Keep non-sensitive parts of the application outside to reduce complexity and overhead.
  • Encrypt data before transmitting to the cloud: Protect data end-to-end by ensuring it is only decrypted within the TEE.
  • Regularly patch and update: Keep Azure resources, firmware, and your applications up to date to benefit from the latest TEE security features.
  • Design for resilience: Build fault-tolerant applications that gracefully handle attestation failures or TEE disruptions.
  • Monitor and audit: Enable logging and monitoring of attestation events and workload behavior for compliance and troubleshooting.
  • Test and validate: Regularly test your application’s TEE workflows and security assumptions as part of your DevSecOps pipeline.

8. Conclusion

As organizations continue to embrace the cloud for its unmatched scalability and flexibility, securing sensitive data throughout its entire lifecycle, including during processing, has become paramount. Azure Confidential Computing fills this critical gap by ensuring that data remains protected even while in use, leveraging advanced hardware-based Trusted Execution Environments to isolate and safeguard workloads. By adopting this technology, businesses can unlock new opportunities to handle sensitive workloads in the cloud with confidence, meet rigorous compliance demands, and enable secure collaboration and innovation across industries. As we delve into the workings, components, and practical C# examples of Azure Confidential Computing in this article, you will gain the knowledge and tools needed to build secure, confidential applications that fully realize the promise of trusted cloud computing.

Membership not found