Dina Bass, Bloomberg, 15 September 2017
- Azure confidential computing encrypts data while it is in use
- The product works by placing customer information in a virtual enclave
- Microsoft is working with Intel on the new product
Microsoft, working with chipmaker Intel, is offering a cloud-computing service with more powerful encryption to secure data from hackers – and protect it from secret government data-gathering.
Called Azure confidential computing, the technology encrypts data while it is in use – which is when most security breaches occur, according to Azure Chief Technology Officer Mark Russinovich. The new product works by placing customer information in a virtual enclave, essentially a black box that keeps anyone outside the customer – including Microsoft itself – from accessing the data. That can keep cyberthieves, malicious insiders and governments from getting in without customer authorization.
The new service also means that Microsoft won't have the capability to turn over data in response to government warrants and subpoenas, an issue at the heart of a current Microsoft lawsuit against the US government fighting the requirement to turn over client data, sometimes without the customer's knowledge.
The confidential computing service is intended to reassure customers that are considering moving data and applications to Microsoft's cloud that the switch will not open them up to hacks, spying and secret subpoenas. While many companies worldwide have grown more willing to move even sensitive data to internet-based computing in the past few years, some unease about security and privacy persists.
"They can be sure that they can't do any better than this on their own premises," Russinovich said. "This data is completely protected from us and from any attackers."
Azure confidential computing, which enters a preview phase with initial customers Thursday, will offer two ways to create these secure enclaves. One is based on Microsoft's own server software, while the other uses Intel chips with that company's built-in security features. Intel unveiled this sort of data-enclave capability for desktop machines in 2015 but hadn't planned to offer it for the servers that underpin cloud networks for several years. Russinovich persuaded the chipmaker to speed that up, said Rick Echevarria, an Intel vice president and general manager of the platform security division. The Intel technology isn't exclusive to Microsoft and will be sold to other customers.
Customers remain on edge about network security after massive and damaging high-profile attacks on companies like online portal Yahoo, retailer Target, entertainment conglomerate Sony, the Democratic National Committee and most recently credit-reporting company Equifax, whose recent breach put the personal data of as much as half of the US population at risk. Those companies were storing the data on their own networks rather than with the big cloud providers such as Microsoft, Alphabet's Google and market leader Amazon.com.
Between customer needs and the ever-evolving skills of hackers seeking to penetrate networks, Microsoft and its rivals have been rushing to add layers of security.
Google has been working on its own chips, called Titan, that offer a different type of security against hackers in cloud networks. That effort makes sure that when machines boot up, every piece of Google software is valid and hasn't been tampered with.
Intel and Microsoft will also probably take the new technology to the server computers that companies use in their own data centers, referred to as on-premise computing, Intel's Echevarria said. Hacks like Equifax make that a critical need.
"As a cyber-security professional, it's very tough to read the news every morning," he said.
© 2017 Bloomberg L.P.