How does Azure Confidential Computing work?

Microsoft has a unique offering on a (relatively) new technology in Azure to protect and encrypt data in use, called Azure Confidential Computing. If you are moving sensitive data to the cloud, you also want to encrypt it. Traditionally you can do this for data in transit and data at rest; data in use, however, is a challenge. Azure Confidential Computing addresses exactly that scenario and helps you encrypt data in use, making your data and code opaque to the hypervisor, the host operating system and the cloud operator, and, for enclave-based workloads, even to the guest operating system of the virtual machine.

You can now move your existing workloads to Azure and make them confidential without changing any code. With AMD EPYC 3rd Gen technology (SEV-SNP), the memory of an entire virtual machine is encrypted, so its contents are opaque to cloud administrators and to the hypervisor, giving you secure and isolated computation. Microsoft's trusted launch feature measures the integrity of the confidential VM at boot. The runtime state of these VMs is fully encrypted, protecting your data even while it is in use; the keys used for this RAM encryption are generated inside the CPU's AMD Secure Processor and never leave it. Two caveats a practitioner should keep in mind: the guest operating system still sees plaintext, so this protects you from the host and the operator, not from whoever holds credentials to the VM itself; and you should verify rather than assume that a VM is confidential, by requesting an attestation report through Microsoft Azure Attestation (inside a Linux guest, `dmesg | grep -i sev` additionally shows which SEV features the kernel has enabled, but that is the guest's own report, not proof).

The ability to bring an already encrypted disk image to Azure using customer-managed keys adds a further layer of isolation. In this scenario, customers prepare their disk image in their own environment using their own keys, upload the image to Azure, and import those keys into Azure Managed HSM, a single-tenant service validated to FIPS 140-2 Level 3, if they need that level of assurance. The key is released to the VM only after the VM has attested, so the key material is never in the hands of the platform operator in the clear.

Azure provides additional protection beyond the hardware, including trusted launch. Trusted launch measures the integrity of the confidential virtual machine at every boot (measured boot, with the measurements recorded in a virtual TPM) and helps protect it from bootkits, rootkits and kernel-level malware. Secure Boot ensures that only signed operating systems and drivers can boot. Together they establish a "root of trust" for the software stack on your VM.
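The three paragraphs above describe the pieces of an AMD-based confidential VM: memory encryption, a customer-managed key held in an HSM and released only to an attested VM, and trusted launch (Secure Boot plus vTPM). The script below, added here as an illustration and not code from the original page or from Microsoft, wires those pieces together with the Azure CLI. Resource-group, vault, key and VM names, the region, the VM size and image, and the attestation authority URL are all assumptions to replace with your own; the claim names in the key release policy follow the Azure confidential VM documentation as I recall it and should be checked against the current docs before you rely on them. The `az` calls only run when the script is invoked with `deploy`, so you can source it to inspect the generated policy first.

```shell
#!/usr/bin/env bash
# Added example: provision an AMD SEV-SNP confidential VM whose OS disk and VM
# guest state are encrypted with a customer-managed key that the HSM releases
# only to an attested confidential VM. Names, region, size, image and the
# attestation authority below are assumptions. Requires a logged-in `az`.
set -eu

# Secure Key Release policy: release the key only to a VM that Microsoft Azure
# Attestation reports as an Azure-compliant SEV-SNP confidential VM.
# Claim names as in the Azure CVM docs (assumption: verify against current docs).
write_skr_policy() {
  cat > "$1" <<'EOF'
{
  "version": "1.0.0",
  "anyOf": [
    {
      "authority": "https://sharedeus.eus.attest.azure.net",
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ]
    }
  ]
}
EOF
}

deploy_cvm_with_cmk() {
  rg="$1"; region="$2"; kv="$3"; key="$4"; des="$5"; vm="$6"
  policy="$(mktemp)"
  write_skr_policy "$policy"

  az group create --name "$rg" --location "$region" --output none

  # HSM-backed vault with purge protection (a disk encryption set requires it).
  # For Azure Managed HSM instead: create it with `az keyvault create --hsm-name`,
  # activate its security domain, then pass `--hsm-name` in place of `--vault-name`.
  az keyvault create --name "$kv" --resource-group "$rg" --location "$region" \
    --sku Premium --enable-purge-protection true --enable-rbac-authorization true \
    --output none

  # Exportable RSA-HSM key bound to the release policy. To bring a key generated
  # in your own environment instead, use `az keyvault key import --byok-file`.
  az keyvault key create --vault-name "$kv" --name "$key" --kty RSA-HSM --size 3072 \
    --ops wrapKey unwrapKey --exportable true --policy "@${policy}" --output none

  key_url="$(az keyvault key show --vault-name "$kv" --name "$key" --query key.kid -o tsv)"
  kv_id="$(az keyvault show --name "$kv" --query id -o tsv)"

  # Disk encryption set of the confidential-VM type, pointing at that key, and
  # permission for its managed identity to wrap/unwrap with it.
  az disk-encryption-set create --resource-group "$rg" --name "$des" \
    --key-url "$key_url" --encryption-type ConfidentialVmEncryptedWithCustomerKey \
    --output none
  des_principal="$(az disk-encryption-set show --resource-group "$rg" --name "$des" \
    --query identity.principalId -o tsv)"
  az role assignment create --role "Key Vault Crypto Service Encryption User" \
    --assignee-object-id "$des_principal" --assignee-principal-type ServicePrincipal \
    --scope "$kv_id" --output none
  des_id="$(az disk-encryption-set show --resource-group "$rg" --name "$des" --query id -o tsv)"

  # ConfidentialVM security type on a DCasv5 (AMD EPYC 3rd Gen) size, trusted
  # launch controls on (Secure Boot + vTPM), OS disk and VM guest state
  # encrypted under the customer-managed key.
  az vm create --resource-group "$rg" --name "$vm" --size Standard_DC4as_v5 \
    --image "Canonical:0001-com-ubuntu-confidential-vm-jammy:22_04-lts-cvm:latest" \
    --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true \
    --os-disk-security-encryption-type DiskWithVMGuestState \
    --os-disk-secure-vm-disk-encryption-set "$des_id" \
    --admin-username azureuser --generate-ssh-keys --output none
  rm -f "$policy"
}

# Usage: ./cvm-cmk.sh deploy <resource-group> <region> <vault> <key> <des> <vm>
if [ "${1:-}" = "deploy" ]; then
  shift
  deploy_cvm_with_cmk "$@"
fi
```

The important line for the "keys never reach the operator" claim is the `--policy` on the key: without a release policy the key is still HSM-held, but any principal with the right role could use it, whereas with it the HSM hands the key only to a VM whose attestation satisfies the claims. After the VM is up, confirm the disk shows the confidential encryption type (`az disk show --query securityProfile`) rather than trusting the flags you passed.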

What are some common use cases for confidential computing?

Prevention of fraud and waste, anti-corruption, anti-terrorism, records and evidence management, intelligence analysis, global weapons systems and logistics management, vulnerable population protection (including child exploitation and human trafficking), anti-money laundering, digital currencies, blockchain, transaction processing, customer analytics, proprietary analytics and algorithms, disease diagnostics, drug development, and contact tracing.

Different use cases for confidential computing: Common Azure confidential computing scenarios and use cases

What are some of the options available to confidentially compute today?

Use confidential containers, write enclave-aware applications with the Open Enclave SDK, utilize a third-party solution to run workloads, or deploy the latest virtual machine from Azure with Intel SGX-enabled hardware.

Considerations

Azure confidential computing virtual machines (VMs) with Intel SGX are available in the DCsv2-series sizes for general-purpose needs (these are distinct from the ordinary Dv2-series). This scenario uses Intel SGX-enabled DCsv2-series virtual machines with Gen2 operating system (OS) images. Not every size can be deployed in every region, so check availability before planning a deployment. For more information, see Quickstart: Deploy an Azure Confidential Computing VM in the Marketplace and Products available by region.

Microsoft Announcement

As part of our commitment to delivering the best possible value for Azure customers, we are announcing a price reduction on DCsv2-series Azure Virtual Machines by 37%. The new pricing is effective June 1st, 2021, and applies to all the regions where DCsv2-series is available.

DCsv2-series protects the confidentiality and integrity of your data and code while it’s processed in the public cloud. To learn more, visit the Confidential Computing webpage.

Official announcement: General availability: Confidential Computing price reduction on DCsv2 virtual machines