Security is a key driver accelerating the adoption of cloud computing, but it’s also a major concern when you’re moving extremely sensitive IP and data scenarios to the cloud.
There are ways to secure data at rest and in transit, but you need to protect your data from threats as it’s being processed. Now you can. Confidential computing adds new data security capabilities using trusted execution environments (TEEs) or encryption mechanisms to protect your data while in use.
TEEs are hardware or software implementations that safeguard data being processed from access outside the TEE. The hardware provides a protected container by securing a portion of the processor and memory. Only authorised code is permitted to run and to access data, so code and data are protected against viewing and modification from outside of the TEE.
Last month, Microsoft announced that confidential computing will be coming to Kubernetes workloads.
Confidential computing with Azure
Azure is the first major cloud platform to support confidential computing, building on Intel SGX. Last year, we announced the preview of the DC-series of virtual machines that run on Intel Xeon processors, which are confidential computing ready.
This also provides an additional layer of protection from potentially malicious insiders at a cloud provider, minimises the risk of data leaks and may even address some regulatory compliance needs.
Confidential computing enables several use cases that were previously not possible. For example, customers in regulated industries can now collaborate using sensitive partner or customer data to detect fraud scenarios, without giving the other party visibility into that data.
How it works for Kubernetes
You can now get this additional layer of data protection for your Kubernetes workloads by running the code inside secure hardware enclaves on the CPU. This can be done in just a few steps:
- Use the Open Enclave SDK for confidential computing in code.
- Create a Kubernetes cluster on hardware that supports Intel SGX, such as the DC-series virtual machines running Ubuntu 16.04 or Ubuntu 18.04.
- Install the confidential computing device plugin into those virtual machines.
Kubernetes users can then schedule pods and containers that use the Open Enclave SDK onto hardware that supports TEEs. The Open Enclave SDK was recently open sourced by Microsoft and made available to the Confidential Computing Consortium under the Linux Foundation for standardisation.
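As an added example of the scheduling step above (not code from the original post or from Microsoft), here is a pod manifest that requests enclave memory from the confidential computing device plugin so the scheduler places it only on an SGX-capable node. The image name and node label are placeholders, and the extended resource name is the one later AKS releases of the plugin advertise; treat it as an assumption and check what your installed plugin version exposes.

```yaml
# Added example, not from the original post: a pod running an Open Enclave
# SDK application on a DC-series (Intel SGX) Kubernetes node.
apiVersion: v1
kind: Pod
metadata:
  name: oe-helloworld
  labels:
    app: oe-helloworld
spec:
  # Assumption: the cluster operator labelled the SGX nodes. Both the label
  # key and value here are placeholders, not names defined by the plugin.
  nodeSelector:
    sgx-capable: "true"
  containers:
  - name: enclave-app
    # Placeholder image: your own application built with the Open Enclave SDK.
    image: myregistry.example/oe-helloworld:1.0
    resources:
      limits:
        # Extended resource advertised by the device plugin. The resource name
        # is plugin-version dependent; this one is assumed here.
        kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
    securityContext:
      # Access to the enclave device is granted by the device plugin through
      # the resource request above, so the container does not need to be
      # privileged. The enclave protects data in use; the host-side part of
      # the application is ordinary container code and should stay locked down.
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

If the pod stays Pending, describe it with kubectl: an unsatisfied extended-resource request or node selector is reported in the scheduling events.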