The rapid adoption of Azure globally has resulted in a need to provide strong security assurances to customers on the state of their workloads and Azure’s ability to protect their data. Azure confidential computing offers a state-of-the-art hardware, software & services platform to protect sensitive customer data in-use while minimizing the Trusted Computing Base (TCB). Microsoft Azure Attestation reinforces the security promises made by cutting-edge security paradigms such as confidential computing.
Azure Attestation offers a simple PaaS experience to enable customers to solve the complicated problem of gaining trust in, and verifying the identity of, an environment before they interact with it. The ability to gain this trust allows customers to develop applications and create business models that require uncompromising trust where they were previously unable to create them -- in the cloud.
Azure Attestation is a unified solution that supports attestation of platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as Intel® Software Guard Extensions (SGX) enclaves and Virtualization-based Security (VBS) enclaves.
Azure Attestation receives evidence from an environment, validates it against Azure security standards and configurable user-defined policies, and produces cryptographic proofs (termed attestation tokens) for claims-based applications. These tokens enable relying parties to gain confidence in the trustworthiness of the environment and the integrity of the software binaries running inside it, and to make trust-based decisions to release sensitive data to it. The tokens generated by Azure Attestation can be consumed by services in scenarios such as enclave validation, secure key sharing, confidential multi-party computation, etc.
Azure Attestation provides the following benefits:
An attestation provider is a service endpoint of Azure Attestation that exposes a REST contract. You can choose to use the regional shared providers or create your own custom provider. An attestation provider comes with a default policy for each supported attestation type. Azure Attestation also lets you enforce custom rules in your custom provider via a configurable policy. If configured, an attestation policy is used to process the attestation evidence and determines whether the service shall issue an attestation token.
The following actors are involved in an Azure Attestation workflow:
Client: The component which collects evidence from an environment and sends attestation requests to Azure Attestation.
Azure Attestation: The component which accepts evidence from the client, validates it against Azure security standards, evaluates it against the configured policy and returns an attestation token to the client.
Relying party: The component which relies on Azure Attestation for remotely attesting the state of an environment backed by a TPM or an enclave.
Consider a multi-party data sharing use-case where an organization (the relying party) wants to share data with its partners and gain insights by running inference models on the aggregated information. To protect data confidentiality while leveraging mutual benefits, data in use can be encrypted and processed in TEEs like SGX enclaves. However, before giving access to the encrypted content, the organization would like to validate the trustworthiness of the enclave and only then securely transfer secrets to it. Azure Attestation enables this remote verification process.
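As an added illustration of the three actors and the multi-party scenario just described (this is not Microsoft's code), the toy model below has the attestation service evaluate constructed SGX evidence against a policy and issue a signed token, and the relying party verify that token before releasing a secret to the enclave. The claim names mirror the x-ms-sgx-* claims Azure Attestation issues; the policy format, the placeholder MRSIGNER value and the HMAC signature are simplifications of the real policy language and asymmetrically signed JWT.

```python
import base64, hashlib, hmac, json

# Constructed policy a custom attestation provider might enforce over SGX evidence.
POLICY = {
    "allowed_mrsigner": {"ab" * 32},      # constructed placeholder MRSIGNER hex
    "min_svn": 3,
    "require_non_debuggable": True,
}
SERVICE_KEY = b"constructed-attestation-service-key"  # stands in for the service's signing key pair

def evaluate_policy(evidence, policy=POLICY):
    """Azure Attestation step: return the list of policy rules the evidence fails."""
    failures = []
    if evidence.get("x-ms-sgx-mrsigner") not in policy["allowed_mrsigner"]:
        failures.append("mrsigner not in allowlist")
    if evidence.get("x-ms-sgx-svn", 0) < policy["min_svn"]:
        failures.append("security version below minimum")
    if policy["require_non_debuggable"] and evidence.get("x-ms-sgx-is-debuggable"):
        failures.append("debug enclave not allowed")
    return failures

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(evidence, policy=POLICY, key=SERVICE_KEY):
    """Azure Attestation step: issue a signed token only if every policy rule passes."""
    if evaluate_policy(evidence, policy):
        return None
    claims = {"x-ms-attestation-type": "sgx", **evidence}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, key=SERVICE_KEY):
    """Relying-party step: check the signature and return the claims, or None if tampered."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def release_secret(token, secret, key=SERVICE_KEY):
    """Relying-party decision: hand the secret to the enclave only on a valid SGX token."""
    claims = verify_token(token, key)
    return secret if claims and claims.get("x-ms-attestation-type") == "sgx" else None

# Constructed evidence a client might collect: one trustworthy enclave, one debug build.
GOOD_EVIDENCE = {"x-ms-sgx-mrsigner": "ab" * 32, "x-ms-sgx-svn": 5, "x-ms-sgx-is-debuggable": False}
DEBUG_EVIDENCE = {**GOOD_EVIDENCE, "x-ms-sgx-is-debuggable": True}
```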
Below is a workflow example for a confidential computing scenario based on Azure Attestation:
Creation and management of attestation providers can also be performed using the Azure Command Line Interface (CLI) or Azure PowerShell.
We are excited to see multiple scenarios benefiting from Azure Attestation. Some of them include:
“Microsoft Azure Attestation is a key component of a solution for confidential computing provided by Always Encrypted with secure enclaves in Azure SQL Database. Azure Attestation allows database users and applications to attest secure enclaves inside Azure SQL Database are trustworthy and therefore can be confidently used to process queries on sensitive data stored in customer databases.”
- Joachim Hammer, Principal Group PM Manager, Azure SQL
Microsoft also works with platform partners who specialize in creating scalable software running on top of Azure confidential computing environments. Partners such as Fortanix, Anjuna, and Scone have expressed great interest in leveraging the services offered by Azure Attestation.
Our long-term aspiration is partnering with people and organizations around the planet to help them achieve more, and more securely, with Microsoft Azure Attestation. Azure Attestation will be the one Microsoft service that attests multiple platforms used by Azure customers such as Confidential Containers, Confidential VMs, IoT edge devices and more. We expect Azure Attestation to be the leading cloud service for customers to establish unconditional trust in infrastructure and runtime across Azure, on-prem and edge. It will drive the adoption of Microsoft services while strengthening customer data governance.
Learn more about Azure Attestation.