One of the biggest challenges facing any enterprise using the public cloud is the fact that it’s public. Yes, your applications run in isolated virtual machines and your data sits in its own virtual storage appliances, but there’s still a risk of data exposure. In a multitenant environment, you can’t be certain that memory is freed up safely, so that your data isn’t leaking across the boundaries between your systems and others.
That’s why businesses keep close watch on their regulatory compliance, and often keep sensitive data on premises. That allows them to feel sure that they’re managing personally identifiable information securely (or at least in private), along with any data that is subject to regulations.
However, keeping data on-prem means not taking advantage of the cloud’s scalability or global reach. As a result, you’re working with isolated islands of information, where you can’t develop deeper insights or where you’re forced to regularly download data from the cloud to build smaller local models.
Economically that’s a problem, because egress charges for cloud-hosted data can be expensive. And that’s before you’ve invested in MPLS links to your cloud provider to ensure you have private, low-latency connectivity. There’s an additional issue, because now you will need a larger security organization to keep that data safe.
How can you be confident in the security of your cloud-hosted data when you don’t have access to the same level of monitoring, or threat intelligence, or security experience as the cloud providers? If we look at modern silicon, it turns out there is a middle way, confidential computing.
Confidential computing advances
I wrote about how Microsoft used Intel’s secure extensions to its processor instruction sets to provide a foundation for confidential computing in Azure a few years ago. In the years since, the confidential computing market has taken a few steps forward.
The initial implementations allowed you to work only with a chunk of encrypted memory, ensuring that even if VM isolation failed, that chunk of memory could not be read by another VM. Today you can encrypt the entire working memory of a VM or hosted service. Also, you now have a broader choice of silicon hardware, with support from AMD and Arm.
Another important development is that Nvidia has added confidential computing features to its GPUs. This allows you to build machine learning models using confidential data, as well as protecting the data used for mathematical modeling. Using GPUs at scale allows us to treat the cloud as a supercomputer, and adding confidential computing capabilities to those GPUs allows clouds to partition and share that compute capability more efficiently.
Simplifying confidential computing on Azure
Microsoft Azure’s confidential computing capabilities are evolving right along with the hardware. Azure’s confidential computing platform began life as a way of providing protected, encrypted memory for data. With the latest updates, which Microsoft announced at Ignite 2023, it now provides protected environments for VMs, containers, and GPUs. And there’s no need to write specialized code; instead you can now encapsulate your code and data in a secure, isolated, and encrypted space.
This approach lets you use the same applications on both regulated and unregulated data, simply targeting the appropriate VM hosts. There’s a bonus in that the use of confidential VMs and containers allows you to lift and shift on-premises applications to the cloud, while maintaining regulatory compliance.
Azure confidential VMs with Intel TDX
The new Azure confidential VMs run on the latest Xeon processors, using Intel’s Trust Domain Extensions. With TDX there’s support for using attestation techniques to ensure the integrity of your confidential VMs, as well as tools to manage keys. You can manage your own keys or use the underlying platform. There’s plenty of OS support too, with Windows Server (and desktop options) as well as initial Linux support from Ubuntu, with Red Hat and Suse to come.
Microsoft is starting to roll out a preview of these new confidential VMs, across one European and two US Azure regions, with a second Europe region arriving in early 2024. There’s plenty of memory and CPU in these new VMs, as they’re intended for hefty workloads, especially where you need a lot of memory.
Azure confidential VMs with GPU support
Adding GPU support to confidential VMs is a big change, as it expands the available compute capabilities. Microsoft’s implementation is based on Nvidia H100 GPUs, which are commonly used to train, tune, and run various AI models including computer vision and language processing. The confidential VMs allow you to use private information as a training set, for example training a product evaluation model on prototype components before a public unveiling, or working with medical data, training a diagnostic tool on X-ray or other medical imagery.
Instead of embedding a GPU in a VM, and then encrypting the whole VM, Azure keeps the encrypted GPU separate from your confidential computing instance, using encrypted messaging to link the two. Both operate in their own trusted execution environments (TEE), ensuring that your data remains secure.
Conceptually this is no different from using an external GPU over Thunderbolt or another PCI bus. Microsoft can allocate GPU resources as needed, with the GPU TEE ensuring that its dedicated memory and configuration are secured. You’re able to use Azure to get a security attestation in advance of releasing confidential data to the secure GPU, further reducing the risk of compromise.
Confidential containers on Kubernetes
More confidential computing tools are moving into Microsoft’s managed Kubernetes service, Azure Kubernetes Service, with support for confidential containers. Unlike a full VM, these run inside host servers, and they’re built on top of AMD’s hardware-based confidential computing extensions. AKS’s confidential containers are an implementation of the open-source Kata containers, using Kata’s utility VMs (UVMs) to host secure pods.
You run confidential containers in these UVMs, allowing the same AKS host to support both secure and insecure containers, accessing hardware support through the underlying Azure hypervisor. Again, like the confidential VMs, these confidential containers can host existing workloads, bringing in existing Linux containers.
These latest updates to Azure’s confidential computing capabilities remove the roadblocks to bringing existing regulated workloads to the cloud, providing a new on-ramp to delivering scalable and burst use of secure computing environments. Yes, there are additional configuration and management steps around key management and ensuring that your VMs and containers have been attested, but those are things you should do when working with sensitive information on-premises as well as in the cloud.
Confidential computing needs to be seen as essential when we’re working with sensitive and regulated information. By adding these features to Azure, and by supporting the features in the underlying silicon, Microsoft is making the cloud a more attractive option for both health and finance companies.