Azure and AMD announce landmark in confidential computing evolution

Mark Russinovich Chief Technology Officer and Technical Fellow, Microsoft Azure

The pandemic has accelerated digital transformation globally and the scalability and security advantages offered by Microsoft Azure have helped many customers move forward. One key tenet we have in Azure is that your data is your data.

In Azure, we take your data security seriously and have built numerous controls around data at rest and data at flight. As a founding member of the Confidential Computing Consortium, we are also an innovator in confidential computing which extends those protections to data running on the processor itself. For more than 3 years financial services, governments, health care providers, and even messaging companies have been using Azure confidential computing to unlock new scenarios like multi-party machine learning and move their more sensitive applications to the cloud.

Today, I am announcing that we are further broadening the confidential computing options available to Azure customers through our technology partnership with AMD, specifically by being the first major cloud provider to offer confidential virtual machines on the new AMD EPYC™ 7003 series processors. This new approach complements existing Azure confidential computing solutions such as confidential containers for Azure Kubernetes Service and opens the possibility to create new confidential applications without requiring code modifications which in turn substantially simplifies the process of creating confidential applications.

Key technology enablers to the AMD-centered solution include the advanced security feature called Secure Encrypted Virtualization-Secure Nested Paging, or SEV-SNP. SEV-SNP enables protection of virtual machines by creating a trusted execution environment and has been substantially enhanced in the 3rd Gen AMD EPYC processor.

These AMD EPYC-CPU powered Azure VMs are fully encrypted at runtime, fulfilling the promise of confidential computing by protecting your data even when it is in use. The encryption keys used for VM encryption are generated, and safeguarded, by a dedicated secure processor on the EPYC CPU. This helps ensure that no one, even cloud administrators—and by extension the workloads, apps, or data in the VMs—have access to these encryption keys.

Beyond the hardware, Azure provides a set of important services, including the Azure Attestation service and trusted launch, to further help our customers. The Azure Attestation service collects evidence that the hardware environment is correct and then provides a cryptographic signal to Azure Key Vault to securely release the decryption key for the virtual machine image only if the environment is in a known good state. Subsequently, the decrypted virtual machine boot process is subjected to trusted launch to defend against bootkits, rootkits, and kernel-level malware. In this step, trusted launch measures the integrity of the virtual machine image against information stored in the vTPM before continuing boot processes.

Customers can also bring a fully encrypted disk image to Azure, ensuring that the image is never available in plain text to the Azure environment. In this scenario, the customer prepares the disk image in their local environment using their own keys and then uploads the image to Azure while placing the keys in Azure’s single tenant FIPS level 3 compliance managed HSM.

In summary

With the 3rd Gen AMD EPYC CPU-backed confidential computing VMs, Azure confidential computing now enables customers to encrypt entire VMs confidentially, enable confidentiality without recompiling code, and benefit from a host of Azure-specific enhancements. Today you can deliver confidential workloads on Azure with the broadest choice of hardware as well as resources spanning virtual machines, containers, SQL, and beyond.