

Confidential computing with Microsoft Azure components

In this talk I give a short overview of how confidential computing works and what the involved components are, and then focus on the confidential computing capabilities and services of Microsoft Azure. This talk was held at Sitic Sharing about Zero Trust.


Jan Moser

July 17, 2025



Transcript

  1. About me (NFQ Technologies | Scaling Business)
     → 25 years in the software industry (I coded with .NET 1.0 on Windows XP ;) )
     → iSAQB certified instructor and certified Azure Solution Architecture and Cybersecurity expert
     → Member of the DevOpsDays Zurich organization committee
     → Enthusiast for all kinds of tech, software (architecture and development), DevOps, thought leadership and much more
     https://www.linkedin.com/in/moserjan/
  2. Our data is valuable…very valuable…
     → Modern applications often revolve around data (presenting it, modifying it).
     → This data is an inherent asset of modern tech companies.
     → Hence malicious parties are interested in reading this data or, even worse, in tampering with or erasing it.
     → To ensure business continuity and market advantage we need to protect this asset as well as possible.
  3. The triangle of data protection
     → To protect their data, engineers came up with the so-called triangle of data protection.
     → Data should be encrypted, and thus inaccessible to unauthorized parties, at rest, in transit and in use.
     → Encryption at rest and in transit has been a well-adopted standard for many years; protecting data in use in a safe yet performant manner was, until recently, very complicated.
  4. TEEs to the rescue
     → To protect data also in use, hardware vendors produced a construct called Trusted Execution Environment (TEE).
     → A TEE operates at the hardware level and provides compute and memory that cannot be read out or tampered with, not even by the underlying OS or hypervisor (which together form the Rich Execution Environment, REE).
     → The most widespread uses of TEEs today are mobile payment systems such as Apple Pay or Google Pay, which rely on a TEE for the terminal communication, and certain biometric access systems.
  5. Azure Attestation Service
     → Microsoft Azure Attestation (MAA) is the core of the confidential platform on Azure. It verifies the hardware evidence of various TEEs and can enforce additional attestation policies on top.
     → All confidential workloads use MAA (or alternatively your own attestation service) to prove that they are running on genuine confidential hardware; a relying party such as a key-release service should hand out secrets only to a workload that presents a valid, policy-compliant attestation token.
     → MAA is, as of today, free of charge.
     → You can also implement your own attestation service.
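As an added example (not code from the deck, from Microsoft or from any Azure SDK), here is the relying-party half of the flow the slide describes in Go: a key-release service that releases a secret only when it receives a token signed by the attestation service whose claims pass its policy. The compact JWS/ES256 token shape is real; the claim names (x-ms-style but simplified), the issuer URL, the measurement strings and the hard-coded policy are assumptions for illustration, and the hardware-report check the attestation service performs before signing is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims: simplified token payload; the x-ms-* names imitate Azure Attestation's style but are an assumption here.
type Claims struct {
	Iss         string `json:"iss"`
	Exp         int64  `json:"exp"`
	TEEType     string `json:"x-ms-attestation-type"`
	Debuggable  bool   `json:"x-ms-is-debuggable"`
	Measurement string `json:"x-ms-launch-measurement"`
}

// Policy is what the relying party enforces on top of a valid signature.
type Policy struct {
	Issuer, TEEType string
	AllowedMeas     map[string]bool // launch measurements of approved images
}

var enc = base64.RawURLEncoding
var hdr = enc.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) // the only header accepted

// SignToken models the attestation service issuing an ES256 JWS over the claims
// after it has validated the hardware report (that step is not shown here).
func SignToken(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := hdr + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are fixed-width r||s, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyToken is the relying-party side: pin the header (no alg confusion), check
// the signature with the attestation service's pinned key, then evaluate claims.
func VerifyToken(pub *ecdsa.PublicKey, token string, p Policy) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != hdr {
		return Claims{}, errors.New("malformed token or unsupported alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return Claims{}, errors.New("bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return Claims{}, errors.New("signature invalid: not from the trusted attestation service")
	}
	var c Claims // the payload is parsed only after the signature holds
	if body, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, errors.New("bad payload")
	}
	switch {
	case c.Iss != p.Issuer:
		return c, fmt.Errorf("unexpected issuer %q", c.Iss)
	case time.Now().Unix() >= c.Exp:
		return c, errors.New("token expired")
	case c.TEEType != p.TEEType:
		return c, fmt.Errorf("wrong TEE type %q", c.TEEType)
	case c.Debuggable:
		return c, errors.New("debug-enabled TEE: its memory is inspectable, refuse")
	case !p.AllowedMeas[c.Measurement]:
		return c, fmt.Errorf("measurement %q not on the allow-list", c.Measurement)
	}
	return c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the attestation service's key
	policy := Policy{Issuer: "https://example.attest.azure.net", TEEType: "sevsnpvm", AllowedMeas: map[string]bool{"meas-golden-image-v3": true}}
	c := Claims{Iss: policy.Issuer, Exp: time.Now().Add(time.Hour).Unix(), TEEType: "sevsnpvm", Measurement: "meas-golden-image-v3"}
	for _, dbg := range []bool{false, true} { // same image, once production, once debug-enabled
		c.Debuggable = dbg
		tok, _ := SignToken(key, c)
		_, err := VerifyToken(&key.PublicKey, tok, policy)
		fmt.Printf("debuggable=%-5v release secret: %-5v %v\n", dbg, err == nil, err)
	}
}
```

The order inside VerifyToken is the point: nothing in the payload is trusted before the signature is verified against the pinned key, the header is compared against the one accepted value rather than letting the token choose its algorithm, and a debug-enabled TEE is refused even when its measurement is on the allow-list, because debug mode lets the host read enclave or guest memory.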
  6. Azure Confidential VMs
     → Confidential VMs (CVMs) offer hardware-based isolation of the whole VM: guest memory is encrypted so that neither the hypervisor nor the host can read it.
     → They support guest attestation and offer a vTPM (virtual Trusted Platform Module) that holds the keys used for attestation and measured boot.
     → You normally do not have to change your workload or code; you "just" switch to a CVM-compatible image.
     → Since everything runs inside the VM, the isolation granularity is the VM itself: the guest OS and every process in it share one trust boundary, so a compromised guest kernel still sees all of the workload's data.
  7. Azure VMs with App Enclaves
     → These VMs run on CPUs with Intel SGX, which supports application enclaves.
     → To benefit from this feature you need to (re)write your code to use the enclave features: the application is split into an untrusted host part and a trusted enclave part.
     → This gives fine-grained control over how many enclaves you build and what is processed in which enclave, but you have to manage the encrypted memory budget and the enclave runtime yourself.
     → Only SGX-enabled OS images can be used for these VMs.
  8. Azure Confidential AKS nodes
     → Azure offers two variants of confidential worker nodes.
     → Confidential worker nodes are practically CVM node pools in an AKS cluster.
     → On horizontal scaling, an AKS operator attests the integrity of the added nodes.
     → Alternatively you can deploy SGX enclave worker nodes, where you handle the application enclave yourself in your code.
  9. Azure Confidential Containers
     → Azure confidential containers abstract the container environment from the underlying host.
     → Attestation is done via a sidecar pattern.
     → The protection boundary is the container group (Azure Container Instances).
     → In AKS the protection boundary is the pod, implemented via the open source Confidential Containers project.
  10. Azure Confidential Ledger
     → The Confidential Ledger is basically a poor man's blockchain.
     → It creates a small consortium of at least 3 secure VM nodes and acts like a blockchain: data is validated against a hard-to-tamper ledger chain.
     → Like a real blockchain it uses Merkle trees and hashes to make the ledger hard to tamper with.
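An added example (not Azure Confidential Ledger's or CCF's code) of the two mechanisms the slide mentions, in Go: a hash chain that links each entry to its predecessor, and a Merkle tree whose root serves as a receipt and yields inclusion proofs. It also shows why both are needed: editing a middle entry breaks the chain, but editing the newest entry does not, and only the published root catches it. The entry format, the domain-separation bytes and the odd-level duplication rule are this example's own choices, not the service's.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Entry is one ledger record; PrevHash links it to its predecessor (a hash chain).
type Entry struct {
	Data     string
	PrevHash [32]byte
}

func (e Entry) Hash() [32]byte { return sha256.Sum256(append(e.PrevHash[:], e.Data...)) }

// Domain-separated tree hashes: a leaf can never be mistaken for an inner node.
func leafHash(e Entry) [32]byte     { eh := e.Hash(); return sha256.Sum256(append([]byte{0x00}, eh[:]...)) }
func nodeHash(l, r [32]byte) [32]byte { return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...)) }

type Ledger struct{ Entries []Entry }

func (l *Ledger) Append(data string) {
	var prev [32]byte
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash()
	}
	l.Entries = append(l.Entries, Entry{Data: data, PrevHash: prev})
}

// VerifyChain rewalks the hash chain. It catches an edit to any entry that has a
// successor, but NOT an edit to the newest entry: nothing points at it yet.
func (l *Ledger) VerifyChain() error {
	var prev [32]byte
	for i, e := range l.Entries {
		if e.PrevHash != prev {
			return fmt.Errorf("chain broken at entry %d", i)
		}
		prev = e.Hash()
	}
	return nil
}

type ProofStep struct {
	Sibling [32]byte
	Left    bool // sibling sits to the left of the running hash
}

// Merkle builds the tree over all leaf hashes (odd levels duplicate their last node)
// and returns the root, which the ledger publishes as a receipt, plus the sibling
// path for entry `want` (pass -1 for the root only).
func (l *Ledger) Merkle(want int) ([32]byte, []ProofStep) {
	level := make([][32]byte, 0, len(l.Entries))
	for _, e := range l.Entries {
		level = append(level, leafHash(e))
	}
	if len(level) == 0 || want >= len(level) {
		return [32]byte{}, nil
	}
	var proof []ProofStep
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		if want >= 0 {
			sib := want ^ 1
			proof = append(proof, ProofStep{Sibling: level[sib], Left: sib < want})
			want /= 2
		}
		next := make([][32]byte, 0, len(level)/2)
		for j := 0; j < len(level); j += 2 {
			next = append(next, nodeHash(level[j], level[j+1]))
		}
		level = next
	}
	return level[0], proof
}

// VerifyProof recomputes the root from a leaf and its proof, so a client holding a
// trusted receipt can check inclusion without downloading the whole ledger.
func VerifyProof(leaf [32]byte, proof []ProofStep, root [32]byte) bool {
	h := leaf
	for _, s := range proof {
		if s.Left {
			h = nodeHash(s.Sibling, h)
		} else {
			h = nodeHash(h, s.Sibling)
		}
	}
	return h == root
}

func main() {
	l := &Ledger{}
	for _, d := range []string{"open:acct-1", "deposit:acct-1:100", "withdraw:acct-1:40"} { // constructed sample entries
		l.Append(d)
	}
	receipt, proof := l.Merkle(2)              // the receipt is handed to the client at write time
	l.Entries[2].Data = "withdraw:acct-1:4000" // an insider edits the newest entry
	fmt.Println("chain still verifies:", l.VerifyChain() == nil, "receipt still matches:", VerifyProof(leafHash(l.Entries[2]), proof, receipt))
}
```

The takeaway for an audit-log design is that the chain alone protects only the past: whoever controls the storage can rewrite the tail. The Merkle root (or, in the real service, a receipt signed inside the TEE consortium) has to leave the system and be kept by the client for the tail to be checkable too.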
  11. Performance
     → CVMs are usually 100-350% slower to start up than normal VMs.
     → In general, their overall performance is 5-15% lower than that of a normal VM.
     → The severe degradation happens when the host CPU is under heavy load; then performance drops of up to 60% can occur in I/O operations.
     → Frequent context switches and synchronization-heavy tasks have the most severe impact on CVM performance (see the CVM performance paper on the links slide).
  12. Security
     → While TEEs are usually very secure, they are not unbreachable.
     → TEEs host code; if your code has smells or vulnerabilities, the best TEE cannot prevent incidents.
     → As of 01.04.2025 there are 49 CVEs related to AMD SEV(-ES/SNP) and 9 CVEs related to Intel TDX.
     → 39% of those are related to improper attestation validation.
     → As of now, Intel and AMD have integrated protection against Meltdown attacks.
     → Per se, enclaves are secure from Spectre, unless you bring speculation gadgets into the enclave code yourself. Intel offers a guide on how to harden a secure enclave app (see the links slide).
  13. Pricing and Availability
     → In my research the confidential VM types were 10-20% more expensive than their regular counterparts.
     → Intel SGX and AMD SEV-SNP VMs are available in Switzerland North and West.
     → Nvidia confidential GPU machines and Intel TDX are not yet available there.
  14. Links
     NFQ Solutions: https://nfq-solutions.de/
     Azure Confidential Computing page: https://azure.microsoft.com/en-us/solutions/confidential-compute
     Azure Confidential Computing blog: https://techcommunity.microsoft.com/category/azure/blog/azureconfidentialcomputingblog
     Open Enclave SDK: https://github.com/openenclave/openenclave
     Confidential Containers: https://github.com/confidential-containers
     Azure Confidential Computing Learn space: https://learn.microsoft.com/en-us/azure/confidential-computing/
     SCONE (confidential computing framework on Intel SGX): https://sconedocs.github.io/
     Scientific paper about CVMs and their performance: https://dse.in.tum.de/wp-content/uploads/2024/11/sigmetrics25summer-CVM-Explained.pdf
     Enclave app secure development guide: https://www.intel.com/content/dam/develop/external/us/en/documents/180204-sgx-sdk-developer-guidance-v1-0.pdf
  15. Q&A