
Azure confidential computing, AWS aim to better secure cloud data

Microsoft's confidential computing for Kubernetes and AWS' upcoming Nitro Enclaves both aim to give IT pros ways to create isolated compute environments for sensitive data.

When Microsoft introduced confidential computing for Kubernetes users last month, it also opened up a new realm of competition as AWS quickly followed suit.

Microsoft delivered a trusted execution environment to Kubernetes through the Open Enclave SDK and the Open Enclave Kubernetes device plugin during the KubeCon 2019 conference in November. AWS then made its first play in the confidential computing space with Nitro Enclaves, introduced at the AWS re:Invent conference early in December.

"Historically, Azure has been the only cloud provider that has focused on confidential computing to ensure that workloads can run without even Azure/Microsoft being able to inspect them," said Scott Piper, an AWS security consultant in Salt Lake City.

AWS has held a stronger position -- in terms of business policy -- than Microsoft on not inspecting customer workloads at all, he noted.

"By this, I mean that Microsoft has had more ways of monitoring systems -- via agents -- that give greater insight into the workloads," Piper said. "AWS is fairly immature with respect to the agents you can install."

Confidential computing protects data in use: the data is processed inside a hardware-isolated region of memory, an enclave, that the host operating system, the hypervisor and other processes on the same machine cannot read or modify, and the CPU keeps the enclave's memory encrypted so its contents are never exposed to the rest of the system. The Open Enclave SDK is a development kit for building such enclaves. An enclave combines hardware isolation with the application's own trusted code to form an isolated execution environment for the data processed inside it.

Microsoft's Open Enclave Kubernetes device plugin exposes the hardware-backed secure execution environments of enclave-capable nodes to Kubernetes, so that application developers can keep their processes and data protected even during execution. With the plugin in place, confidential applications for machine learning, blockchain and multiparty computation can be scheduled onto those nodes like any other Kubernetes workload.
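What that looks like from a developer's side is a pod that asks the scheduler for enclave capacity. The manifest below is an added example written for this article; it is not code from the Open Enclave project or from Microsoft. It assumes a cluster where the Open Enclave device plugin is running on SGX-capable nodes and advertises enclave page cache (EPC) memory as an extended resource named kubernetes.azure.com/sgx_epc_mem_in_MiB; that resource name, the image name and the command path are assumptions for the illustration.

```yaml
# Added example (not from the article or the Open Enclave project).
# Assumes: an SGX-capable node running the Open Enclave Kubernetes device plugin,
# which registers EPC memory with the kubelet as the extended resource
# kubernetes.azure.com/sgx_epc_mem_in_MiB (assumed name) and mounts the SGX
# device nodes into containers that request it.
apiVersion: v1
kind: Pod
metadata:
  name: oe-enclave-demo
  labels:
    app: oe-enclave-demo
spec:
  restartPolicy: Never
  containers:
  - name: enclave-app
    # Hypothetical image containing an Open Enclave host binary and a signed enclave.
    image: example.com/oe-helloworld:latest
    # The untrusted host process loads the signed enclave; only code inside the
    # enclave runs under hardware protection.
    command: ["/app/host", "/app/enclave.signed"]
    resources:
      limits:
        # Requesting EPC memory is the whole trick: kube-scheduler will only place
        # this pod on a node where the device plugin has registered SGX capacity,
        # and the plugin grants the container access to the SGX device.
        kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
        memory: "256Mi"
        cpu: "500m"
      requests:
        kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
        memory: "128Mi"
        cpu: "250m"
    securityContext:
      # Enclave code does not need root on the host side; keep the untrusted
      # host process as unprivileged as the image allows.
      allowPrivilegeEscalation: false
      runAsNonRoot: true
```

Before applying it, confirm a node actually advertises the resource (for example by listing nodes with `kubectl get nodes -o json` and checking `status.allocatable` for the EPC resource); if no node does, the pod will sit in Pending. Two caveats a practitioner should keep in mind: the hardware protects only the code and data inside the enclave, so the host-side container process, its inputs and its outputs remain in the untrusted world; and a party that will hand secrets to the enclave should verify a remote attestation report for it (which identifies the enclave's measured code and signer) before doing so, rather than trusting that the pod landed on the right node.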

"New confidential computing technologies are game-changing as they provide data protection, even when the code is running on the CPU, with secure hardware enclaves," said Lachlan Evenson, a principal program manager for Microsoft's Azure container compute, in a blog post.

AWS' Nitro Enclaves, not yet in preview, use the Nitro Hypervisor's CPU and memory isolation, the same mechanism that separates Elastic Compute Cloud instances from one another, to isolate an enclave from its parent EC2 instance. According to AWS, enclaves are isolated virtual machines that have no persistent storage and communicate only over secure local connectivity with the parent instance. In addition, there is no operator or admin access to an enclave.

Working with the Linux Foundation

Microsoft released these efforts to enable trusted execution environments under the auspices of the Linux Foundation. Trusted execution environments or "enclaves" are hardware-backed secure execution environments that can ensure processes and their memory are secure while they execute, said Brendan Burns, a Microsoft distinguished engineer working on the Azure cloud platform, in a blog post.

Evenson said Azure is the first major cloud platform to support confidential computing on Intel Software Guard Extensions, also known as Intel SGX.


Moreover, Microsoft's commitment to secure enclaves -- both in SQL Server and now Kubernetes -- is significant, said Andrew Brust, CEO of Blue Badge Insights, an IT consulting firm in New York. "Extending data-protected scenarios beyond data-at-rest and data-in-motion, to actual execution, will increase confidence in cloud computing overall and in analytics and machine learning scenarios in particular."

In addition, as questions of data protection regulations, data governance and AI ethics cross into the mainstream, the industry needs solutions like Open Enclave SDK, Brust said.

For example, with confidential computing and Kubernetes, pharmaceutical companies can pull together data, such as medical data; run analytics on that data; gain new insights; and potentially develop new drugs, all while retaining privacy -- which is a big concern to the healthcare industry, said Gabe Monroy, partner program manager for Azure compute at Microsoft.

"What's unique about what we're doing with confidential computing is we're actually pulling the security all the way down to the chip," Monroy said. "And that is just a totally different approach."

Confidential Computing Consortium

Earlier this year, Microsoft joined Intel, IBM, Google, Red Hat and others, with support from the Linux Foundation, to form the Confidential Computing Consortium, whose goal is to protect data in use so that data can be secured end-to-end from the cloud to the edge. AWS is not listed as a consortium member.

Red Hat's contribution is Enarx, which provides a platform abstraction for Trusted Execution Environments to create and run private, serverless applications.


Joining that effort and the move with Kubernetes indicate that Microsoft is comfortable collaborating with others in the open source community.

"We have the saying inside Microsoft that open source is a way to scale engineering efforts beyond the confines of what one organization can do," Monroy said.

Microsoft contributing this technology to open source and making it available under the Linux Foundation is significant, Brust said.

"Having a consistent, secure execution environment for Kubernetes that needn't be proprietary to any one cloud provider allows the whole industry to move forward and lets government, businesses and consumers have confidence that data is being protected appropriately," he said.

Richard Campbell, an IT consultant and host of the .NET Rocks podcast, said this makes him think back to Bill Gates's 2002 Trustworthy Computing memo. At the time, Gates was talking about .NET, but that memo was a catalyst for Windows XP SP2, the Microsoft Security Response Center and more.

"Today, you see Bill's concept of end-to-end trustworthy computing writ large, although with a significant difference from the Microsoft of old: The security solutions are open source and cross-platform," Campbell said. "Besides these latest efforts around Kubernetes and Open Enclave, I've been watching Azure Sphere. Microsoft's approach of secure end-to-end IoT is impressive, including secure hardware, Microsoft's own build of Linux, secure cloud interfaces and more."
