Building and Executing Trusted Execution Environment (TEE) based applications on Azure

I would like to share with you the new guide “Building and Executing Trusted Execution Environment (TEE) based applications on Azure - A starter guide for developers”.

Confidential Computing Consortium, Image Credit: CCC


This guide follows the recent announcement of the creation by Microsoft, and other industry partners, of the Confidential Computing Consortium, a new organization hosted at the Linux Foundation that will be dedicated to defining and accelerating the adoption of confidential computing.

This guide, co-developed with Nicolas Six as part of his internship in our team, is intended for developers who want to get started quickly with Confidential Computing on the Azure cloud to unlock new scenarios.

As you may know, there are three types of possible data exposure to protect against. One is data at rest (on disk) and another is data in transit (over the network). While there’s always room to improve and innovate, Microsoft (as well as the industry) has built services and technologies and uses standards to address these scenarios. The third possible exposure is data in use. Our customers are constantly doing calculations on data. However, data becomes potentially vulnerable while calculations are performed on it.

To protect data in use, confidential computing adds new data security features through the use of secure isolated regions, supported by specific processor extensions from Intel (SGX) and ARM (TrustZone), to create so-called Trusted Execution Environments (TEEs) or “enclaves”. An enclave provides containers for the code and the data that i) are isolated from the OS, ii) support secure communication via an attestation mechanism, and iii) allow secrets to be persisted securely.

Data is not visible in unencrypted form during computation except to the code authorized to access it: only the processor sees the data and the code in the clear, while the code and data enter the processor completely encrypted. Similarly, data comes out of the processor encrypted. This means that the data is not accessible even to public cloud service providers or edge device vendors.

Confidential computing enables new solutions on Linux & Windows where data is private all the way from the intelligent edge to the intelligent cloud. (See, for example, the blog post “Microsoft’s confidential computing improves security for banks”.)

In this context, this guide:

  • Illustrates how to get started with Azure Confidential Computing and the creation in the Azure cloud of DC-series virtual machines with the latest generation of Intel Xeon processors with Intel SGX technology.
  • Covers the implementation of Microsoft Open Enclave SDK, an open source framework that allows developers to build TEE-based applications using a single enclaving abstraction. Developers can build applications once that run across multiple TEE architectures. As Mark Russinovich, the Azure CTO, points out:
“The Open Enclave SDK is already a popular tool for developers working on Trusted Execution Environments, one of the most promising areas for protecting data in use.”
  • Notably describes the associated tools in the context of cross-platform development.

The guide can be downloaded at https://aka.ms/CCDevGuides.

(2019-09-12 update: version 1.1 is available with the addition of an Azure IoT Edge scenario. As of today, the Intelligent Edge indeed brings the power of the cloud to mobile and (Industrial) Internet of Things ((I)IoT) devices and demands security for trust.)

(2020-04-17 update: version 1.2 is now available as part of a new series of guides on Confidential Computing, see here)

Thanks, Philippe

TEEs have a checkered history and you need to ensure the Trusted Platform Module and Secure Environment are also as solid as the TEE. As Sergey mentioned in his comment, you should also ideally have an Encrypted Execution Environment (E3)


Wish it went into validation that code that runs in an enclave is actually your code
