Microsoft and Google have announced updates to their respective virtual-machine (VM) instances for highly confidential information to be processed in Microsoft Azure and Google Compute Engine.
Microsoft has moved its Azure DCsv2-Series VMs to general availability. The VMs feature hardware-based trusted execution environments (TEE) that are based on Intel’s SGX or Software Guard eXtensions.
TEEs – also known as secure enclaves – are isolated from the host operating system and hypervisor, and are located in a part of the CPU with its own memory.
People with physical access to hypervisor cloud servers, such as a cloud admin or workers in a data center, can’t access data actively being processed in a TEE. It offers an additional protection to encryption of data at rest and in transit.
While SGX makes it very difficult to run malware in a secure enclave, researchers have found ways a person with physical access can tamper with data stored inside SGX.
The feature is likely to be of interest to private sector and government organisations that process financial data, healthcare and intelligence data.
“By combining the scalability of the cloud and ability to encrypt data while in use, new scenarios are possible now in Azure, like confidential multi-party computation where different organisations combine their datasets for compute-intensive analysis without being able to access each other’s data,”
Google meanwhile this week made its Unified Extensible Firmware Interface (UEFI) and Shielded VM the default for all Google Compute Engine users for free. The feature helps ensure that VMs boot with a verified bootloader and kernel.
The Shielded VM offers protection from malicious guest system firmware, UEFI extensions, and drivers; a persistent boot and kernel compromise in the guest OS; and VM-based secret exfiltration and replay.
Shielded VM is available for customers using CentOS, Google’s Container-Optimized OS, CoreOS, Debian, RHEL, Ubuntu, SUSE Linux Enterprise Server, Windows Server, and SQL Server on Windows Server images.