Microsoft has launched a new kind of Azure virtual machine that uses new Intel hardware features to offer a secure computing platform for data security-sensitive operations.
The Need for Security
There are countless ways to secure data in Azure. At the edge, we have network security groups, the web application firewall, third-party network virtualization appliances (firewalls) from the likes of Watchguard or Checkpoint, and the brand new Azure Firewall. But that’s just edge security. In the virtual machine, you have Microsoft or third-party anti-malware, but that’s only for known software-based attack patterns. SQL Server and Azure SQL have their own firewalls, transparent data encryption, column encryption, and data masking. Azure storage also offers encryption at rest. KeyVault can secure secrets with FIPS levels of defense but that’s only good for specific secrets such as keys or passphrases. Azure Security Center can detect an attack in progress, but wouldn’t it be better to prevent data loss?
The recent British Airways compromise showed us that hackers can be quite creative. This was reinforced by the recent announcement of a vulnerability that was found by Facebook. The value of the data that online services can hold is incredible and justifies the efforts that are made by professional criminal organizations. With data encryption at rest becoming more common, and Azure is increasingly enabling it by default, criminals are willing and able to compromise code to capture data while it is being processed.
The next evolution of security is to protect data while it is being processed. To be frank, some of what Microsoft has explained makes me “what you talkin’ bout, Willis?”. The concepts are mind-boggling but exist now in a tangible form in the new DC-Series Azure virtual machine.
Azure Confidential Computing is the result of work done by a team made up of the Azure team, Microsoft Research, Intel, Windows, and the Microsoft Developer Tools group.
The foundation of confidential computing is the use of silicon to protect secrets. Intel SGX can protect code from modification or inspection. Using an SDK, developers can place their code into enclaves or partitions, known as trusted execution environments or TEEs, to isolate the code from the rest of the operating system environment. Even if the machine was to become compromised, the code and the data it is processing would be isolated from the attacked by hardware.
For you Hyper-V nerds out there, Intel’s video does refer to a virtual machine manager in the architecture. Considering Azure’s use of Hyper-V, and the use of Hyper-V for similar technologies in Windows Server and Windows 10, I wouldn’t be surprised if the partitioning of Hyper-V was being used here to mark the software boundary of the TEE.
Confidential computing is available in preview today in the form of 2 sizes of DC-Series virtual machines, which fall under the general compute category.
You’ll notice that they are only available as “S” variants, continuing a trend that I like. Previously, we’ve had (for example) the D-Series and the DS-Series. Both were the same price (OS and data disks are always extra) but the DS-Series offered both Premium SSD and Standard HDD/SSD support. Therefore many of my customers only ever deployed the DS-Series, and that sort of thing caused challenges for hardware provisioning. I think Microsoft has realized this, and are now only offering the “S” variants – you’ll see similarities with the previously launched BS-Series and FS_v2-Series machines.
Exact details on the DC-Series are light on the ground. Pricing for the DC-Series is not shared publicly at this time.
The series is also not widely available. Today, a private preview is running in the East US region and a public preview is running in the West US region.
Generation 2 Virtual Machines
We have another tidbit for the Hyper-V folks out there. Until now, all virtual machines in Azure have been Generation 1 virtual machines. From on-premises deployments, you might know that:
- Generation 2 virtual machines boot much faster
- The OS disk on a Generation 1 machine is on an IDE controller, whereas Generation 2 only uses SCSI controllers.
- Generation 1 machines are BIOS-based and Generation 2 machines are UEFI-based.
The DC-Series is the first Generation 2 virtual machine to appear publicly in Azure. I deployed a DC-Series machine in Azure to compare it with an older machine.
The older machine:
- Had many more virtual devices, as we expect from Generation 1 machines
- The OS disk and the temp drive on a virtual IDE controller, and each disk was referred to as a Virtual HD ATA Device.
Azure veterans know not to store data (such as a domain controller’s Sysvol, database, and logs) on the C: drive because the virtual IDE controller does not correctly implement write-through to bypass write caching.
The newer machine:
- Had fewer virtual devices
- It also had a SCSI controller for the OS disk and temp drive which are each referred to as Microsoft Virtual Disk.
Microsoft barely mentioned in the confidential compute announcement that Generation 2 was being used. So I cannot confirm anything about UEFI being used and I have not timed boot up or deployment times to see if they are any better – one would hope that these things come too.
The DC-Series offers a new IaaS platform for trusted processing of data in addition to at reset encryption, secret storage, and monitoring. If you need to protect your data from compromise, then this might be the series to use.