I wrote about how Microsoft used Intel's secure extensions to its processor instruction sets to provide a foundation for confidential computing in Azure a few years ago.
In the years since, the confidential computing market has taken a few steps forward.
Another important development is that Nvidia has added confidential computing features to its GPUs.
Using GPUs at scale allows us to treat the cloud as a supercomputer, and adding confidential computing capabilities to those GPUs allows clouds to partition and share that compute capability more efficiently.
Microsoft Azure's confidential computing capabilities are evolving right along with the hardware.
Azure's confidential computing platform began life as a way of providing protected, encrypted memory for data.
There's a bonus in that the use of confidential VMs and containers allows you to lift and shift on-premises applications to the cloud, while maintaining regulatory compliance.
Azure confidential VMs with Intel TDX
The new Azure confidential VMs run on the latest Xeon processors, using Intel's Trust Domain Extensions (TDX).
Microsoft is starting to roll out a preview of these new confidential VMs across one European and two US Azure regions, with a second European region arriving in early 2024.
Adding GPU support to confidential VMs is a big change, as it expands the available compute capabilities.
The confidential VMs allow you to use private information as a training set: for example, training a product evaluation model on prototype components before a public unveiling, or training a diagnostic tool on X-ray or other medical imagery.
Instead of embedding a GPU in a VM, and then encrypting the whole VM, Azure keeps the encrypted GPU separate from your confidential computing instance, using encrypted messaging to link the two.
You're able to use Azure to get a security attestation in advance of releasing confidential data to the secure GPU, further reducing the risk of compromise.
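The attestation-before-release pattern described above, as an added illustration that is not part of the original article and not Azure's own code: a relying party holds the dataset key and hands it over only after verifying fresh attestation evidence whose claims show a TDX trust domain with a known measurement, an attested GPU link and debug mode off. The claim names, the allowlisted measurement and the HMAC used in place of a real attestation-service signature are all constructed for this example.

```python
import hmac, hashlib, json, secrets
from typing import Optional

# Constructed allowlist of acceptable VM measurements (hypothetical value).
TRUSTED_MEASUREMENTS = {"a1" * 24}
# Constructed key of the simulated attestation service (HMAC stands in for a real signature).
ATTESTATION_KEY = b"constructed-attestation-service-key"
# Secret the data owner will release only to an attested VM whose GPU is also attested.
DATA_KEY = b"constructed-dataset-encryption-key"


def issue_evidence(claims: dict, key: bytes = ATTESTATION_KEY) -> dict:
    """Simulated attestation service: sign a set of claims about the VM and its GPU."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def release_key(evidence: dict, expected_nonce: str) -> Optional[bytes]:
    """Relying-party policy: return DATA_KEY only if the evidence is authentic and every claim passes."""
    body = json.dumps(evidence["claims"], sort_keys=True).encode()
    expected = hmac.new(ATTESTATION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, evidence.get("sig", "")):
        return None  # forged or tampered evidence
    c = evidence["claims"]
    checks = (
        c.get("nonce") == expected_nonce,                 # freshness: reject replayed evidence
        c.get("tee") == "tdx",                            # VM must be an Intel TDX trust domain
        c.get("vm_measurement") in TRUSTED_MEASUREMENTS,  # known-good VM image
        c.get("gpu_attested") is True,                    # GPU link verified before data flows to it
        c.get("debug_enabled") is False,                  # debug-mode TEEs expose memory
    )
    return DATA_KEY if all(checks) else None


def demo() -> tuple:
    """Three cases: valid evidence, honestly signed evidence with an unattested GPU, tampered claims."""
    nonce = secrets.token_hex(8)
    good = issue_evidence({"nonce": nonce, "tee": "tdx", "vm_measurement": "a1" * 24,
                           "gpu_attested": True, "debug_enabled": False})
    no_gpu = issue_evidence({**good["claims"], "gpu_attested": False})
    tampered = dict(good, claims={**good["claims"], "debug_enabled": True})  # old sig, edited claims
    return release_key(good, nonce), release_key(no_gpu, nonce), release_key(tampered, nonce)
```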
More confidential computing tools are moving into Microsoft's managed Kubernetes service, Azure Kubernetes Service, with support for confidential containers.
Unlike a full VM, these run inside host servers, and they're built on top of AMD's hardware-based confidential computing extensions.
AKS's confidential containers are an implementation of the open-source Kata Containers, using Kata's utility VMs (UVMs) to host secure pods.
You run confidential containers in these UVMs, allowing the same AKS host to support both secure and insecure containers, with the UVMs accessing the hardware support through the underlying Azure hypervisor.
Like the confidential VMs, these confidential containers can host existing workloads, bringing in existing Linux containers.
These latest updates to Azure's confidential computing capabilities remove the roadblocks to bringing existing regulated workloads to the cloud, providing a new on-ramp to delivering scalable and burst use of secure computing environments.
Confidential computing needs to be seen as essential when we're working with sensitive and regulated information.
This Cyber News was published on www.infoworld.com. Publication date: Thu, 14 Dec 2023 10:13:05 +0000