- Hi, everyone. Thank you so much for joining us today. My name is Vikas Bhatia, and I am the Head of Product for Azure Confidential Computing. Today, we will be talking
about new developments for protecting your data in use with Azure Confidential Computing. So today, we will be providing you with an overview of confidential computing if you're not already aware. We will show you a couple of patterns for how you can make
your app confidential. And then we will talk
about how the Azure Cloud is moving to be the
Azure confidential cloud with some of the solutions that
we are providing from Azure that can make your workloads confidential when running on the Azure cloud. One other thing I want to point out, right at the bottom of this screen and in a few more other slides, you will see the link at the bottom, which you can use to get in touch with us. It's a simple form where you can come in and tell us what areas
you're interested in, and this will allow us
and our product teams to come in touch with you if you're interested in
joining us on this journey. So let's get right into it. First, we're going to cover what is Azure Confidential Computing? What Azure Confidential
Computing lets you do, it lets you move forward on
your digital transformation. It helps you migrate with confidence, your privacy and secure
security sensitive workloads to the cloud. It also helps you unlock new opportunities by leveraging many of the services that are provided in the Azure cloud, such as Azure Machine
Learning or using Azure SQL, and it also helps you
innovate with confidence. There are so many times when you want to do so
many things with data, but you cannot because
of privacy and security limitations that you have
in handling with the data. Some of them have to do with
just this quality of data that you have, the other have to do with, there are regulations
that you have to deal with in operating your data. So what Azure Confidential
Computing lets you do, it helps you protect your data in use for giving you that added security for your privacy and
security sensitive workloads and to enable scenarios such as secure multi-party data sharing. So when we talk about three legs of a data protection lifecycle, what we mean is we have
existing encryption that we use today, for protecting data at rest and protecting data in transit. For example, to protect data at rest, most of the disks that we use have disk encryption only
enabled, such as BitLocker. Or for data in transit, today when we send data over the wire, we always use HTTPS or TLS
as some sort of encryption that makes sure our data is
protected the whole time. But as an industry, when we are actually
operating on the data, when the data is actually being
used, when it is in memory, that data today is
completely in the clear. So what ACC lets you do, it helps you protect that data in use. And what it helps you, it protects against malicious
privileged administrators or even your own insiders or hackers who are exploiting
bugs in, say, the hypervisor or the operating system, whether that's the guest or
the host operating system. And it also helps you protect your data against third parties, who you want to share the data with to enable a common business desire, but it helps you protect that data so that the data cannot be accessed without customer consent. So why do you need to
protect that data in use? Because you as an app developer
have done everything you can to protect your application. You've gone through the threat models, you know what your trust boundary is, you know all the
applications and libraries that you're including in your application. But when your application is
running in a cloud environment, it is running with other apps on the same guest operating system. That guest operating
system sits on a hypervisor or a host. And when your application
is running in the cloud, it is exposed to these attack vectors such as vulnerabilities in the Guest OS, or the Host OS kernel, or the hypervisor. In addition, there are
human elements here, right? Your own trusted VM admin,
your own tenant admin, you know, maybe having a bad day or their credentials might be phished. In those scenarios, what happens is, somebody might be able to say
install a malware or something on a guest operating system, which now has access to your data that you did not really
anticipate in your trust model. So as you see now, this is the same picture
from the previous slide. And now what we help you is
we've been working very closely with Intel as a close partner where your code and data
can now run securely inside an enclave or a
trusted execution environment. So in this model, your code and data is
only ever in the clear when it is inside that protected enclave that is backed by a key that you own. So what this means is data
is only ever in the clear within that protected memory,
within that protected enclave and it is encrypted the second it's pushed outside the CPU. So how does this work? We've been working very closely with Intel on the SGX hardware. SGX stands for Software Guard Extensions. This is a new hardware architecture, new instruction sets
that lets you set aside these private regions or
enclaves of code and data where the data is only ever in the clear when it is inside the enclave. As you can imagine, this is
a really powerful concept because now your application, as it was exposed to all of
these other vectors before it is now protected from
those different vectors, such as bugs in the
hypervisor and human element that we've mentioned before. And as Azure, we are now generally available in a variety of regions around the world. These are some of the deployments
that are available today and there are a few coming down the line, and we expect to be in 13
regions by the end of 2020. So what you can let us do
is let us know which region you're interested in
and we will try to get a cluster very close to where you are. So what use cases is confidential computing useful for? Here is an example of use cases that we've been working with
a few of our customers on. Let's say you're in the banking industry and you want to detect fraud, right? There's some sort of fraud
happening in your transactions and you don't quite
know what is happening. You only have access to your own data set. So when you have access
to only our own data set, the amount of detection rates, the false positives
that happen in that case are pretty high. Ideally, what should happen is that these banks can
pull the data together and operate on the common data so that you can learn
machine learning models or plain old analytics for the combined data set
running inside the enclave. But the challenge, as you can imagine is these banks can't just
share data with each other because of regulatory and
privacy and security concerns. What confidential
computing allows you to do, it allows you to run agreed upon analytics on the combined data set, but you can still get those insights without giving access to that
private and sensitive data, and thus meet the
confidentiality requirements that we have on these sort of data. And then as an outcome, you
have increased detection rates, you're reducing the false positive. And what this lets you do
is help you collaborate and explore new business models that were previously not possible. In addition to this particular use case, I also want to talk about other use cases that
we've seen in the wild. So for example, we've seen
customers leveraging privacy-preserving analytics, such as for multi-party data
sharing and computation, payment processing and
cryptocurrency is another common use case, blockchain is a common use case. Another use case that we've seen really resonated with
customers is machine learning for machine learning
inferencing and training. Similarly, for key management
or secure databases. The last line is important,
because the data itself is something that needs to be secure. We secure it when it is stored at rest, but today, by leveraging
confidential computing, you can secure the data
even when it is in use. The other thing I want to call out, is we've seen a bunch of interest
from regulated industries for the reasons that you
might think are pretty obvious because these regulated
industries have strict guidelines on how they operate on data. So we've seen a ton of interest
from financial services, government and healthcare. So what I want to talk to you next about is a couple of customer successes that we've seen in this space, to give you an idea of the
kind of use cases and workloads that we are seeing with
confidential computing. Another use case I want to highlight is a partnership with MobileCoin. So MobileCoin enables
digital currency transfers between users. And if you've used any of them, you know, they are typically
not very user friendly and these transfers can take
a lot of time to accomplish. What MobileCoin does, it leverages the Azure
Confidential Computing platform to provide a new digital
currency and a platform that provides that fast,
secure transactions, which also gives you that
great user experience, and the confidentiality that
can be accomplished with ACC is something that they really value. As you can see here,
even the administrator cannot see the data unencrypted. This is the promise where
confidential computing will help us move the industry
from computing in the clear to computing confidentially. So we'd love to talk to you
about a customer use case that we've been working
with Magnit and Aggregion. Magnit is one of the leading
grocery retail chains operating more than 22,000
stores in over five formats. And they want to enable a loyalty card where they want to actively
collaborate with their partners and payment providers, so that you can have secure
rich data collaboration such that the privacy is maintained when you're doing these joint analytics, when they're working with their partners. This has been enabled through Aggregion, who is an ISV partner of ours. So what I want to show you next is how you can use the various components that you have as a customer and the capabilities we provide in Azure to provide that seamless integration. So the business outcome
that we're looking for here is leveraging secured analytics. Can we do BI and analytics on
joint data or combined data, so we can get richer insights for these combined loyalty cards while still maintaining
that confidentiality? So from an architectural perspective, the data is stored and processed at the partner's cloud data lakes and the processing nodes themselves are not quite at the mind beforehand. The partners, they've released
a joint analytical product and grant access to
the specific data areas based on specific terms. So what happens here is they create these
dedicated secure enclaves that are used for that
sensitive joint calculations, such as ID matching or joint processing, and these enclaves are
assigned for execution strictly based on scripts, so that nobody can get access to the data inside that enclave. All data input and output are encrypted. All operation logs themselves
are stored in secure, irreversible distributed registers and AKS or Azure Kubernetes Service is used for executing and
orchestrating the containers, scaling up and down based on
the needs of the data size. So over here, I brought a few concepts that I have at use here, such as Azure Kubernetes Service. Later on down the slide, I will talk about how you can use AKS for doing your confidential workloads. As a developer you might be thinking, how do I make my app confidential? So when we talk about confidential apps, at a very high level, there are two application
programming models. The first is you have a new app that you want to bring
to the market, right? Or something for your customers. Here's a new app, you were very sensitive
to the amount of code that you're running inside,
your trusted computing base or your TCB. Our TCB is generally defined
as the amount of code that you trust and you know, is running for your application. In this particular scenario, when you're building a
new or you're refactoring an existing app, you have the most control where you can leverage one of
these SDKs that we have listed such as the Open Enclave SDK or the Intel SGX SDK, the Enarx SDK, the CCF and Edgeless RT runtime. These are all projects that are available in the confidential computing consortium, where you can now leverage these projects to get a tight TCB, where you have the most
control over what gets run on your application and your data when you're operating in an environment. The second use case, the one on the right, is where you want to take
your existing application and make it confidential. You don't want to change it, you already got it working, but you just want to make sure that it's a super important
business requirement for you to make sure that this
application that is running is confidential. So what you can do is get
your existing application or your container, and run it confidentially
with zero or minimal changes. Over here, you can leverage one of the open source
frameworks available, such as Graphene or Occlum or work with some of the ISV partners that we've been working with, such as Anjuna, Fortanix, and Scone. This path, the lift and shift
path, is the fastest path for you to make your
applications confidential. We've been working with a few customers and they have been able
to get their applications confidential within a matter of days. This is a path that you
may want to choose as well for your application. The important thing between
these two application models is try to figure out where your trust boundary is. What are you most interested in? Today, we are going to
be talking a lot more about the second class of applications, where you can lift and shift
your existing applications to the cloud. So with that said, today, we are very happy to
announce a public preview of confidential computing nodes
on Azure Kubernetes Service. This is a platform for bringing
your confidential workloads and leverage AKS to run them on Azure. These are Intel SGX based
DCsv2 confidential nodes for isolating your execution
for the next container apps. Here, as a developer,
the advantages you get are that the SGX drivers are pre-installed with encrypted page cache
based pod scheduling features. It supports existing tooling. So your existing tooling
that you already have, your existing best practices that you have from a DevOps point of view, are aligned with the cloud native development programming model. And it's important to point out that this capability is
supported on all GA regions of Azure confidential computing
VMs are running on Azure. In addition, starting in October, 2020, we are super happy to announce
the confidential containers via AKS. So Azure will provide the platform support for these confidential Linux containers through confidential nodes. So what this lets you do is confidential containers will enable existing unmodified
containers and all of its code inside the enclaves. These containers provide data integrity, code integrity protection, and data confidentiality in a hardware-based trusted
execution environment, thus improving the security
posture of your application. So let's take a look at what this means. What we have here now is a platform where you can leverage our ISV partners, our open source software and
bring your existing workloads and lift and shift them
and make them confidential. We are calling this capability
confidential containers, where now you're making
your existing investments in containers confidential, without having to modify
your existing app code. Confidential containers
will enable existing unmodified containers
and all of the code to be able to run inside these enclaves. These containers provide data integrity, code integrity protection,
and data confidentiality in a hardware backed trusted
execution environment, thus improving the security
posture of your applications. This is a community oriented approach, and we're trying to help you further harden your
enterprise security promise for containers and Kubernetes. In order to do that, we have a really rich
ecosystem of our partners that we've been working very closely with to bring these capabilities
to the Azure cloud. We've been working very
closely with Anjuna, Fortanix and Scone who are now
providing these capabilities for you to bring your
applications to the Azure cloud. In addition to these ISV partners, we've also been working with
open source software projects, such as Graphene and Occlum, to bring your workloads to the Azure cloud and make them confidential. In addition to the ISV and
the open source software, we also have capabilities available in the Azure marketplace on
azuremarketplace.microsoft.com that you can now go and
deploy these capabilities for your workloads in Azure cloud. In addition to these,
I want to shift gears and talk a little bit more about how we see the Azure cloud moving to the Azure confidential cloud. What we've done is we've
taken our services, the services that you use
and made them confidential. So I'm going to walk you through a full end-to-end integrated demo showing how trust can be
created between organizations to protect that private
and sensitive information. So in this demo, we are showcasing
the DCsv2 Intel SGX VMs, the confidential machine
learning inferencing using the ONNX runtime, Microsoft Azure Attestation service, and the Azure Kubernetes
Service integration with AKS that will now show you how to pull all these
different pieces together and create an end-to-end
integrated demo here.
- [Illustrator] Hi, welcome to the demo. In this demo, you will see how Azure Confidential
Services were leveraged to solve data and code
confidentiality problems to build the trust between
the multiple parties that are involved in hosting the solution. The business problem lies
between three parties with hospital as the primary customer, sharing the patient sensitive information. All three parties were able
to move forward leveraging confidential computing nodes on AKS and related confidential
services with Azure for an end-to-end protection. The client is running
on Azure Blob storage, hosted on Lamna's Azure subscription, who is the primary
customer and the hospital. Applied Flask-based web API application is leveraging Scone for a lift and shift. And Redis cache as a storage for a full in-memory encryption. Fabrikam here is using ONNX-based model that Microsoft ONNX team
is making it available for running it confidentially as well. All three parties here are
able to trust each other through an attestation service that provides transparent
attestation of the hardware and the software, and the runtime that is included to
run these applications. Let's dive into the details now. So on this part, you would see how AKS, two clusters were used to
host Fabrikam and Contoso, Where you could add a
DC SKU to the node pool that'll basically enable
confidential containers platform. And endogenous node pool was created to run the sensitive
parts of the applications or microservices on the same cluster, leveraging the current state of DevOps. Here you see a Python app Contoso is using that is taking as is and connoting that as a confidential containers. Running the Python engine
inside of the enclave is only the first step since an adversary could just modify or replace
Python code of the web API. Scone containers are
encrypted and IP protected with key release policies
attached to the hardware that are transparently handled by Scone. For the Redis component, this
is a straightforward process. In this part of the demo, you'll see the web portal that
is hosted by Lamna Hospital as a static website. When you hit the submit button, the Python web API is called that is going to the Redis cache, which is all running in an enclave for securely fetching the patient details. If a patient is not found a form is prompted for the
hospital employees to punch in the sensitive information
to store back on Redis. So once the information is filled out, the hospitals can also upload
MRI scans for the brain to determine the probability of tumor as additional data point for
the hospitals to follow up on the next steps. The [inaudible] hosting the ML model that shows the tumors and it
is using ONNX Runtime in this case, that is being communicated
directly with Python web API. For the confidential inferencing, a PyTorch model was taken and converted into an ONNX to be run as a confidential inferencing service. A Microsoft Azure Attestation
is leveraged in combination with Scone attestation as a key service provider
to identify the apps and the hardware they are initiated on. Azure attestation
collects enclave evidence, validates it against security baseline and evaluates it against
an attestation policy. Upon successful verification, the service generates a JWT token and that token is used
by the relying party to look at the trust of
the overall application. Azure Attestation APIs
are protected by Azure AD and hence require an AAD
token for you to talk. The relying party could be
extended to Azure Key Vault or any other Azure services
that understand the JWT token for further downstream processing. This is the end of the demo. To summarize you saw how
confidential computing was leveraged to create trust
between multiple parties, hospital in this case, how the data and its IP was
protected for the containers, and how Azure component services like Azure Attestation services and confidential
inferencing were leveraged to verify the security posture and have an end-to-end protection. But last but not the least,
how lift and shift was enabled for unmodified Docker
apps through our partner. Thanks for watching.
- So great. You saw that demo and
this is very important, because it shows you how you
can bring your own application and run it integrated
with all of these services that you saw. And I'm going to introduce those services in the next set of slides
to show you what you saw and what services you can now leverage to make your own application confidential. So how does this work? What we now let you do
is we help you build an end-to-end solution. You combine the power of Azure services and new capabilities of
confidential computing, such that your sensitive
data is protected end-to-end within your own solution. So this is really important
for you as a developer, right? Because as a developer, the amount of concepts
that you have to deal with, you want to reduce the number of concepts. This is why we made these capabilities seamlessly integrated in Azure. So you can use your own
client apps or, you know, your own CI/CD pipeline, use capabilities that
you're really familiar with, such as Docker or AAD with our
back capabilities obviously, Azure Monitor, and also use your standard computing nodes that you used today and mix and match with the confidential computing nodes and integrate with Azure
Kubernetes Service, where it makes sense. The other important thing here is because of all these services
that we provide from Azure, you can decide which
service makes sense for you as you're making your
applications confidential. So with that in mind, I want
to show you a bunch of services that we are now releasing inside Azure, the capabilities that can now make our applications confidential. So I already talked a bunch about Azure Confidential Computing with AKS. In the next few slides I'm
going to touch on Azure SQL, confidential inferencing, Microsoft Azure Attestation Service, AKV Managed HSM capabilities, and a new service that we
are super happy to announce, which is the confidential ledger service that is coming soon as well. So first we want to talk about Azure SQL. Data by itself is super sensitive, and Azure SQL is where
you would store the data. So what we've done is we've
been working very closely with the Azure SQL team and come up with Azure SQL always encrypted
with secure enclaves, which will now help you protect
that sensitive data in use while preserving that rich capabilities that you're already used to. This should feel pretty seamless, because the capability is here, you can now do secure computation inside that SQL enclave,
where the SQL engine is itself delegating those
operations on encrypted data to the SQL enclave, where the data itself can be
processed and decrypted safely when it is being actually used. That there are rich query capabilities, you can use sorting, indexing and so on. And the other important
thing is we give you that in-place encryption, where the SQL enclave can perform that initial data encryption and your data is never in the clear when you're moving in and
out of the database. As you can imagine for
applications that are sensitive and, you know, pretty much
all applications are today, this capability will now let you make sure that your SQL database that you're using is completely secure end-to-end. The other capability we are
super excited to announce, is the Beta for confidential inferencing. Data as itself, a lot of use cases are now using machine learning
to operate on the data. Now, machine learning inferencing operates on the real data that
you want to get the output on. What confidential
inferencing lets you do is it's an open source
enclave based ONNX runtime, which helps you establish
that secure channel between the client and
the inference services, and example, where you can now get that
confidentiality guarantee from the client data,
from the cloud provider and the ML model provider. This is an example of what is possible, or you can get started
today by clicking that link at the bottom of that slide, to go and read the documentation on how you can get started here. The other service here
that is super important is as a developer and you're
running confidential computing, you want to make sure that
the code that you're running, the data that you're
running is actually the code and the data that you
think you're running. So that code and the
data has to be attested so that you make sure that
nobody has swapped it out beneath you when you're
not looking, right? So what Microsoft Azure
Attestation service lets you do, it's a free customer facing service and it's a framework for attesting your Trusted Execution
Environment or your enclave, where you know that the
binaries that you're running, were properly instantiated
on the trusted platform that you think you're running on. So it's a unified framework
here that you can now use as a multi-tenant service. It offers default providers. It protects that data in use and it's a highly available service which will offer the SLA
guarantees that you're used to when you're running a
cloud-enabled service. There are many use cases here. The way we look at it is MAA service in the Microsoft Azure
Attestation services are all fundamental building block in order for you to get your applications to be confidential. If you remember a few slides back, we talked about one of the use cases being secrets and key management. With Azure Key Vault Managed HSM, you get a really powerful
key management capability, which is fully managed. You don't need to provision
or configure your HSMs. It's highly available and resilient. The other important
thing is a single tenant. So each managed HSM or a
hardware security module is dedicated to a single customer to you so that you can create a pool
of multiple HSM partitions, where each pool can have a
separate customer workload that you want to run and make sure that your keys are protected by a hardware security module, so that the keys are
protected by hardware. The other important thing here that we will do want to call out as the move to the
Azure confidential cloud is that the AKV Managed HSM service itself is built and run on the
ACC Intel SGX DCsv2 VMs. And last but not least, we want to talk about the Microsoft Azure Confidential Ledger. In many of these scenarios that we talk about for confidentiality, one important piece that you
will realize as you go deeper into this area, is you want to make sure that the code and the data that you're running, the logs of it actually reflect who touched the data and the code that you want to run confidentially. So what Azure Confidential
Ledger lets you do, it gives you a tamper-proof audit log for storing that sensitive data blobs and records that as fully confidential, immutable, and verifiable. What this lets you do is
it gives you an audit trail to verify and validate the authenticity of all the data that you're generating. Now, as you can imagine, the
use cases of this are multiple. You can, you know, you want to make sure that the highly sensitive admin operations that are
happening on your data sets are logged, and you know that the data
is completely tamper-proof. You can monitor these
multi-party data collaboratives that we talked about earlier. Something like this will let you now audit who accessed the data? What access did they get? What operations that they provide? The important thing here is
Azure Confidential ledger gives you that guarantee that the logs that you're trying to access
are completely tamper-proof. So with that, I have a
call to action for you. As you get started on your
confidential computing journey, I encourage you to check out
our homepage on Azure.com at aka.ms/AzureCC. This is where you will see all the capabilities we referenced here today, our links to blogs,
documentation, and product pages. We also encourage you
to get in touch with us as I mentioned, when we
started the presentation. This will allow you to get in
touch with our product team and come to us with specific scenarios, or if you want to participate in one of the early preview
programs that we are running. And in addition, I encourage
you to check out the samples that we have published
on aka.ms/sgxsamples. On that website, you
will also find the sample that we talked to today in
the demo presentation today. So with that, thank you
again for taking the time to listen to this presentation, and I look forward to seeing you on your journey of confidential computing. Thank you.