CONFIDENTIAL COMPUTING IN AZURE (ACC)
Get confidential with confidential computing
Carlo Sacchi - linkedin.com/in/carlo-sacchi
Sytac Azure Night | December 2022
Who I am
• IT Engineer
• 20 years working in IT, starting in 2000 as a SysAdmin 🥷
• Approached VMs in early 2010, then cloud in 2015 🥷
• Working as DevOps, always looking for new trends in IT tech 🔭
• Active Certifications: AZ-104, AZ-400, CKA 📝
My first speech in a MeetUp
DEATH ZONE
Agenda
• Introduction: what is Confidential computing and key concepts;
• On Azure;
• Consortium;
• Costs;
• Customers & Market.
Cloud customers are increasingly looking for ways to trust as little as possible:
• Full control over the data lifecycle
• Privacy regulations and compliance
• Customer trust
• Untrusted collaborations
Customer’s trust in the cloud today
Azure Confidential Computing
Data at rest (existing encryption): encrypt inactive data when stored in blob storage, database, etc.
Data in transit (existing encryption): encrypt data that is flowing between untrusted public or private networks
Data in use (confidential computing): protect/encrypt data that is in use, while in RAM, and during computation
Protect against:
• Malicious hackers exploiting bugs in the hypervisor/OS
• Privileged admins or insiders
• Third parties accessing data without customer consent
In Azure, confidential computing means… a hardware root-of-trust
CONFIDENTIAL COMPUTING
Share data with multiple parties securely
Data in use: protect/encrypt data that is in use, while in RAM, and during computation
Defense in depth from others: malicious admins, hackers, access without consent
Protect customer data from myself & the platform: guest/host OS kernel, VM / host admin, hypervisor, physical hardware access
What is Confidential Computing?
The protection of data in use by performing computation in a hardware-based Trusted Execution Environment (TEE), also called an enclave.
Verifiable assurance for:
- Data integrity
- Data confidentiality
- Code integrity
Azure provides
- Confidential key management (M-HSM), with SKR
- Confidential attestation service
- Choice of memory isolated and encrypted TEEs
Trusted Execution Environments (TEE)
INTEL SGX AS AN APPLICATION ENCLAVE (Software Guard eXtensions)
Minimize attack surface to the CPU
Isolates the code and data of a given confidential workload from any other code running in a system, with encrypted memory
Diagram: stack of App / App, Operating System, Hypervisor, Host OS, Hardware, with the TEE beside it
Why Confidential VMs?
Benefits
• A VM that’s confidential
• Protection from Azure as the CSP
• Doesn’t require access or changes to code
• Independent hardware Root of Trust
• Full platform attestation on boot
• Customer verifiable attestation
• Virtual TPM device
• Full Disk Encryption
• Near general-purpose VM performance
Diagram: Hypervisor, Host OS, Hardware; the Virtual Machine runs the customer’s app in encrypted memory (confidentiality & integrity); steps: 1 Attest, 2 Execute
Enclaves and Confidential Virtual Machines TEEs
Diagram (confidential VM): Host OS, Hyprv, VMM, … above the Hardware; the Virtual Machine runs the customer’s app in encrypted memory (confidentiality & integrity); steps: 1 Attest, 2 Execute
Diagram (application enclave): the customer’s app is partitioned into an untrusted part and a trusted part (the ENCLAVE), joined by a CALL BRIDGE; steps 1-7: partition app, create enclave, attest, call trusted biz logic, execute, return
TEE Foundations
Hardware root-of-trust
Remote attestation
Trusted launch
Memory isolation and encryption
Secure key management
Trust Boundary
Attestation
Attestation is how one software environment proves that a specific program is running on particular hardware, proving the trustworthiness of the TEE.
1. Initiated by the TEE when it loads
2. Establish a secure channel and retrieve the secrets
Passport / Background Check ‘model’
RATS - Key players and Data flow
• Attester
• Relying Party/Key Broker Service (KBS)
• Verifier (Attestation Service)
• Key management service
Data flow: the Attester sends Evidence to the Verifier, which compares the evidence against policy (reference values) and returns an Attestation result; the Relying Party compares the attestation result against its own policy.
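The attestation roles listed above (attester, verifier, relying party / KBS) and the passport and background-check models named on the previous slide, as an added simulation that is not part of the talk, of Azure, or of any attestation service. Everything in it is constructed: HMAC-SHA256 stands in for the hardware-rooted signature a real TEE puts on its evidence and for the attestation service's signature on its result, and the keys, measurement, reference values, release policy and nonces are placeholders. What it shows is the decision logic a key broker has to enforce for secure key release: hand out the workload key only on a verifier-signed result that meets its policy and carries its own fresh nonce, so a debug-mode TEE, evidence edited after signing, or a replayed result all get nothing.

```python
"""Simulated RATS attestation flow (RFC 9334 roles) gating a key release.

Added example for this page, not code from the talk, from Azure or from any
attestation service. Keys, measurements, policies and nonces are constructed:
HMAC-SHA256 stands in for the hardware-rooted signature a real TEE puts on
its evidence and for the signature an attestation service puts on its result.
"""
import hashlib
import hmac
import json
import secrets

# Constructed keys. On a real platform the attester's key is provisioned by
# the CPU manufacturer and the verifier's key belongs to the attestation service.
ATTESTER_HW_KEY = b"constructed-cpu-attestation-key"
VERIFIER_KEY = b"constructed-attestation-service-key"

# Reference values the verifier appraises evidence against (constructed).
REFERENCE_VALUES = {"measurement": "sha256:constructed-golden-image", "debug": False}
# Policy the relying party (KBS) applies to the attestation result (constructed).
RELEASE_POLICY = {"status": "trusted"}
WORKLOAD_KEY = "constructed-data-encryption-key"


def _sign(key: bytes, payload: dict) -> str:
    """MAC over a canonical JSON encoding; a stand-in for a signature."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, payload), sig)


# Attester: the TEE produces evidence when it loads (step 1 on the slide).
def attester_produce_evidence(measurement: str, nonce: str, debug: bool = False) -> dict:
    claims = {"measurement": measurement, "debug": debug, "nonce": nonce}
    return {"claims": claims, "sig": _sign(ATTESTER_HW_KEY, claims)}


# Verifier (attestation service): compare evidence against the reference
# values and issue a signed attestation result.
def verifier_appraise(evidence: dict, expected_nonce: str) -> dict:
    claims = evidence["claims"]
    trusted = (
        _verify(ATTESTER_HW_KEY, claims, evidence["sig"])  # really from the hardware
        and claims["nonce"] == expected_nonce  # fresh, not replayed
        and claims["measurement"] == REFERENCE_VALUES["measurement"]
        and claims["debug"] == REFERENCE_VALUES["debug"]
    )
    result = {"status": "trusted" if trusted else "untrusted", "nonce": expected_nonce}
    return {"result": result, "sig": _sign(VERIFIER_KEY, result)}


# Relying party / Key Broker Service: compare the attestation result against
# its policy and release the secret only on success (secure key release).
def kbs_issue_nonce() -> str:
    return secrets.token_hex(16)


def kbs_release_key(attestation_result: dict, nonce: str):
    res = attestation_result["result"]
    if not _verify(VERIFIER_KEY, res, attestation_result["sig"]):
        return None  # not issued by the verifier we trust
    if res["nonce"] != nonce or res["status"] != RELEASE_POLICY["status"]:
        return None  # stale result, or policy not met
    return WORKLOAD_KEY


def passport_flow(measurement: str, debug: bool = False):
    """Passport model: the attester obtains the result from the verifier
    itself and presents that passport to the KBS (step 2 on the slide)."""
    nonce = kbs_issue_nonce()
    evidence = attester_produce_evidence(measurement, nonce, debug)
    passport = verifier_appraise(evidence, nonce)  # attester <-> verifier
    return kbs_release_key(passport, nonce)  # attester -> KBS


def background_check_flow(measurement: str, debug: bool = False):
    """Background-check model: the attester hands evidence to the KBS, which
    forwards it to the verifier and acts on the returned result."""
    nonce = kbs_issue_nonce()
    evidence = attester_produce_evidence(measurement, nonce, debug)
    result = verifier_appraise(evidence, nonce)  # KBS <-> verifier
    return kbs_release_key(result, nonce)


def tampered_evidence_is_rejected() -> bool:
    """Evidence edited after signing (a debug TEE claiming debug=False) fails."""
    nonce = kbs_issue_nonce()
    evidence = attester_produce_evidence(REFERENCE_VALUES["measurement"], nonce, debug=True)
    evidence["claims"]["debug"] = False  # tamper after the hardware signed it
    return kbs_release_key(verifier_appraise(evidence, nonce), nonce) is None


def replayed_result_is_rejected() -> bool:
    """A genuine result for an old nonce cannot be reused for a new request."""
    old = kbs_issue_nonce()
    good = verifier_appraise(attester_produce_evidence(REFERENCE_VALUES["measurement"], old), old)
    return kbs_release_key(good, kbs_issue_nonce()) is None
```

The two flow functions run the same three role calls; the difference the slide draws between the models is only who relays what (the attester carries the passport, or the KBS forwards the evidence), so the verifier and KBS policy checks are shared and the nonce is always minted by the party that will release the key.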
Confidential Computing Consortium
Blockchain Attestation (dev): external, decentralized and provider agnostic
Confidential computing at Azure
Services: SQL IaaS on confidential VMs (GA); SQL Always Encrypted with secure enclaves (GA); AVD on confidential VMs (Public Preview); Managed HSM (GA); Microsoft Azure Attestation (GA); Azure Confidential Ledger (GA)
Containers: App enclaves Intel SGX nodes on AKS (GA); Confidential VM AKS worker nodes (GA); Confidential serverless ACI (Limited Preview)
Virtual Machines: Dca/Eca SEV-SNP VMs (GA); DCsv2/DCsv3/DCdsv3 Intel SGX VMs (GA); NCC NVIDIA VMs (Limited Preview)
Azure confidential computing offerings cover not just VMs and containers, but also Azure PaaS/SaaS services. Choose a ‘most-secure’ route with control over every line of code, or an ‘easy button’ route to lift-and-shift existing apps to be confidential.
Customers leveraging Azure CC
Price Comparison (*azureprice.net)

                                  | Standard_D2_v3                          | Standard_DC2s_v2
Details                           | Standard – recommended tier; D – general purpose compute; 2 – VM size; v3 – version | Standard – recommended tier; D – general purpose compute; C – confidential; 2 – VM size; s – Premium Storage capable; v2 – version
vCPUs                             | 2                                       | 2
CPU architecture                  | x64                                     | x64
Memory                            | 8 GiB                                   | 8 GiB
Hyper-V generations               | V1                                      | V2
Price, US East US (Virginia)      | 0.0960                                  | 0.1920
Price, US West US 2 (Washington)  | 0.0960                                  | 0.1920

                                  | Standard_EC2ads_v5                      | Standard_E2ads_v5
Details                           | Standard – recommended tier; E – optimised for in-memory hyper-threaded applications; C – confidential; 2 – the number of vCPUs; a – AMD-based processor; d – diskful (local temp disk is present); s – Premium Storage capable; v5 – version | Standard – recommended tier; E – optimised for in-memory hyper-threaded applications; 2 – the number of vCPUs; a – AMD-based processor; d – diskful (local temp disk is present); s – Premium Storage capable; v5 – version
vCPUs                             | 2                                       | 2
CPU architecture                  | x64                                     | x64
Memory                            | 16 GiB                                  | 16 GiB
Hyper-V generations               | V1,V2                                   | V1,V2
Azure Compute Units (ACUs)        | 230                                     |
Price, Europe North Europe (Ireland)     | 0.1610                           | n/a
Price, Europe West Europe (Netherlands)  | 0.1740                           | n/a
Price, US East US (Virginia)      | 0.1440                                  | 0.1310
Price, US East US 2 (Virginia)    | n/a                                     | 0.1310
Price, US West US (California)    | 0.1630                                  | n/a
Confidential Cloud Recap
Confidential Computing Market
Useful links
www.carlosacchi.it/cc
A confidential feedback 🥷
Q & A


Editor’s Notes

  1. How many of you have heard of it? Try in 30 minutes to describe something complicated, but with focus on the key concept: why it is important, what the advantages are and why customers will ask for it, how it works, the Azure implementation, services active or upcoming.
  2. Everybody knows the power of a cloud platform. A globally distributed platform, pay as you go: it’s a value. What is the basic problem? It is the ‘trust base’, the chain of trust. Normally it must be as little as possible. Customers, being sophisticated, are asking the platform to deliver full control of the data lifecycle. This is the question behind privacy and sovereignty rules and regulation compliance to follow. Giving data to an American corp is not trusted. Cloud sharing, but not trust.
  3. For how the cloud platform is done, this is the macro view, with the main block of the customer environment in the center. If I keep my block safe, I’m safe. No. There are actors around; they live to keep the operation up and running; theoretically (but practically) they can have access. Is there a way to keep this data safe against everybody? Is there something that assures me that everything inside is really safe?
  4. Rest and transit can be enough. If an app must read data, somewhere the data will be in clear. If in a VM there is an app that runs in the kernel, it can access zones of memory. The data are not safe: Meltdown, Spectre, these hardware vulnerabilities allow programs to steal data while it was being processed on the computer. CC is made to resolve this third leg of the data protection lifecycle: how can I protect my code / my data while it is running in a safe environment? What mechanism must I implement?
  5. In Azure, CC means an independent hardware root of trust, rooted down to the manufacturer; customer remote attestation, verifiable; data is fully in the customer’s control: creation, use, transport, deletion. Memory encryption.
  6. What are the benefits? When I protect data in memory: 1. I have memory with data encrypted, so I protect from malicious actors (they can’t have access). 2. Reduce the chain of trust till I only have to trust myself. No one, under any circumstances and at any moment, can have access. 3. Put together hospital data, AI / ML shared. Everybody agrees on an algorithm.
  7. Confidential computing is the protection of data in use using hardware-based trusted execution environments (TEE). During processing or runtime it is an environment that provides assurance of data integrity, data confidentiality and code integrity. To secure enterprise data, confidential computing runs it within secure enclaves that isolate data and code to prevent unauthorized access, even when the infrastructure itself is compromised. A TEE needs hardware, not software. Computing hardware requires encryption keys to be decrypted and exposed in memory before use, leaving them vulnerable to hackers or insiders.
  8. Let’s see a couple of scenarios. Standard stack on cloud: app with data, on OS, on hypervisor, on host OS, on hardware. Let’s assume that the app needs to be safe. The app enters the TEE; in the TEE the data are brought inside. What happens in the TEE is safe against the external. So if I can protect only the app from the stack, I’m safe. In this model the application is written specifically for this purpose. Nice, why not do a VM directly?
  9. Yes, so I don’t have to write a purpose-built app. But we have to trust the OS. But as in the previous example, starting from the VM everything inside is safe. Is the OS safe? If we don’t trust it, let’s go to the first example.
  10. So, the recap: in the second scenario my app is not changed (the entire OS is in the TEE). In the first scenario the trust is only for the branch of app data and stops there. In the second, the entire OS, but if we want we can customize my OS, then pull it into the CC.
  11. Root of trust: the trust I give to the CPU manufacturer, rooted down to Intel SGX / AMD / NVIDIA. Nobody can have access to the confidentiality. It’s possible to do remote attestation (a cryptographic process): the customer can know if the hardware is OK, verify if the environment is exactly the way you expect it to be. This is done before; if everything is OK we can spin up CC. In combination with attestation, we have a trusted launch of the enclave, starting from the boot. Memory encryption: so the CPU can work on encrypted memory. Keys are important. Azure Managed HSM runs in CC and gives secure key capabilities, ensuring that keys are in clear only inside the enclave, encrypted outside.
  12. Deploy the TEE only if your environment is in the desired good state. The TEE attests itself to the guest attestation library; the library checks if it is on confidential hardware, then sends the response to the attestation service (Azure), which responds. If everything is OK, the TEE is launched.
  13. Co-founded Sept 2019.
  14. - SQL: confidential SQL Azure VM. Has a full SQL Server installation. Lift and shift. - Preview: AVD Windows 11. - Ledger: tamper-proof data storage backed by a blockchain structure and more. - Container: confidential serverless ACI containers. No code change. Lift-and-shift container. Ideal for confidential AI and short-lived workloads. - VM too.
  15. Fireblocks is a platform that protects digital assets in transit, focusing on protecting the transmission of customers’ digital assets between exchanges, and crypto too (buzzword).
  16. According to MS and researchers.