Everyone's moving to the cloud – here's how to keep your data secure while it's there
For corporate IT managers, there are many motivations to move dynamic workloads to the cloud. It provides an irresistible trifecta of flexibility, scalability, and cost savings for those managing varying workloads.
The past year of widespread shutdowns caused by COVID-19 has increased this demand. That's one reason the global cloud computing market size is expected to grow from $371.4 billion in 2020 to $832.1 billion by 2025, at a Compound Annual Growth Rate (CAGR) of 17.5%, according to Research and Markets.
While cloud deployments benefit CISOs and security administrators in many ways, they often leave one critical attack surface unaddressed: data in use. Data exists at rest when it's stored, in transit when moving through the network, and in use as it's being processed. Data is often encrypted in the first two states, but not while it is processed.
"Security is an evolving journey and an evolving conversation, but confidential computing is going to be a big part of that future." – Vikas Bhatia, Head of Product for Azure Confidential Computing at Microsoft
That's where the confidential computing approach offered by Always Encrypted with secure enclaves in Azure SQL comes in, plugging that final "in use" security gap. It does this by isolating computations inside a hardware-based trusted execution environment (TEE), which provides a protected container by reserving a portion of the processor and memory. Software running inside the protected environment keeps that code and data hidden from everything outside the TEE, which can neither read nor modify it.
Always Encrypted is a client-side technology that ensures that sensitive data stored in specific database columns (for example, credit card numbers or national identification numbers) is never revealed in plaintext to SQL Server on Azure Virtual Machines or to Azure SQL Database, a managed cloud database. This defense includes protection against database administrators and other privileged users, including cloud providers, who are authorized to access the database to perform management tasks but have no business need to access the information in the encrypted columns.
"You have a hardware-backed guarantee that your data will not be exposed to any of the attack vectors such as your own database administrator, bugs in the guest or host operating system, or even the hypervisor that your workload is running on," said Vikas Bhatia, Head of Product for Azure Confidential Computing at Microsoft. "Your data is safe and completely within your control."
The power of secure enclaves
Always Encrypted enables the Database Engine to process some queries on encrypted data while preserving the confidentiality of the data at column granularity. Data from encrypted columns is decrypted only for client applications that hold the encryption key. While current database systems provide sophisticated access control mechanisms and encryption for data at rest, they do not protect the data against attackers with administrative privileges on the database or on the server that hosts it.
Always Encrypted with secure enclaves adds a protected region of memory within the Database Engine process that can hold plaintext data. The secure enclave appears as an opaque box to the rest of the Database Engine and to other processes on the hosting machine. There is no way to view any data or code inside the enclave from the outside, even with a debugger. These properties make the secure enclave a trusted execution environment that can safely access cryptographic keys and sensitive data in plaintext without compromising data confidentiality.
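The following T-SQL is an added illustration of the column-granular, client-side model described above; it is not code from the article or from Microsoft's documentation. The Key Vault URL, the enclave signature, the wrapped key value and the attestation URL are placeholders: the signature and the wrapped column encryption key are produced by client-side tooling that holds the column master key (for example the SqlServer PowerShell module or SQL Server Management Studio), never by the server, which is exactly why a database administrator cannot recover them.

```sql
-- Added example: column-level Always Encrypted with secure enclaves on Azure SQL Database.
-- Every <...> or 0x<...> value is a placeholder that must come from client-side tooling.

-- 1. Column master key (CMK): lives in Azure Key Vault; the database stores only its location.
--    ENCLAVE_COMPUTATIONS marks the CMK as enclave-enabled; the signature is computed on the
--    client over the key path and is checked by the enclave before it will use the key.
CREATE COLUMN MASTER KEY CMK_Customers
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    KEY_PATH = 'https://<your-vault>.vault.azure.net/keys/<cmk-name>/<version>',  -- placeholder
    ENCLAVE_COMPUTATIONS (SIGNATURE = 0x<signature-from-client-tooling>)           -- placeholder
);

-- 2. Column encryption key (CEK): stored in the database only as ciphertext wrapped by the CMK,
--    so anyone reading sys.column_encryption_key_values sees nothing usable.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Customers,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x<cek-wrapped-by-cmk-from-client-tooling>                    -- placeholder
);

-- 3. Encrypt only the PII columns. RANDOMIZED encryption does not leak equality between rows;
--    without an enclave such columns support no server-side comparisons at all, with one the
--    enclave can evaluate range and LIKE predicates over the decrypted values in protected memory.
CREATE TABLE dbo.Customers (
    CustomerId   int IDENTITY(1,1) PRIMARY KEY,
    FullName     nvarchar(100) NOT NULL,                 -- not sensitive: stays plaintext
    SSN          char(11) COLLATE Latin1_General_BIN2
                 ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                                 ENCRYPTION_TYPE = RANDOMIZED,
                                 ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Salary       money
                 ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                                 ENCRYPTION_TYPE = RANDOMIZED,
                                 ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
);

-- 4. A range query the enclave evaluates. It succeeds only over a connection that has
--    Always Encrypted and enclave attestation turned on (Microsoft.Data.SqlClient keywords):
--      Column Encryption Setting=Enabled; Attestation Protocol=AAS;
--      Enclave Attestation Url=https://<attestation-provider>.<region>.attest.azure.net/attest/SgxEnclave   -- placeholder
--    The bounds must reach the server as driver parameters (or via SSMS's
--    "Parameterization for Always Encrypted"): the driver encrypts them with the CEK, and
--    the enclave decrypts both the parameters and the Salary column only inside itself.
DECLARE @min money = 50000, @max money = 60000;
SELECT CustomerId, FullName
FROM dbo.Customers
WHERE Salary BETWEEN @min AND @max;

-- 5. What a privileged user without the CMK sees from an ordinary connection
--    (no Column Encryption Setting=Enabled): SSN and Salary return as varbinary ciphertext.
SELECT CustomerId, FullName, SSN, Salary
FROM dbo.Customers;
```

The defender-relevant checks this layout supports: the CMK never leaves Key Vault, so key access is governed by Key Vault access policies and its audit log rather than by database roles; and step 5 is the test to run as a DBA-level login to confirm that the encrypted columns really are opaque from inside the database.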
Always Encrypted is used by a wide variety of customers that require confidentiality and regulatory compliance, from financial institutions (such as Royal Bank of Canada and Financial Fabric) to insurance companies and health care organizations. These customers use Always Encrypted mostly for online transactional processing applications and encrypt only personally identifiable information (PII) columns such as social security numbers, names, email addresses, and credit card numbers.
That's an essential advantage. "With these businesses, their entire infrastructure is built on trust," Bhatia noted. "So security must not just be part of their technical foundation but part of their essence. Always Encrypted allows them to do that."
Azure confidential computing can also be scaled horizontally, meaning that capacity is increased by connecting multiple hardware or software entities so that they work as a single logical unit. Vertical scaling, by contrast, adds more power (CPU, RAM) to an existing machine.
"Security is an evolving journey and an evolving conversation," Bhatia said. "But confidential computing is going to be a big part of that future."