Microsoft recently announced the general availability of Azure Attestation, a unified solution for remotely verifying the trustworthiness of a platform and the integrity of the binaries running inside it.
Azure Attestation is part of Microsoft's Azure confidential computing efforts, which offer hardware, software and services to protect sensitive customer data while it is in use, while minimizing the Trusted Computing Base (TCB). Microsoft started its confidential computing efforts a few years ago and in 2019 joined the Confidential Computing Consortium, which is committed to collaborating with the industry to deliver a more secure computing infrastructure. Other members of this consortium include Google, Intel, and Red Hat.
Azure Attestation is a Platform as a Service (PaaS) offering that supports attestation of platforms backed by Trusted Platform Modules (TPMs), alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as Intel Software Guard Extensions (SGX) enclaves and Virtualization-based Security (VBS) enclaves.
Sindhuri Dittakavi, program manager, Cloud & AI Security at Microsoft, explains in a Microsoft Security and Compliance blog post how Attestation works:
An attestation provider is a service endpoint of Azure Attestation that provides a REST contract. You can choose to use the regional shared providers or create your own custom provider. An attestation provider comes with a default policy for each supported attestation type. Azure Attestation also lets you enforce custom rules in your custom provider via a configurable policy. If configured, an attestation policy is used to process the attestation evidence and determines whether the service shall issue an attestation token.
The benefits for customers using Azure Attestation include:
- An available solution for attesting multiple TEEs or platforms backed by TPMs
- The ability to leverage regional shared attestation providers to simplify the attestation process without the need for additional configuration
- The creation of custom attestation providers and configuration of policies to customize attestation token generation
- The ability to securely communicate with the attested platform with the help of data embedded in an attestation token using industry-standard formatting
- Highly available service with Business Continuity and Disaster Recovery (BCDR) configured across regional pairs
Regarding the release of Azure Attestation, Holger Mueller, principal analyst and vice president at Constellation Research Inc., told InfoQ:
The cloud is ramping up security, and zero trust and confidential computing are the new true North for safe operations of cloud resources. Microsoft's new Azure Attestation Service is a crucial advancement for Azure, enabling enterprises to trust new server and services landscapes sooner and easier than before. It's a critical step to make cloud security more tangible and achievable.
In addition, Karl Ots, Microsoft regional director and Azure MVP, with years of security experience, told InfoQ:
Trusted execution environments provide mathematical certainty for the confidentiality of highly sensitive data input, sharing, and analysis. I'm looking forward to how the release of Azure Attestation and Open Enclave will support the digitalization of regulated industries such as healthcare.
Azure Attestation service is available at no additional cost in some regions.