
Azure confidential computing offers a state-of-the-art hardware, software & services platform to protect sensitive customer data in use while minimizing the Trusted Computing Base (TCB). Customers taking advantage of Azure confidential computing can further strengthen their security posture through Azure Attestation, a feature that allows them to verify that various workloads comply with their security policies. If their environment becomes non-compliant with those policies, the customer can prevent exposure of data.


Azure Attestation offers a simple PaaS experience to enable customers to solve the complicated problem of gaining trust in, and verifying the identity of, an environment before they interact with it. The ability to gain this trust allows customers to develop applications and create business models that require uncompromising trust where they were previously unable to create them — in the cloud.


What is Azure Attestation?


Azure Attestation is a unified solution that supports attestation of platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as Intel® Software Guard Extensions (SGX) enclaves.




Azure Attestation receives evidence from an environment, validates it with Azure security standards and user-defined policies, and produces cryptographic proofs (called attestation tokens) for claims-based applications. These tokens enable relying parties to gain confidence in the trustworthiness of the environment, the integrity of the software binaries running inside it and make trust-based decisions to release sensitive data to it. The tokens generated by Azure Attestation can be consumed by services in scenarios such as enclave validation, secure key sharing, and confidential multi-party computation.


Why use Azure Attestation?


Azure Attestation provides the following benefits:



  • Offers a unified solution for attesting multiple TEEs or platforms backed by TPMs

  • Allows the creation of custom attestation providers and configuration of policies to customize the generation of attestation tokens

  • Provides the ability to securely communicate with the attested platform with the help of data embedded in an attestation token using industry-standard formatting

  • A highly available service with Business Continuity and Disaster Recovery (BCDR) configured across regional pairs


How does Azure Attestation work?




The following actors are involved in an Azure Attestation workflow:


Client: The component which collects evidence from an environment and sends attestation requests to Azure Attestation.


Azure Attestation: The component which accepts evidence from the client, validates it with Azure security standards, evaluates it against the configured policy and returns the attestation token to the client.


Relying party: The component which relies on Azure Attestation for remotely attesting the state of an environment supported by the TPM/enclave.


Consider a multi-party data sharing use case where an organization (the relying party) wants to share data with its partners and gain insights by running inference models on the aggregated information. To protect data confidentiality while realizing the mutual benefits, data in use can be encrypted and processed in TEEs like SGX enclaves. However, before giving access to the encrypted content, organizations would like to validate the trustworthiness of the enclave and only then securely transfer secrets to it. Azure Attestation enables this remote verification process.


Below is the workflow to perform SGX attestation using custom attestation providers:



  1. User creates a provider using PowerShell, the Azure portal or the CLI. Note that regional shared attestation providers can be used to perform attestation when there is no requirement for custom policies

  2. Attest URI is returned to the user

  3. Attest URI is shared with the TEE client as a reference to Azure Attestation

  4. The client collects enclave evidence and sends attestation request to Azure Attestation

  5. The service validates the submitted information and evaluates it against a configured policy. If the verification succeeds, it issues an attestation token and returns it to the client

  6. Client sends the attestation token back to the relying party
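The relying party's side of step 6 (and the token check that the "cryptographic proofs" described earlier make possible), as an added example that is not code from the post, from Azure Attestation or from the Azure SDKs: a stand-in issuer mints an RS256-signed attestation token carrying SGX identity claims, and the relying party verifies the signature, pins the issuer to its Attest URI, checks expiry and compares the enclave identity against what it agreed to trust before it would release any secret. The Attest URI, the `x-ms-sgx-*` claim names and every claim value here are assumptions or constructed placeholders, and the signing key is generated locally only so the example runs offline; in production the provider's public key is fetched from the provider's signing-key endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical Attest URI (workflow step 2, pinned as "iss") and placeholder identity of the enclave to trust.
const attestURI = "https://example-provider.eus.attest.azure.net"
const wantMRSigner, wantProductID, wantMinSVN = "placeholder-mrsigner-hex", 1.0, 2.0

// Subset of token claims this example checks; the x-ms-* claim names are assumed for illustration.
type sgxClaims struct {
	Iss        string  `json:"iss"`
	Exp        int64   `json:"exp"`
	Debuggable bool    `json:"x-ms-sgx-is-debuggable"`
	MRSigner   string  `json:"x-ms-sgx-mrsigner"`
	ProductID  float64 `json:"x-ms-sgx-product-id"`
	SVN        float64 `json:"x-ms-sgx-svn"`
}

// mintToken stands in for Azure Attestation (step 5): RS256 JWT over the claims. Only the service holds this key.
func mintToken(key *rsa.PrivateKey, c sgxClaims) string {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { panic(err) } // constructed demo: signing with a fresh key cannot fail
	return input + "." + enc.EncodeToString(sig)
}

// verifyToken is the relying party's check on the token from step 6: pinned algorithm, signature against the
// provider's public key (fetched from the provider's signing-key endpoint in production), issuer, expiry, identity.
func verifyToken(tok string, pub *rsa.PublicKey, now time.Time) (*sgxClaims, error) {
	enc := base64.RawURLEncoding
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return nil, errors.New("token is not a compact JWS") }
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unpinned algorithm") // the token never chooses the algorithm
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c sgxClaims
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("payload is not valid JSON")
	}
	switch {
	case c.Iss != attestURI:
		return nil, fmt.Errorf("issuer %q is not the trusted provider", c.Iss)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token has expired")
	case c.Debuggable:
		return nil, errors.New("debug-mode enclave: refusing to release secrets")
	case c.MRSigner != wantMRSigner || c.ProductID != wantProductID:
		return nil, errors.New("enclave identity does not match the expected signer/product")
	case c.SVN < wantMinSVN:
		return nil, errors.New("enclave SVN below the minimum accepted version")
	}
	return &c, nil
}

// Demo runs the constructed scenario: the trusted enclave's token is accepted, a debug-mode token is rejected
// by the identity checks, and a token whose payload was swapped under the original signature fails the signature check.
func Demo() (accepted, debugRejected, tamperRejected bool) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	now := time.Now()
	good := sgxClaims{Iss: attestURI, Exp: now.Add(8 * time.Hour).Unix(), MRSigner: wantMRSigner, ProductID: 1, SVN: 3}
	bad := good
	bad.Debuggable = true
	goodTok, badTok := mintToken(key, good), mintToken(key, bad)
	_, err = verifyToken(goodTok, &key.PublicKey, now)
	accepted = err == nil
	_, err = verifyToken(badTok, &key.PublicKey, now)
	debugRejected = err != nil
	g, b := strings.Split(goodTok, "."), strings.Split(badTok, ".")
	_, err = verifyToken(g[0]+"."+b[1]+"."+g[2], &key.PublicKey, now) // spliced payload, stale signature
	tamperRejected = err != nil
	return
}

func main() {
	a, d, t := Demo()
	fmt.Printf("trusted accepted=%v, debug-mode rejected=%v, tampered rejected=%v\n", a, d, t)
}
```

The order of checks matters: signature first, then issuer and expiry, and only then the identity claims, because claims in an unverified token are attacker-controlled input. The debug-mode rejection mirrors what a custom policy on the provider can enforce; keeping it in the relying party as well means a permissive or misconfigured policy does not silently release secrets to a debuggable enclave.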


Getting started with Azure Attestation



  1. To create an attestation provider via the Azure portal, click the Create button on the Azure Attestation page in the Azure portal Marketplace menu.

  2. Provide a name, location, subscription and resource group and proceed with the creation of your attestation provider.

  3. If needed, upload a policy signer certificates file to configure the attestation provider with signed policies. Learn more.

  4. Once created, details of the provider can be seen on the Overview page.

  5. To view the default policy of your attestation provider, select Policy in the left-hand Resource Menu.

  6. To configure a custom policy to meet your requirements, click Configure, provide the policy in text or JSON Web Token format and click Save.

  7. Click the Refresh button to view the updated policy.
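For the custom-policy step, a policy of the kind a relying party in the SGX scenario above would want, added here as an illustration and not taken from the post: the authorization rules refuse to issue a token unless the enclave is not debuggable, carries the expected product id and at least the minimum security version, and was signed by the expected key; the issuance rules then copy the enclave measurements into the token under names of the customer's choosing. The rule syntax follows the Azure Attestation policy grammar; the MRSIGNER value is a placeholder, and the product id, minimum SVN and issued claim names are constructed for the example.

```text
version= 1.0;
authorizationrules
{
    [ type=="x-ms-sgx-is-debuggable", value==false ] &&
    [ type=="x-ms-sgx-product-id", value==1 ] &&
    [ type=="x-ms-sgx-svn", value>= 2 ] &&
    [ type=="x-ms-sgx-mrsigner", value=="<MRSIGNER_HEX_PLACEHOLDER>" ] => permit();
};
issuancerules
{
    c:[type=="x-ms-sgx-mrsigner"] => issue(type="enclave-signer", value=c.value);
    c:[type=="x-ms-sgx-mrenclave"] => issue(type="enclave-measurement", value=c.value);
};
```

The weak shape to avoid is an authorization rule that only tests for the presence of a claim, such as `c:[type=="x-ms-sgx-is-debuggable"] => permit();`: it matches whether the value is true or false, so tokens are issued for debug-mode enclaves too. Comparing the value, as above, makes the provider itself enforce the requirement, and the relying party should still check the issued claims before releasing secrets.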


Creation and management of attestation providers can also be performed using Command Line Interface (CLI) or Azure PowerShell.


Customer success stories


We are excited to enable multiple scenarios that benefit from Azure Attestation. Some of them include:


SQL Always Encrypted with secure enclaves


“Microsoft Azure Attestation is a key component of a solution for confidential computing provided by Always Encrypted with secure enclaves in Azure SQL Database. Azure Attestation allows database users and applications to attest secure enclaves inside Azure SQL Database are trustworthy and therefore can be confidently used to process queries on sensitive data stored in customer databases.”


– Joachim Hammer, Principal Group PM Manager, Azure SQL


ISV partners


Microsoft also works with platform partners who specialize in creating scalable software running on top of Azure confidential computing environments. Partners like Fortanix, Anjuna and Scone are already poised to use the services offered by Azure Attestation.


Future roadmap for Azure Attestation


Our long-term aspiration is to partner with people and organizations around the planet to help them achieve more, and more securely with Microsoft Azure Attestation. Azure Attestation will be the one Microsoft service that attests multiple platforms used by Azure customers such as Confidential Containers, Confidential VMs, IoT edge devices and more. We expect Azure Attestation to be the leading cloud service used by customers to establish unconditional trust in infrastructure and runtime across Azure, on-premises and at the edge. Azure Attestation will continue to strengthen customer data governance.




Learn more about Azure Attestation