SAN DIEGO – Microsoft is driving confidential computing data protection into Kubernetes workloads to help organizations migrate more of their data to cloud environments.
Lachlan Evenson, principal program manager for Microsoft Azure, said during a keynote address at this week’s Kubecon + CloudNativeCon North America 2019 event that the cloud giant’s move provides “security down to the chip.” This involves tapping into Intel’s Software Guard Extension (SGX) platform to support confidential computing data protection for Kubernetes workloads. The move should reduce the barrier for enterprises looking to run mission-critical workloads in a Kubernetes environment.
He said that organizations that have hesitated to move mission-critical workloads to a container or Kubernetes environment can now “move them with confidence.” Evenson explained in an accompanying blog post that it also provides an additional layer of protection from potentially malicious insiders at a cloud provider, reduces the chances of data leaks, and may help address some regulatory compliance needs.
The Microsoft move builds on Intel’s SGX, which is a hardware-based technology that isolates specific application code and data to run in private regions of memory — or enclaves — thus protecting select code and data from disclosure or modification. It also uses Microsoft’s Open Enclave SDK, which is an open source framework that allows developers to build trusted execution environment (TEE) applications using a single enclaving abstraction.
The deployment model starts with using the Open Enclave SDK to write the confidential computing portion of the application. The user then creates a Kubernetes cluster on hardware that supports Intel SGX, such as the DC-series virtual machines (VMs) that Microsoft uses in some of its data centers. The workload can then be scheduled as a Kubernetes resource, where it runs the Open Enclave SDK code on hardware that supports a TEE.
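The last step, scheduling the workload onto SGX-capable nodes, is shown below as an added illustration that is not from the article or from Microsoft's own documentation. It assumes an AKS cluster on DC-series nodes with the confidential computing add-on installed, which advertises enclave page cache (EPC) memory to the scheduler as the extended resource `kubernetes.azure.com/sgx_epc_mem_in_MiB`; the image name is a placeholder.

```yaml
# Constructed example: a Job whose container requests SGX enclave memory.
# Because only nodes running the SGX device plugin advertise this resource,
# the scheduler will place the pod on DC-series hardware and reject
# scheduling on nodes without SGX, rather than silently running the
# enclave code outside a TEE.
apiVersion: batch/v1
kind: Job
metadata:
  name: enclave-workload
spec:
  template:
    spec:
      containers:
      - name: enclave-app
        image: REGISTRY_PLACEHOLDER/open-enclave-app:latest   # placeholder image built with the Open Enclave SDK
        resources:
          limits:
            # EPC memory (MiB) the enclave needs; assumption: the add-on
            # exposes this as an allocatable extended resource on SGX nodes.
            kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
      restartPolicy: Never
```

A pod that omits the resource limit can still land on a non-SGX node, so the limit is what ties the deployment model's "hardware that supports TEE" requirement to the scheduler.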
Evenson said the end result goes beyond the isolation offered by platforms like Google’s gVisor and Amazon Web Services’ (AWS) Firecracker, which address security at layers such as the operating system and hypervisor but not the hardware beneath them. “What is often overlooked is the hardware underneath,” he said.
The enhanced Kubernetes clusters can run on top of the base DC-series platform for no additional charge.
Gaining Confidence
Confidential computing has become an important topic as data moves between an enterprise’s IT environments — and encryption becomes a necessity, not just a nice thing to have. The concept is that in order to secure workloads as they move between on-premises data centers, public clouds, and the edge, data needs to be encrypted at rest, in transit, and in use. Of these three lifecycle stages, encrypting data in use is the most challenging.
Confidential computing addresses this and enables encrypted data to be processed in memory without exposing it to the rest of the system. This reduces exposure for sensitive data and provides greater control and transparency for users.
Intel and Microsoft recently contributed open source components of their respective platforms to the Linux Foundation as the basis for the newly formed Confidential Computing Consortium. Other founding members included Alibaba, Arm, Baidu, Google Cloud, IBM, Red Hat, Swisscom, and Tencent. Evenson pointed to that effort as a way to accelerate the adoption of confidential computing.