Carlo Sacchi gave a presentation on confidential computing in Azure (ACC). He discussed key concepts like trusted execution environments (TEEs) that protect data in use through hardware-based isolation. Azure provides confidential computing options like confidential virtual machines and confidential key management. The Confidential Computing Consortium is working to standardize the technology across platforms. Early customers are leveraging ACC for sensitive workloads requiring high levels of data security and privacy.
Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.
With a minimum security baseline in place, you can host data—which means data protection is required. In this session, we discuss defining an encryption strategy and selecting native AWS tools (AWS KMS, AWS CloudHSM) or third-party tools; defining key rotation and key protection mechanisms; and defining data at rest and data in transit protection requirements.
Speaker: Nathan Case - Sr. Solutions Architect, AWS
This is the presentation for the lecture of Dimitar Mitov "Data Analytics with Dremio" (in Bulgarian), part of OpenFest 2022: https://www.openfest.org/2022/bg/full-schedule-bg/
In shared infrastructures such as clouds, sensitive or regulated data—including run-time and archived data—must be properly segregated from unauthorized users. Database and system administrators may have access to multiple clients’ data, and the location of stored data in a cloud may change rapidly. Compliance requirements such as Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA) and others may need to be met. This webinar will discuss how to help protect cloud-based customer information and intellectual property from both external and internal threats.
View the On-demand webinar: https://www2.gotomeeting.com/register/187735186
As cloud computing continues to gather speed, organizations with years’ worth of data stored on legacy on-premise technologies are facing issues with scale, speed, and complexity. Your customers and business partners are likely eager to get data from you, especially if you can make the process easy and secure.
Challenges with performance are not uncommon and ongoing interventions are required just to “keep the lights on”.
Discover how Snowflake empowers you to meet your analytics needs by unlocking the potential of your data.
Agenda of the webinar:
~Understand Snowflake and its Architecture
~Quickly load data into Snowflake
~Leverage the latest in Snowflake’s unlimited performance and scale to make the data ready for analytics
~Deliver secure and governed access to all data – no more silos
Deep Dive: a technical insider's view of NetBackup 8.1 and NetBackup Appliances (Veritas Technologies LLC)
Together, NetBackup 8.0 and 8.1 are perhaps the two most significant consecutive releases in NetBackup history. Attend this session to learn how the newly released NetBackup 8.1 builds on version 8.0 to deliver the promise of modern data protection and advanced information management like never before. This session will feature a detailed technical overview of the new security architecture in NetBackup 8.1 that keeps data secure across any network, new dedupe to the cloud capabilities that deliver industry-leading performance, instant recovery for Oracle, added support for virtual and next-gen workloads, faster and easier deployments, and many other new features and capabilities.
Cloud Storage Comparison: AWS vs Azure vs Google vs IBM (RightScale)
As public cloud storage services mature, it becomes easier to make apples-to-apples comparisons. We drill down on the latest specs and features for object, block, archival, and file storage across AWS, Azure, Google, and IBM. We also compare prices for a variety of storage scenarios.
Community Builder session on Amazon EKS and how to enforce security controls on top of it. This deep dive covers the core differences from the EC2 security model as well as the native integration with other AWS security services.
Micro segmentation and zero trust for security and compliance - Guardicore an... (YouAttestSlideshare)
Micro Segmentation for Zero trust security and compliance
1) What is Zero Trust?
2) How does zero trust relate to compliance?
3) Guardicore and Micro Segmentation
4) YouAttest and Compliance
5) Short Demo and Q&A session
Presentation of OpenStack survey to Internet Research Lab at National Taiwan University, Taiwan. OpenStack framework and architecture overview. (ppt slide for download.) Materials collected from various resources, not originally produced by the author.
Briefly explained Nova, Swift, Glance, Keystone, and Quantum.
In this session we take an in-depth look into the Apache Atlas open metadata and governance function.
Open metadata and governance is a moon-shot type of project to create a set of open APIs, types, and interchange protocols to allow all metadata repositories to share and exchange metadata. From this common base, it adds governance, discovery, and access frameworks to automate the collection, management, and use of metadata across an enterprise. The result is an enterprise catalog of data resources that are transparently assessed, governed, and used in order to deliver maximum value to the enterprise.
Apache Atlas is the reference implementation of the Open Metadata and Governance standards and framework (https://cwiki.apache.org/confluence/display/ATLAS/Open+Metadata+and+Governance). This function will enable an Apache Atlas server to synchronize and query metadata from any open metadata-compliant metadata repository.
In this session we will cover how Open Metadata and Governance works. This includes: (1) the key components in Atlas, (2) the different integration patterns and APIs that vendors can use to integrate their technology into the open metadata ecosystem, and (3) how common metadata use cases such as searching for data sets, managing security (through Atlas/Ranger integration), and automated metadata discovery work in the active ecosystem.
Speaker
Mandy Chessell, Distinguished Engineer, IBM
From the outset, Oracle has delivered the industry's most advanced technology to safeguard data where it lives—in the database. Oracle provides a comprehensive portfolio of security solutions to ensure data privacy, protect against insider threats, and enable regulatory compliance for both Oracle and non-Oracle Databases. With Oracle's powerful database activity monitoring and blocking, privileged user and multi-factor access control, data classification, transparent data encryption, consolidated auditing and reporting, secure configuration management, and data masking, customers can deploy reliable data security solutions that do not require any changes to existing applications, saving time and money.
SSL certificates in the Oracle Database without surprises (Nelson Calero)
Presentation delivered on UKOUG conference in December 2019.
Abstract: Nowadays database installations are required to use secure connections to communicate with clients, from connections to the database listener to interactions with external services (for example, sending emails from the database).
For some years now it has also been required to use stronger protocols such as TLS 1.2 (with SHA-2 algorithms), which needs extra configuration in older database releases.
This presentation shows how SSL certificates work from a DBA perspective, which tools are available, and examples of configuring and troubleshooting their usage from the Oracle database. It also explores the implications of implementing TLS 1.2, how to do it, and common errors found in real-life usage.
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018 (Amazon Web Services)
In this session, we discuss best practices for securing your Kubernetes deployments on AWS. We cover how to use AWS IAM with Kubernetes role-based access control (RBAC) for new or existing Kubernetes deployments, and we dive deep into how Amazon EKS implements secure cluster configuration by default.
Azure Arc offers simplified management, faster app development, and consistent Azure services. Easily organize, govern, and secure Windows, Linux, SQL Server, and Kubernetes clusters across data centers, the edge, and multicloud environments right from Azure. Architect, design, and build cloud-native apps anywhere without sacrificing central visibility and control. Get Azure innovation and cloud benefits by deploying consistent Azure data, application, and machine learning services on any infrastructure.
Gain central visibility, operations, and compliance
Centrally manage a wide range of resources including Windows and Linux servers, SQL server, Kubernetes clusters, and Azure services.
Establish central visibility in the Azure portal and enable multi-environment search with Azure Resource Graph.
Meet governance and compliance standards for apps, infrastructure, and data with Azure Policy.
Delegate access and manage security policies for resources using role-based access control (RBAC) and Azure Lighthouse.
Organize and inventory assets through a variety of Azure scopes, such as management groups, subscriptions, resource groups, and tags.
Learn more about hybrid and multicloud management in the Microsoft Cloud Adoption Framework for Azure.
Windows Server 2016 offers huge improvements for Active Directory scalability and UI, which we'll talk about in detail. Don't miss a demo session on using Active Directory PowerShell History Viewer and the new graphic user interface for Active Directory Recycle Bin and fine-grained password policy features!
The number of internet-connected devices is growing exponentially, enabling an increasing number of edge applications in environments such as smart cities, retail, and industry 4.0. These intelligent solutions often require processing large amounts of data, running models to enable image recognition, predictive analytics, autonomous systems, and more. Increasing system workloads and data processing capacity at the edge is essential to minimize latency, improve responsiveness, and reduce network traffic back to data centers. Purpose-built systems such as Supermicro’s short-depth, multi-node SuperEdge, powered by 3rd Gen Intel® Xeon® Scalable processors, increase compute and I/O density at the edge and enable businesses to further accelerate innovation.
Join this webinar to discover new insights in edge-to-cloud infrastructures and learn how Supermicro SuperEdge multi-node solutions leverage data center scale, performance, and efficiency for 5G, IoT, and Edge applications.
Enter The Matrix: Securing Azure's Assets (BizTalk360)
This talk is mainly on the security aspects of Azure, in any context. You'll get an overview of where security is handled, some practices, and how to monitor and act accordingly on certain threats and issues. It will focus on IaaS, PaaS and SaaS. As security is an integral part of an environment, the integration aspect is never far away. Focus products include Azure and all related services.
High Performance Object Storage in 30 Minutes with Supermicro and MinIO (Rebekah Rodriguez)
The Supermicro Cloud DC is the perfect combination of performance, reliability, craftsmanship and flexibility for deploying MinIO object storage. MinIO on the Cloud DC platform outperforms and is more cost-effective than equivalently-sized hardware from other manufacturers. We recently benchmarked a cluster of four Cloud DC servers with NVMe drives and measured an impressive 42.57 GB/s average read (GET) throughput and 24.69 GB/s average write (PUT) throughput. This first class performance demonstrates that MinIO on Supermicro Cloud DC is a compelling solution for object storage intensive workloads such as advanced analytics, AI/ML and other modern, cloud-native applications.
In this webinar, you will learn:
Best use cases and deployment considerations for MinIO object storage
How to design and size a MinIO object storage cluster on Supermicro Cloud DC
How to deploy a distributed MinIO cluster onto a Cloud DC server cluster
Watch the Webinar: https://www.brighttalk.com/webcast/17278/519401
Cloud computing transforms the way we can store, process and share our data. New applications and workloads are growing rapidly, which brings every day more sensitive data into the conversation about risk and what constitutes natural targets for bad actors. This presentation reflects on current best practices to address the most significant security concerns for sensitive data in the cloud, and offers participants a list of steps to achieve enterprise-grade safety with MongoDB deployments among the expanding service provider options.
ProfitBricks Cloud Computing IaaS: An Introduction (ProfitBricks)
An introduction to ProfitBricks Cloud Computing IaaS. ProfitBricks is the IaaS provider that offers a painless cloud experience for all IT users, with no learning curve. ProfitBricks boasts flexible cloud servers and networking, an integrated Data Center Designer tool for visual control over the cloud and the best price/performance value available. ProfitBricks was named one of the coolest cloud providers of 2015 by CRN and was also the recipient of two CODiE awards and a Frost & Sullivan Cloud innovation award for 2014.
Up-front design of your AWS account can be done in a way that creates a reliably secure and controlled environment no matter how the AWS resources are used. This session will focus on "Secure by Design" principles and show how an AWS environment can be configured to provide a reliable operational security control capability to meet the compliance needs across multiple industry verticals (e.g. HIPAA, FISMA, PCI, etc.). This will include operational reporting through the use of AWS services (e.g. Config/Config Rules, CloudTrail, Inspector, etc.) as well as partner integration capabilities with partner solutions such as Splunk and Allgress for real-time governance, risk, and compliance reporting. Key takeaways from this session include: learning AWS Security best practices and automation capabilities for securing your environment, Automation accelerators for configuration, compliance, and audit reporting using CloudFormation, Config/Config Rules, CloudTrail, Inspector, etc., and ISV integration for real-time notification and reporting for security, compliance, and auditing in the cloud.
ControlCase discusses the following:
•About the cloud
•About PCI DSS
•PCI DSS in the cloud
•How to keep sensitive data secure as you move to the cloud
•Q&A
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed) (Codit)
Since companies are moving their data to the cloud, security has become a hot topic. How do we securely store sensitive data? Where do we store our encryption keys? These are just two of the many questions concerning modern companies. In this presentation, Tom Kerkhove will introduce you to the concepts of Microsoft Azure Key Vault.
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault (Tom Kerkhove)
Security has become more and more important as we move to the cloud and countries & companies are being hacked – remember the Sony hack? But how do we securely store sensitive data such as connection strings to our databases? Where do we store our encryption keys? Can I share them with my customers? How do I prevent abuse of my secrets and block them from doing so?
That's what this session is all about: I will introduce you to the concepts of Microsoft Azure Key Vault, which allows you to securely store keys, credentials and other secrets in the cloud. We will also have a look at how it enables us to store encryption keys for SQL Server TDE and how it can help you safeguard your cloud solutions even more.
An important use-case for Vault is to provide short lived and least privileged Cloud credentials. In this webinar we will review specifically how Vault's Azure Secrets Engine can provide dynamic Azure credentials. We will cover details on how to configure the Azure Secrets Engine in Vault and use it in an application. If you are using Azure now or in the near future, join us for some patterns on maintaining a high security posture with Vault's dynamic credentials model!
Application security meetup - cloud security best practices 24062021 (lior mazor)
The "Cloud Security Best Practices" meetup is about secrets management in the cloud, secure cloud architecture, event tracking in microservices, and how to manage secrets in K8s.
Similar to Confidential Computing in Azure - SlideShare Ed Dec 2022.pptx (20)
1. Wireless Communication System_Wireless communication is a broad term that i... (JeyaPerumal1)
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines (Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
ER (Entity Relationship) Diagram for online shopping - TAE (Himani415946)
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptx
1. CONFIDENTIAL COMPUTING IN AZURE (ACC)
Get confidential with confidential computing
Carlo Sacchi - linkedin.com/in/carlo-sacchi
Sytac Azure Night | December 2022
2. Who I am
• IT Engineer
• 20 years working in IT, starting in 2000 as a SysAdmin 🥷
• Approached VMs in early 2010, then cloud in 2015 🥷
• Working as DevOps, always looking for new trends in IT tech 🔭
• Active certifications: AZ-104, AZ-400, CKA 📝
3. My first speech in a MeetUP
DEATH ZONE
4. Agenda
• Introduction: what is Confidential computing and key concepts;
• On Azure;
• Consortium;
• Costs;
• Customers & Market.
5. Cloud customers are increasingly looking for ways to trust as little as possible
• Full control over the data lifecycle
• Privacy regulations and compliance
• Customer trust
• Untrusted collaborations
7. Azure Confidential Computing
Data at rest (existing encryption): encrypt inactive data when it is stored in blob storage, databases, etc.
Data in transit (existing encryption): encrypt data that is flowing between untrusted public or private networks.
Data in use (confidential computing): protect/encrypt data that is in use, while it is in RAM and during computation.
Protect against:
• Malicious hackers
• Third parties
• Privileged admins or insiders
• Exploiting bugs in the hypervisor/OS
• Accessing data without customer consent
8. In Azure, confidential computing means… a hardware root-of-trust
9. Share data with multiple parties securely
CONFIDENTIAL COMPUTING
Data in use: protect/encrypt data that is in use, while it is in RAM and during computation.
Defense in depth from others:
• Malicious admins
• Hackers
• Access without consent
Protect customer data from myself & the platform:
• Guest/Host OS kernel
• VM / Host admin
• Hypervisor
• Physical hardware access
10. What is Confidential Computing?
The protection of data in use by performing computation in a hardware-based Trusted Execution Environment (TEE), or enclave.
Verifiable assurance for:
- Data integrity
- Data confidentiality
- Code integrity
Azure provides:
- Confidential key management (Managed HSM), with Secure Key Release (SKR)
- Confidential attestation service
- A choice of memory-isolated and encrypted TEEs
11. Trusted Execution Environments (TEE)
Intel SGX (Software Guard eXtensions) as an application enclave
• Minimizes the attack surface to the CPU
• Isolates the code and data of a given confidential workload from any other code running in the system, with encrypted memory
[Diagram: two Apps above Operating System, Hypervisor, Host OS and Hardware, with the TEE sitting beside the apps and backed directly by the hardware]
12. Why Confidential VMs?
Benefits
• A VM that's confidential
• Protection from Azure as the CSP
• Doesn't require access or changes to code
• Independent hardware Root of Trust
• Full platform attestation on boot
• Customer verifiable attestation
• Virtual TPM device
• Full Disk Encryption
• Near general-purpose VM performance
[Diagram: Hardware, Host OS, Hypervisor, then the Virtual Machine with encrypted memory (confidentiality & integrity) running the customer's app; steps: 1 Attest, 2 Execute]
13. Enclaves and Confidential Virtual Machine TEEs
[Diagram, confidential VM: Hardware, Host OS, Hypervisor, then the Virtual Machine with encrypted memory (confidentiality & integrity) running the customer's app; steps: 1 Attest, 2 Execute]
[Diagram, enclave: on top of the hardware and Host OS, hypervisor, VMM, … the customer's app is partitioned into an untrusted part and a trusted part (the enclave), joined by a call bridge; steps 1 to 7: partition app, create enclave, attest, call trusted biz logic, execute, return]
16. Attestation
Attestation is how one software environment proves that a specific program is running on particular hardware, proving the trustworthiness of the TEE.
1. Initiated by the TEE when it loads
2. Establish a secure channel and retrieve the secrets
Passport / Background Check 'model'
RATS - key players and data flow
• Attester
• Relying Party / Key Broker Service (KBS)
• Verifier (Attestation Service)
• Key management service
[Data flow diagram: the Attester sends Evidence to the Verifier, which compares the evidence against policy (reference values) and returns an Attestation result; the Relying Party compares the attestation result against its own policy]
18. Confidential computing at Azure
Services
• SQL IaaS on confidential VMs (GA)
• SQL Always Encrypted with secure enclaves (GA)
• AVD on confidential VMs (Public Preview)
• Managed HSM (GA)
• Microsoft Azure Attestation (GA)
• Azure Confidential Ledger (GA)
Containers
• App enclaves: Intel SGX nodes on AKS (GA)
• Confidential VM AKS worker nodes (GA)
• Confidential serverless ACI (Limited Preview)
Virtual Machines
• DCa/ECa SEV-SNP VMs (GA)
• DCsv2/DCsv3/DCdsv3 Intel SGX VMs (GA)
• NCC NVIDIA VMs (Limited Preview)
Azure confidential computing offerings cover not just VMs and containers, but also Azure PaaS/SaaS services.
Choose a 'most-secure' route with control over every line of code, or an 'easy button' route to lift-and-shift existing apps to be confidential.
20. Price Comparison (*azureprice.net)

Standard_D2_v3 vs Standard_DC2s_v2
Name decoding, Standard_D2_v3: Standard – recommended tier; D – general purpose compute; 2 – VM size; v3 – version
Name decoding, Standard_DC2s_v2: Standard – recommended tier; D – general purpose compute; C – confidential; 2 – VM size; s – Premium Storage capable; v2 – version

                          Standard_D2_v3   Standard_DC2s_v2
vCPUs                     2                2
CPU architecture          x64              x64
Memory                    8 GiB            8 GiB
Hyper-V generations       V1               V2
Price by region (*azureprice.net):
East US (Virginia)        0.0960           0.1920
West US 2 (Washington)    0.0960           0.1920

Standard_EC2ads_v5 vs Standard_E2ads_v5
Name decoding, Standard_EC2ads_v5: Standard – recommended tier; E – optimised for in-memory hyper-threaded applications; C – confidential; 2 – the number of vCPUs; a – AMD-based processor; d – diskful (local temp disk is present); s – Premium Storage capable; v5 – version
Name decoding, Standard_E2ads_v5: the same, without the C – confidential element

                            Standard_EC2ads_v5   Standard_E2ads_v5
vCPUs                       2                    2
CPU architecture            x64                  x64
Memory                      16 GiB               16 GiB
Hyper-V generations         V1,V2                V1,V2
Azure Compute Units (ACUs)  230
Price by region (*azureprice.net):
North Europe (Ireland)      0.1610               n/a
West Europe (Netherlands)   0.1740               n/a
East US (Virginia)          0.1440               0.1310
East US 2 (Virginia)        n/a                  0.1310
West US (California)        0.1630               n/a
How many of you have heard of it?
Try, in 30 minutes, to describe something complicated but with focus on the key concepts:
why it is important, what the advantages are and why customers will ask for it,
how it works, the Azure implementation,
services active or upcoming.
Everybody knows the power of a cloud platform.
A globally distributed platform, pay as you go: it's a value.
What is the basic problem? It is the 'trust base', the chain of trust.
Normally it must be as little as possible.
Customers are becoming sophisticated and ask the platform to deliver full control of the data lifecycle.
This is the question behind it.
Privacy and sovereignty rules, regulations and compliance to follow.
Giving data to an American corporation is not trusted.
Cloud sharing, but not trust.
For how the cloud platform is built, this is the macro view:
the main block of the customer environment in the center.
If I keep my block safe, I'm safe. No.
There are actors around it; they live to keep the operation up and running,
and theoretically (but also practically) they can have access.
Is there a way to keep this data safe against everybody?
Is there something that assures me that everything inside is really safe?
Rest and transit can be enough.
If an app must read data, somewhere the data will be in clear.
In a VM, an app that runs in the kernel can access zones of memory. The data is not safe.
Meltdown and Spectre: these hardware vulnerabilities allow programs to steal data while it is being processed on the computer.
CC is made to resolve this third leg of the data protection lifecycle:
how can I protect my code and my data while it is running, in a safe environment?
What mechanism must I implement?
In Azure, CC means:
an independent hardware root of trust, rooted down to the manufacturer;
customer remote attestation, verifiable;
data fully under customer control: creation, use, transport, deletion;
memory encryption.
What are the benefits when I protect data in memory?
1. I have memory with data encrypted; I protect it from malicious actors (they can't have access).
2. Reduce the chain of trust until I only have to trust myself. No one, under any circumstances and at any moment, can have access.
3. Put together hospital data, AI/ML shared. Everybody agrees on an algorithm.
Confidential computing is the protection of data in use using hardware-based Trusted Execution Environments (TEE), during processing or runtime.
It is an environment that provides assurance of data integrity, data confidentiality and code integrity.
To secure enterprise data, confidential computing runs it within secure enclaves that isolate data and code to prevent unauthorized access,
even when the infrastructure itself is compromised.
A TEE needs hardware, not software.
Computing hardware requires encryption keys to be decrypted and exposed in memory before use, leaving them vulnerable to hackers or insiders.
Let's see a couple of scenarios.
Standard stack on cloud: app with data, on an OS, on a hypervisor, on a host OS, on hardware.
Let's assume that the app needs to be safe. The app enters the TEE, and the data is brought inside the TEE. What happens in the TEE is safe against the outside.
So if I can protect it from the stack, only the app, I'm safe.
In this model the application is written specifically for this purpose.
Nice; why not do a VM directly?
Yes, so I don't have to write a purpose-built app. But we have to trust the OS.
But as in the previous example: starting from the VM, everything inside is safe.
Is the OS safe? If we don't trust it, let's go to the first example.
So, the recap: in the second scenario my app is not changed (the entire OS is in the TEE);
in the first scenario the trust is only for the branch of app and data, and stops there.
In the second, the entire OS; but if we want we can customize my OS, then pull it into the CC.
Root of trust: the trust I give to the CPU manufacturer. Rooted down to Intel SGX / AMD / NVIDIA; nobody can have access to the confidentiality.
It's possible to do remote attestation (a cryptographic process): the customer can know if the hardware is OK and verify if the environment is exactly the way you expect it to be. This is done before; if everything is OK we can spin up CC.
In combination with attestation, we have a trusted launch of the enclave, starting from the boot.
Memory encryption: so the CPU can work on encrypted memory.
Keys are important. Azure Managed HSM runs in CC and gives secure key capabilities. It ensures that keys are in clear only inside the enclave, encrypted outside.
Deploy the TEE only if your environment is in the desired good state.
The TEE attests itself to the guest attestation library; the library checks if it is on confidential hardware, then sends the response to the attestation service (Azure), which responds. If everything is OK, the TEE is launched.
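A toy model of the RATS passport flow from slide 16 and of the attestation-then-key-release steps described just above, added here as an example (not Azure's or the speaker's code). It assumes constructed HMAC keys standing in for the hardware and attestation-service signing keys, a constructed measurement value, and a hypothetical KeyBroker class standing in for the key management service doing Secure Key Release.

```python
# Toy RATS passport flow (added example, not Azure code). Signatures are simulated with
# HMAC over constructed shared keys; a real TEE signs with a hardware-rooted asymmetric key.
import hashlib
import hmac
import json
import secrets

HW_ATTESTATION_KEY = b"constructed-hw-key"          # stands in for the CPU vendor key
VERIFIER_SIGNING_KEY = b"constructed-verifier-key"  # stands in for the attestation service key

def sign(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def attester_evidence(measurement, nonce):
    """TEE side: report what is loaded, bound to the relying party's nonce."""
    claims = {"measurement": measurement, "nonce": nonce, "tee": "constructed-tee"}
    return {"claims": claims, "sig": sign(HW_ATTESTATION_KEY, claims)}

def verifier_appraise(evidence, reference_values):
    """Attestation service: hardware signature first, then claims against reference values."""
    claims = evidence["claims"]
    if not hmac.compare_digest(evidence["sig"], sign(HW_ATTESTATION_KEY, claims)):
        return None  # not produced by genuine hardware
    if claims["measurement"] not in reference_values:
        return None  # unexpected code or configuration loaded
    result = {"nonce": claims["nonce"], "measurement": claims["measurement"], "status": "ok"}
    return {"result": result, "sig": sign(VERIFIER_SIGNING_KEY, result)}

class KeyBroker:
    """Relying party / KBS (hypothetical): releases the secret only for a fresh,
    verifier-signed result whose measurement matches its release policy (SKR)."""
    def __init__(self, secret, policy_measurement):
        self.secret, self.policy = secret, policy_measurement
        self.nonce = secrets.token_hex(8)
    def release(self, attestation_result):
        if attestation_result is None:
            return None
        r = attestation_result["result"]
        if not hmac.compare_digest(attestation_result["sig"], sign(VERIFIER_SIGNING_KEY, r)):
            return None  # result not issued by the verifier we trust
        if r["nonce"] != self.nonce or r["measurement"] != self.policy:
            return None  # stale (replayed) result or policy mismatch
        self.nonce = secrets.token_hex(8)  # nonce is single use
        return self.secret

def run_flow(measurement):
    # End to end: evidence -> appraisal -> key release; None means no key was released.
    good = "sha256:constructed-good-image"
    kbs = KeyBroker(b"constructed-data-key", good)
    evidence = attester_evidence(measurement, kbs.nonce)
    return kbs.release(verifier_appraise(evidence, {good}))
```

The key is released only when the measurement matches the reference value and the result is bound to the broker's current nonce; a tampered measurement, a forged signature or a replayed result all yield None.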
Co-founded September 2019.
- SQL: confidential SQL on an Azure VM. Full SQL Server installation; lift and shift. Preview: AVD with Windows 11.
- Ledger: tamper-proof data storage backed by a blockchain structure, and more.
- Containers: confidential serverless ACI containers. No code change; lift-and-shift containers. Ideal for confidential AI and short-lived workloads. VMs too.
Fireblocks is a platform that protects digital assets in transit, focusing on protecting the transmission of customers' digital assets between exchanges and crypto too (buzzword).