Azure VM Security Types
Trusted Launch of Azure VMs
Understanding Confidential Computing
•Azure confidential computing is defined by the Confidential Computing Consortium, a foundation dedicated to defining and accelerating the adoption of confidential computing
•Confidential computing is the protection of data in use by performing computations in a hardware-based, attested Trusted Execution Environment (TEE)
•A TEE enforces execution of only authorized code. The cloud provider, external agents, and other tenants cannot tamper with the data.
How Confidential Computing in Azure Works
Confidential computing uses the latest improvements that the manufacturers have made available in the CPU architecture. CPU-state confidentiality and data integrity are provided with the help of the CPU's virtualization extensions rather than on the OS side (hypervisor), thereby increasing CPU and memory performance and overall security.
The two different approaches
1. VMs with application enclaves
2. VM-level confidentiality
Comparison of the different Approaches
•AMD Secure Encrypted Virtualization (SEV) - AMD Secure Nested Paging (SNP) / Intel Trust Domain Extensions (Intel TDX)
•Intel Software Guard Extensions (SGX)
Basic Overview of the improved CPU Technologies and their integration
[Diagram: SGX app, OS, hypervisor, CPU, host]
Application Enclaves (Intel SGX)
•App code change required
•Protection against VM admins and in-OS malware
Confidential VMs (AMD SEV-SNP / Intel TDX)
•No app code change
•Integrity assurance by encrypting the memory (RAM using AES) and the processor registers
•Protection against DC admins, hypervisors and the underlying service
Root Kit
Trusted Launch
Generation 2 (Gen2) VMs are based on UEFI (Unified Extensible Firmware Interface) rather than BIOS. Gen2 brings many features, along with a vTPM (virtual Trusted Platform Module) that follows the TPM 2.0 specification.
Secure Boot helps protect boot integrity against rootkits.
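An added example (not part of the original slides) that audits which security type each VM uses and whether Secure Boot and vTPM are enabled. It assumes the input has the shape of `az vm list -o json` output; the VM names and the sample data are constructed.

```python
import json

# Constructed sample shaped like `az vm list -o json` output (not real VMs).
SAMPLE_VM_LIST = json.loads("""
[
  {"name": "web-01", "securityProfile": null,
   "storageProfile": {"osDisk": {"managedDisk": {}}}},
  {"name": "app-01",
   "securityProfile": {"securityType": "TrustedLaunch",
     "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": true}},
   "storageProfile": {"osDisk": {"managedDisk": {}}}},
  {"name": "db-01",
   "securityProfile": {"securityType": "ConfidentialVM",
     "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}},
   "storageProfile": {"osDisk": {"managedDisk": {"securityProfile":
     {"securityEncryptionType": "DiskWithVMGuestState"}}}}}
]
""")


def audit_vm(vm):
    """Return (security_type, findings) for one VM object."""
    profile = vm.get("securityProfile") or {}
    # A missing security profile is treated here as a standard VM.
    sec_type = profile.get("securityType") or "Standard"
    if sec_type == "Standard":
        return sec_type, ["no Trusted Launch or confidential VM protection"]
    findings = []
    uefi = profile.get("uefiSettings") or {}
    if not uefi.get("secureBootEnabled"):
        findings.append("Secure Boot disabled")
    if not uefi.get("vTpmEnabled"):
        findings.append("vTPM disabled")
    if sec_type == "ConfidentialVM":
        disk = ((vm.get("storageProfile") or {}).get("osDisk") or {}).get("managedDisk") or {}
        enc = (disk.get("securityProfile") or {}).get("securityEncryptionType")
        # Only DiskWithVMGuestState covers the OS disk as well as the VMGS blob.
        if enc != "DiskWithVMGuestState":
            findings.append(f"OS disk not confidentially encrypted ({enc})")
    return sec_type, findings


def audit(vms):
    """Map VM name -> (security_type, findings)."""
    return {vm["name"]: audit_vm(vm) for vm in vms}


if __name__ == "__main__":
    for name, (sec_type, findings) in audit(SAMPLE_VM_LIST).items():
        print(f"{name}: {sec_type}: {'; '.join(findings) or 'ok'}")
```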
Limitations of Confidential Computing
•https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview#limitations
Memory Dump
No, this capability doesn't exist for confidential VMs.
Recovery And Microsoft Support
Various recovery and support scenarios aren't available for confidential VMs.
Cost
Confidential VMs use a small encrypted virtual machine guest state (VMGS) disk of several megabytes. VMGS encapsulates the VM security state of components such as the vTPM and UEFI bootloader. This disk might result in a monthly storage fee.