Azure Kubernetes Service Now Supports Confidential Containers


Microsoft this week announced the public preview of support for confidential computing nodes in Azure Kubernetes Service (AKS).

One of the big tech companies to have affirmed commitment to computing confidentiality, Microsoft made Azure Confidential Computing generally available earlier this year, and also expanded the availability of secure VMs.

The availability of confidential containers on AKS is yet another step Microsoft is taking toward moving computing from ‘in the clear’ to ‘confidential’.

“The public preview of confidential computing nodes powered by the Intel SGX DCsv2 SKU with Azure Kubernetes Service brings us one step closer by securing data of cloud native and container workloads. This release extends the data integrity, data confidentiality and code integrity protection of hardware-based isolated Trusted Execution Environments (TEE) to container applications,” the company says.

Confidential computing on Azure ensures that data is encrypted while in use, courtesy of a hardware-based TEE. Thus, software can run on top of the protected environment to keep code and data hidden from view or modifications.

Microsoft also notes that developers have multiple application architecture options to choose from, depending whether their preferred model offers a faster path to confidentiality or increased control.

“The confidential nodes on AKS support both architecture models and will orchestrate confidential application and standard container applications within the same AKS deployment. Also, developers can continue to leverage existing tooling and dev ops practices when designing highly secure end-to-end applications,” the tech company explains.

So far during the preview period, most developers adopted confidential computing by selecting an existing unmodified docker container application and a partner to move an existing application into a container that leverages confidential computing infrastructure.

According to Microsoft, the reason many took this path was either because it provided them with faster access to confidentiality or because it ensures container IP is protected through encryption and identity verification is available in the enclave and clients can verify server thumbprint.

Other developers chose to have full control of the code in the enclave through containers that leverage Open Enclave SDK, Intel SGX SDK or a framework such as the Confidential Consortium Framework (CCF). Furthermore, Confidential Inferencing with ONNX is available for AI/ML developers, who can bring pre-trained ML models to AKS, Microsoft says.

“Confidential computing, through its isolated execution environment, has broad potential across use cases and industries; and with the added improvements to the overall security posture of containers with its integration to AKS, we are excited and eager to learn more about what business problems you can solve,” the company concludes.

Related: Google Announces Confidential GKE Nodes, General Availability of Confidential VMs

Related: Microsoft Announces New Security Features for Devs, Customers

Related: Microsoft, Google Announce Wider Availability of Secure VMs

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:
Tags:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *