Thomas: Welcome to a new episode of Azure Unblock. Today, we're going to talk about Azure Confidential Computing. I'm here with Stefano Tempesta to talk about Azure Confidential Computing. Hi, Stefano.

Stefano: Hi, Thomas. Hi, everybody.

Thomas: Now, great to have you today. We're going to speak about something really interesting, and it sounds really cool. It is Azure Confidential Computing. Can you explain a little bit what it is and why we should care about Azure Confidential Computing?

Stefano: Yes. Thanks for having me, first of all. Look, we all know the different states of protection of data: data at rest, and data protected also in transit, right? But there is a first state that not many are familiar with, which is protection of data when it is in use, in memory. Think for a moment. You have your data encrypted in your database or in your file system, then you transfer it into your server or virtual machine, containers, whatever is running, and it's being processed. At that moment, if someone takes a memory dump, they can actually see the data in clear. Confidential Computing is about protecting that memory space with hardware-based encryption.

Thomas: Okay. That is awesome. That makes it very clear. As you said, we have obviously encryption at rest, and when data is in transit we can encrypt obviously using HTTPS or VPN connections or whatever. Confidential Computing really helps us when data is actually processed and is in the memory. This is super interesting. What are the typical use cases in customers like using this? Obviously, I personally would use it, but I'm sure you have even more interesting use cases to share.

Stefano: Yes. Look, the Azure Cloud obviously is super secure. We already have very strong confidence in the security measures in Azure. But this is an extra level of protection, especially for organizations in the public sector, like government or financial institutes, health care. These are the typical domains where we see customers demanding, asking for confidential computing. Why? Simply because this is extremely confidential data. They even don't want the Cloud provider to have access. I mean, I'm not saying obviously that Microsoft in this case will have access to customer data, but sometimes there is some telemetry that we take for additional support or analytics on customer data without even reading it. In this case, confidential computing prevents even the Cloud provider from accessing this data that is processed in these black boxes. The trusted execution environment is completely isolated with hardware encryption, as I mentioned, that no one can access, not even the Cloud provider.

Thomas: This is interesting. I remember I had a conversation with one of these large companies, and what I remember exactly was this conversation that Microsoft, obviously, we have stuff in place so we cannot really access customer data, right? But these are also processes and all these boundaries. But even they had some regulations telling them this is not enough, right? They need to have an additional technology layer of protection to actually really protect that data. So really not even the Cloud provider can access it, or if there is a suspicious activity going on to access that. So confidential computing is great in that case. And I'm happy that we have that. Speaking of that, so obviously the next thing I'm really interested in is about, this is obviously a great technology, but how can I use it? Like, is it an Azure service in general? Can I use it for different Azure services? Is it for virtual machines, or does Azure confidential computing actually line up with Azure?

Stefano: Excellent question. Show me the confidential computing, right? And it's actually easier than most people think it is, because people say, oh, do we have to do something special? Well, yes and no. Confidential computing is hardware encryption. So it is based on special CPUs by Intel or AMD. And they are available in the Azure portal. So if you are after confidential virtual machines or containers, you can use the normal tools that you normally use for provisioning infrastructure, including PowerShell or any other infrastructure as code tool, and provision your services. What's the difference? Well, you have to select some specific families for virtual machines that are based on these special CPUs that have the extension for encryption of data in use. Everything is fully documented, obviously, in our docs. So just make sure that during the provisioning of a virtual machine or containers, which are based on AKS, so the traditional Azure Kubernetes Service, you pick the specific confidential service. Even SQL Database in Azure has an extension called Always Encrypted with Secure Enclaves. It's such a big name just to say that this is a confidential database. So a special version of SQL Server, no, server is a managed service. So SQL Database in Azure with the Always Encrypted capability running inside the Secure Enclave. People will hear sometimes this Secure Enclave terminology. It's another way to say a trusted execution environment, which is a memory space encrypted with these special CPUs. So just go through the Azure portal and you will find all the confidential services already there.

Thomas: Okay, this is awesome. So I can actually use it for PaaS services like Azure SQL, for example, I can use there the Secure Enclaves, but I can also, like if I have applications which I just simply install in a virtual machine or, as you said, container, I can actually just, like without modifying the code, just by selecting the right virtual machine type, I can actually take advantage of that. Is that correct?

Stefano: Correct. Absolutely, yes.

Thomas: Awesome. Now, this is great. And I mean, we talk from time to time, right? And you know, I'm a big hybrid guy. I'm always interested in seeing what we have in the hybrid space. So you talked about Azure confidential computing in Azure, obviously, but since we have a lot of customers also in hybrid cloud environments, so they need to run applications and servers and other stuff in their own data center or at edge locations, how can we leverage, or can we leverage, Azure confidential computing there as well?

Stefano: So the answer is yes, but be careful. First of all, running confidential computing in general, it is possible even outside of Azure cloud as long as the service provider is part of the Confidential Computing Consortium. This is a Linux Foundation project. Microsoft is one of the co-founders of this consortium along with Intel, AMD, but there is also Google and a lot of other providers. And if the service is under the sort of governance and guidelines of this consortium, confidentialcomputing.io is the website, then yes, you are doing confidential computing. Other cloud providers may not be in the Confidential Computing Consortium, so they are not offering confidential computing capabilities. They may have different ways of protecting data which are not part of this consortium. So this is one aspect that I typically recommend to customers. I keep an eye on this because everything in this consortium is the official confidential computing, and also it's a sort of guarantee that the services are provided without a vendor lock-in, with open source frameworks. So it's sort of a guarantee that you're not tied in to a provider's technology. So that's the first aspect to consider. And then there is the aspect of we can run confidential computing also at the edge. This can be IoT devices; Azure confidential computing has also capability for running confidential IoT. Or it can be also on-premises. It's not gonna be in Azure, obviously, but as long as the hardware supports this encryption at CPU level, you are running the protection that you need also on-premises.

Thomas: Okay, that is pretty great, that I not just can take advantage of confidential computing in Azure, but also outside of Azure. And also what I really find important is that it's not that you have any vendor lock-in by using it, right? So that is-

Stefano: And look, we call it Azure confidential computing because we offer it obviously out of Azure. But the market, the industry terminology is just confidential computing. And I said that there is the consortium working and looking after it. So it is a brand. It is a standard, a bit like saying HTTPS. No one owns HTTPS, right? But there are obviously different providers that offer the service. The same for confidential computing.

Thomas: No, that is great. But now this discovery is really a very interesting point here. So by that, where do you see the future going of confidential computing, and maybe also especially like Azure confidential computing? Can you tell us a little bit about what you see, where the industry is heading and where we are heading as Microsoft?

Stefano: Yeah, so look, as I said, the consortium is setting a lot of directions and guidelines, best practices. The aspiration, the vision here is to create a confidential cloud where you don't have to bother about selecting a service that is confidential and another one that is not. Why can we not have everything confidential? At the end there is extra protection that would benefit anybody in any case. So the road ahead is a confidential cloud and edge, an end-to-end experience where you are protected at any state of your data being protected: at rest, in transit, and when processed, when it is in memory. The important thing to understand also is that you're not only protecting your data with confidential computing, you're also protecting your applications, because when it is in memory, it's not just data, it's also your application, your code that is running in a process, in a thread, in memory. So if you have, for example, a machine learning algorithm with a specific algorithm that you want to protect, confidential computing will protect also your application from reverse engineering, for example. So that's where we are heading to. We are heading into making confidential computing pervasive anywhere in cloud and edge capability. So you have protection every day, 100%, with no extra effort, extra challenges.

Thomas: I love that vision, and I absolutely, I never thought of having, like also obviously applications protected, like the application code for your intellectual property, right? You also want to protect that. Basically you want to have everything protected. And I love where you see this going, that I have this end-to-end protection in terms of like data at rest, transit, but then compute-wise in the cloud, but also at the edge. So really exciting times. And yeah, I hope it looks like, and I really think it's a good idea to have that become, like at one point, the standard, like just the default basically how we do things. So this is pretty cool.

Stefano: Yeah, it's a truth.

Thomas: So obviously now for people like me who are now interested in that and want to learn more, where do we go?

Stefano: Look, we have plenty of documentation on the Azure portal with instructions on how to get started with virtual machines, containers on AKS, SQL. We have also Confidential Ledger, which is super powerful because you can protect your transaction logs in an immutable ledger, keeping the confidentiality of your data as well. And there are open source frameworks for different programming languages, for building confidential machine learning. So the offering is rich. The best way to start is really from the Azure Confidential Computing landing page on the Azure portal. It's super easy. Just search in your preferred search engine for Azure Confidential Computing and it will come up at the top of the search results, or go to the alias, to the URL, aka.ms slash Azure CC for Confidential Computing. Job done.

Thomas: That's awesome. Now, thank you very much. And again, I will definitely use Bing to find Azure Confidential Computing. And for everyone else, we obviously have the links in the description. So what I want to say, thank you Stefano for your time today. That was really helpful, and I'm really looking forward to doing more with Azure Confidential Computing. And for everyone watching, thank you very much for watching, and I hope to see you in the next one.

Stefano: Thanks Thomas. Thanks everybody. Bye.