The new product, called Azure confidential computing, placed customer information in a virtual enclave, essentially a black box that keeps anyone outside the customer — including Microsoft itself — from accessing the data.

Share story

Microsoft, working with chipmaker Intel, is offering a cloud-computing service with more powerful encryption to secure data from hackers – and protect it from secret government data-gathering.

Called Azure confidential computing, the technology encrypts data while it is in use – which is when most security breaches occur, according to Azure Chief Technology Officer Mark Russinovich. The new product works by placing customer information in a virtual enclave, essentially a black box that keeps anyone outside the customer — including Microsoft itself — from accessing the data. That can keep cyberthieves, malicious insiders and governments from getting in without customer authorization.

The new service also means that Microsoft won’t have the capability to turn over unencrypted data in response to government warrants and subpoenas without customer involvement, an issue at the heart of a current Microsoft lawsuit against the U.S. government fighting the requirement to turn over client data, sometimes without the customer’s knowledge.

The confidential computing service is intended to reassure customers that are considering moving data and applications to Microsoft’s cloud that the switch will not open them up to hacks, spying and secret subpoenas.  While many companies worldwide have grown more willing to move even sensitive data to internet-based computing in the past few years, some unease about security and privacy persists.

“They can be sure that they can’t do any better than this on their own premises,” Russinovich said. “This data is completely protected from us and from any attackers.”

Azure confidential computing, which has entered a preview phase with initial customers, will offer two ways to create these secure enclaves. One is based on Microsoft’s own server software, while the other uses Intel chips with that company’s built-in security features. Intel unveiled this sort of data-enclave capability for desktop machines in 2015 but hadn’t planned to offer it for the servers that underpin cloud networks for several years. Russinovich persuaded the chipmaker to speed that up, said Rick Echevarria, an Intel vice president and general manager of the platform security division. The Intel technology isn’t exclusive to Microsoft and will be sold to other customers.

Customers remain on edge about network security after massive and damaging high-profile attacks on companies like online portal Yahoo, retailer Target, entertainment conglomerate Sony, the Democratic National Committee and most recently credit-reporting company Equifax, whose recent breach put the personal data of as much as half of the U.S. population at risk. Those companies were storing the data on their own networks rather than with the big cloud providers such as Microsoft, Alphabet’s Google and market leader Between customer needs and the ever-evolving skills of hackers seeking to penetrate networks, Microsoft and its rivals have been rushing to add layers of security.

Google has been working on its own chips, called Titan, that offer a different type of security against hackers in cloud networks. That effort makes sure that when machines boot up, every piece of Google software is valid and hasn’t been tampered with.

Intel and Microsoft will also probably take the new technology to the server computers that companies use in their own data centers, referred to as on-premise computing, Intel’s Echevarria said. Hacks like Equifax make that a critical need.

“As a cybersecurity professional, it’s very tough to read the news every morning,” he said.