Azure Attestation

  • Author: Ronald Fung

  • Creation Date: 1 June 2023

  • Next Modified Date: 1 June 2024


A. Introduction

Microsoft Azure Attestation is a unified solution for remotely verifying the trustworthiness of a platform and the integrity of the binaries running inside it. The service supports attestation of platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as Intel® Software Guard Extensions (SGX) enclaves and Virtualization-based Security (VBS) enclaves, as well as Trusted launch for Azure VMs and Azure confidential VMs.

Attestation is a process for demonstrating that software binaries were properly instantiated on a trusted platform. Remote relying parties can then gain confidence that only such intended software is running on trusted hardware. Azure Attestation is a unified customer-facing service and framework for attestation.

Azure Attestation enables cutting-edge security paradigms such as Azure Confidential computing and Intelligent Edge protection. Customers have been requesting the ability to independently verify the location of a machine, the posture of a virtual machine (VM) on that machine, and the environment within which enclaves are running on that VM. Azure Attestation will empower these and many additional customer requests.

Azure Attestation receives evidence from compute entities, turns it into a set of claims, validates those claims against configurable policies, and produces cryptographic proofs for claims-based applications (for example, relying parties and auditing authorities).
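As an added example (not Microsoft's code and not the service's actual policy language), the following Python models the evidence-to-claims-to-policy-to-issued-claims flow described above. The Policy class, the rule-evaluation order (first matching authorization rule decides, no match means deny), RELEASE_POLICY and the sample claim sets are hypothetical and constructed; only the x-ms-sgx-* claim names mirror the SGX claims the service exposes, and the signed JWT the real service returns is not modelled.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

Claims = Dict[str, Any]

@dataclass
class Policy:
    # Hypothetical Python stand-in for the service's policy grammar: authorization
    # rules are (condition, permit) pairs tried in order, the first match decides,
    # and a claim set matching no rule is denied; issuance rules build the output.
    authorization: List[Tuple[Callable[[Claims], bool], bool]]
    issuance: List[Callable[[Claims], Claims]]

def evaluate(incoming: Claims, policy: Policy) -> Optional[Claims]:
    """Return the issued claim set, or None when the policy denies attestation."""
    for condition, permit in policy.authorization:
        if condition(incoming):
            if not permit:
                return None
            break
    else:
        return None  # no rule matched: default deny
    issued: Claims = {}
    for rule in policy.issuance:
        issued.update(rule(incoming))
    return issued

# Example policy: refuse debug-mode enclaves, pin the product id, require a
# minimum security version number, and re-issue the signer measurement under a
# name the relying party expects. Claim names are the service's SGX claim names.
RELEASE_POLICY = Policy(
    authorization=[
        (lambda c: c.get("x-ms-sgx-is-debuggable") is True, False),
        (lambda c: c.get("x-ms-sgx-product-id") == 1 and c.get("x-ms-sgx-svn", 0) >= 3, True),
    ],
    issuance=[lambda c: {"enclave-signer": c["x-ms-sgx-mrsigner"], "min-svn-met": True}],
)

# Constructed sample claim sets standing in for claims derived from an SGX quote.
GOOD_CLAIMS: Claims = {"x-ms-sgx-is-debuggable": False, "x-ms-sgx-product-id": 1,
                       "x-ms-sgx-svn": 5, "x-ms-sgx-mrsigner": "ab" * 32}
DEBUG_CLAIMS: Claims = {**GOOD_CLAIMS, "x-ms-sgx-is-debuggable": True}
OLD_SVN_CLAIMS: Claims = {**GOOD_CLAIMS, "x-ms-sgx-svn": 2}

if __name__ == "__main__":
    for name, claims in [("release", GOOD_CLAIMS), ("debug", DEBUG_CLAIMS), ("old-svn", OLD_SVN_CLAIMS)]:
        print(f"{name}: {evaluate(claims, RELEASE_POLICY)}")
```

A relying party would consume the issued claims only after verifying the signature on the token that carries them.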

Azure Attestation supports both platform- and guest-attestation of AMD SEV-SNP based Confidential VMs (CVMs). Azure Attestation-based platform attestation happens automatically during the critical boot path of CVMs, with no customer action needed. For more details on guest attestation, see Announcing general availability of guest attestation for confidential VMs.


B. How is it used at Seagen

As a biopharma research company using Microsoft Azure, you can use Azure Attestation to verify the integrity of your computing environment and ensure that only trusted code is running on your virtual machines. Here are some ways you can use Azure Attestation:

  1. Verify the integrity of your virtual machines: You can use Azure Attestation to verify that the virtual machines running in your environment are running trusted code and have not been tampered with.

  2. Enforce security policies: You can use Azure Attestation to enforce security policies that require all code running on your virtual machines to be signed and attested, ensuring that only trusted code is running.

  3. Secure your supply chain: You can use Azure Attestation to secure your software supply chain by verifying the integrity of all code that is deployed to your virtual machines.

  4. Comply with regulations: You can use Azure Attestation to comply with regulatory requirements that require you to verify the integrity of your computing environment and ensure that only trusted code is running.

  5. Use with Azure Kubernetes Service: You can use Azure Attestation with Azure Kubernetes Service to verify the integrity of your Kubernetes workloads and ensure that only trusted code is running.

Overall, Azure Attestation provides a powerful tool for verifying the integrity of your computing environment and ensuring that only trusted code is running on your virtual machines. By leveraging the scalability, security, and performance of the service, you can secure your supply chain, enforce security policies, and comply with regulations to improve the security and integrity of your computing environment.


C. Features

Azure Attestation is a cloud-based service that allows you to verify the integrity of your computing environment and ensure that only trusted code is running on your virtual machines. Here are some of the key features of Azure Attestation:

  1. Secure boot verification: Azure Attestation provides secure boot verification, which allows you to verify that the firmware and boot loader on your virtual machines have not been tampered with.

  2. Code signing verification: Azure Attestation provides code signing verification, which allows you to verify that all code running on your virtual machines is signed and attested.

  3. Trusted launch verification: Azure Attestation provides trusted launch verification, which allows you to verify that all software components running on your virtual machines have been signed and attested.

  4. Integration with Azure services: Azure Attestation can integrate with other Azure services, such as Azure Kubernetes Service, to verify the integrity of your Kubernetes workloads and ensure that only trusted code is running.

  5. Compliance with regulations: Azure Attestation can help you comply with regulatory requirements that require you to verify the integrity of your computing environment and ensure that only trusted code is running.

  6. Secure supply chain: Azure Attestation can help you secure your software supply chain by verifying the integrity of all code that is deployed to your virtual machines.

  7. Scalability and performance: Azure Attestation provides scalability and performance, allowing you to verify the integrity of large numbers of virtual machines and code components.


D. Where Implemented

LeanIX


E. How it is tested

Testing Azure Attestation involves verifying that the service is properly configured and that it is effectively verifying the integrity of your computing environment and ensuring that only trusted code is running on your virtual machines. Here are some steps you can take to test Azure Attestation:

  1. Verify configuration: Verify that Azure Attestation is properly configured and integrated with your Azure account and resources.

  2. Test secure boot verification: Test Azure Attestation by verifying that secure boot verification is properly configured and that the firmware and boot loader on your virtual machines have not been tampered with.

  3. Test code signing verification: Test Azure Attestation by verifying that code signing verification is properly configured and that all code running on your virtual machines is signed and attested.

  4. Test trusted launch verification: Test Azure Attestation by verifying that trusted launch verification is properly configured and that all software components running on your virtual machines have been signed and attested.

  5. Test integration with Azure services: Test Azure Attestation by verifying that it can integrate with other Azure services, such as Azure Kubernetes Service, to verify the integrity of your Kubernetes workloads and ensure that only trusted code is running.

  6. Test compliance with regulations: Test Azure Attestation by verifying that it can help you comply with regulatory requirements that require you to verify the integrity of your computing environment and ensure that only trusted code is running.

  7. Test performance and scalability: Test Azure Attestation by verifying that it provides high performance and scalability, allowing you to verify the integrity of large numbers of virtual machines and code components.

Overall, testing Azure Attestation means verifying that the service is properly configured and is effectively verifying the integrity of your computing environment so that only trusted code runs on your virtual machines. Testing confirms that you are using the service to secure your supply chain, enforce security policies, and comply with regulations, and that you benefit from the scalability, security, and performance capabilities it provides.


F. 2023 Roadmap

????


G. 2024 Roadmap

????


H. Known Issues

Like any software or service, there may be known issues or limitations with Azure Attestation that users should be aware of. Here are some of the known issues with Azure Attestation:

  1. Limited compatibility with certain virtual machine configurations: Azure Attestation may not be compatible with all virtual machine configurations, which can limit the ability of users to verify the integrity of their computing environment.

  2. Limited support for certain operating systems: Azure Attestation may not support all operating systems, which can limit the ability of users to verify the integrity of their virtual machines.

  3. Cost: Azure Attestation can be expensive for users with limited budgets, particularly if they need to verify the integrity of a large number of virtual machines.

  4. Limited customization: Azure Attestation has limited customization options, which can limit the ability of users to configure the service to their specific needs.

  5. Security and compliance concerns: Users must ensure that they are properly securing and protecting sensitive data when using Azure Attestation, particularly when verifying the integrity of third-party code components.

Overall, while Azure Attestation is a powerful tool for verifying the integrity of your computing environment and ensuring that only trusted code is running on your virtual machines, users must be aware of these known issues and take steps to mitigate their impact: configure the service carefully to meet the specific needs of their data, monitor its cost and performance to confirm it fits their requirements, and verify the integrity of all third-party code components. By taking these steps, users can make effective use of Azure Attestation to secure their supply chain, enforce security policies, comply with regulations, and improve the security and integrity of their computing environment.


[x] Reviewed by Enterprise Architecture

[x] Reviewed by Application Development

[x] Reviewed by Data Architecture