Azure SQL Database Gets More Secure with Secure Enclaves

Security is a longstanding priority for Microsoft across its products and offerings. In fact, SQL Server has pro­duced the fewest security vulnerabilities of all the major database platforms for many years, beating industry stalwarts such as Oracle and MySQL. One area where Microsoft is extending its lead in security is the Azure SQL cloud-based database platform.

An important new set of features for security and confidential computing was announced at the recent Microsoft Ignite virtual conference and are now in public preview. Although the name doesn’t exactly trip off your tongue, Always Encrypted with Secure Enclaves offers important new capabilities for orga­nizations that need greater control and security over their data while also enjoying the agility, scalability, and productivity gains of the public cloud.

What is Always Encrypted with Secure Enclaves?

One of the big challenges of confidential computing is that the administrators of most systems have full privileges to access and read that data, even when that level of access is inappro­priate. So that means in a typical client-driven application, the DBA(s) can read sensitive data such as salaries, HIPAA pro­tected medical data, PII, financial information, and other con­fidential kinds of data. For many years, workarounds were both extremely complex and very costly to deploy, if not downright impractical.

In earlier releases, we have Always Encrypted, a feature in SQL Server and Azure SQL Database that provides the ability to pro­cess queries using encrypted data without exposing that data to highly privileged database users, such as the DBA. This feature works using deterministic encryption, based on simple point lookup, searches, and equality joins on encrypted data housed within your SQL Server or Azure SQL database.

Always Encrypted with Secure Enclaves takes that early approach to security and confidentiality up a whole new level. With this new release, we can now set aside a protected region of memory within the SQL database engine to act as a trusted execution environment for the processing of sensitive data, thus a “secure enclave.” Furthermore, a secure enclave is a black box to the rest of the database engine. You cannot view any code or data inside the enclave without the proper ciphertext, even if you had a debugger. That way, the enclave securely decrypts data that it needs, processes queries and computations on the data, then returns data to the client in a secure fashion.

In database processing with secure enclaves, a Transact-SQL statement is parsed and deter­mined to include or exclude any encrypted data that requires use of the secure enclave or not. When the parser determines that a secure enclave is involved, a couple of new steps are introduced into processing the query. First, the client driver sends the quired column encryption keys to the secure enclave via a secure channel, submit­ting them to the query processor. Then, during query processing, the database engine delegates cryptographic operations or computation upon encrypted columns to the secure enclave. Where needed, the enclave can decrypt the data and then perform its computations and data processing on the plaintext. But neither the data nor the column encryption keys are exposed in plaintext outside of the secure enclave.

When you deploy an Azure SQL Database running Always Encrypted with Secure Enclaves, you get two main bene­fits. First, your queries are easier and more flexible, allowing more syntax such as range comparisons using BETWEEN or pattern matching using LIKE. Second, the encryption hap­pens automatically within the secure enclave, enabling you to avoid difficult kludges such as moving data outside of the encrypted database.

Batteries Not Included

This feature set is available in the newest release of on-prem­ise SQL Server 2019 (15.x). In this situation, you’ll need Vir­tualization Based Security (VBS) secure memory enclaves, a.k.a. Virtual Secure Mode or VSM enclaves. In the same way, it is not available with pre-existing Azure SQL Database SKUs. Instead, you’ll need to use the new DC-series of Azure hardware, which is also in preview. (Details at azure/azure-sql/database/service-tiers-vcore#dc-series.) That’s because a secure enclave makes use of Intel’s Software Guard Extensions (Intel SGX) hardware and is a prerequisite to use the feature.

Next steps

For more information and to get started with Always Encrypted with secure enclaves, go to­cryptedEnclavesAzureSQLDB.