When it comes to encrypting data, we have solved several different problems. Since the invention of algorithms like DES, 3DES and/or AES, symmetric encryption is something we understand and can solve. With RSA and Diffie-Hellman, key management and key exchange can be implemented with reasonable management overhead.
This led to solid and trusted implementations of encryption at rest and encryption in transit, and this has been more or less good enough for decades, as we ran more or less single-workload computers or at least owned and controlled them. When we started to outsource our infrastructure, we relied on processes and contracts to address the problem that a third party could access in-memory data. This is a limitation we do not want to bring to the cloud.
One solution to encryption in use could be homomorphic encryption: in other words, computation on encrypted data that yields encrypted results, with the data never decrypted in between. So we keep the processor and memory outside the encryption border, if you will. This is a very interesting concept, but it currently still fails to scale. We need environments that scale for huge workloads.
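To make "computation on encrypted data" concrete, here is an added example (not from the original post) using textbook Paillier, which supports only addition and multiplication by a plaintext constant rather than arbitrary computation. The toy primes, function names and sample values are assumptions chosen for the demo.

```python
import math
import secrets

# Constructed toy primes (2^31 - 1 and 2^61 - 1); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    """Return (public n, private (lam, mu)) for textbook Paillier with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # inverse of L(g^lam mod n^2) when g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    """Probabilistic encryption of 0 <= m < n under public key n."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1  # fresh blinding factor per ciphertext
        if math.gcd(r, n) == 1:
            break
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    """Recover m with the private key: L(c^lam mod n^2) * mu mod n."""
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def untrusted_weighted_sum(n, ciphertexts, weights):
    """Runs on the untrusted host: needs only n, never sees a plaintext."""
    n2 = n * n
    acc = 1  # a valid encryption of 0 (blinding factor r = 1)
    for c, w in zip(ciphertexts, weights):
        # Enc(a) * Enc(b) = Enc(a + b); Enc(a) ** w = Enc(w * a)
        acc = acc * pow(c, w, n2) % n2
    return acc

def demo():
    n, priv = keygen()
    readings = [1200, 345, 77]  # constructed sample values
    cts = [encrypt(n, v) for v in readings]
    result_ct = untrusted_weighted_sum(n, cts, [1, 2, 3])
    return decrypt(n, priv, result_ct)  # only the key owner can read the result

if __name__ == "__main__":
    print(demo())
```

The host that runs `untrusted_weighted_sum` holds only ciphertexts and the public modulus, which is the "processor and memory outside the encryption border" property described above.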
This is the scenario confidential computing targets. It provides a protected, confidential enclave in which you can run your (verifiable) code. This happens in such a way that processes from the outside cannot access the data within the enclave.
This technology will come to Azure and gives us, in this context, the final piece of the puzzle to protect customer workloads. Read more in Mark Russinovich’s blog post: Azure confidential computing