Such an approach could offer a boost to cancer research, for example, by allowing data drawn from multiple providers to be analysed in the cloud without leaking individual data sets to parties that shouldn’t have access to them.
“This is just going to become a fundamental defence-in-depth for protection of any customer data,” the CTO said.
“Even if they’re comfortable with having it in the cloud, this provides another level of protection around that data. As the technology becomes more accessible, you’ll see this become, I think, the standard way that everybody processes their most sensitive data in a cloud environment.”
Microsoft also has an internal prototype of a new version of SQL Server’s Always Encrypted feature based on the enclave concept. “It puts the SQL query engine inside of the enclave,” Russinovich said.
“A customer then can get an assurance that it is SQL Server running inside of that and then release keys that will allow the SQL query engine to decrypt the customer’s data – so pull in that data encrypted and then perform queries on it.
“That SQL query processor is protected by the enclave from the surrounding environment. If you take a look at what was possible before with the first versions of SQL Always Encrypted, you could encrypt data as it went into your SQL database, but the SQL query engine — because it only saw encrypted data — cannot perform rich queries on it, for example a range query.”
“With this new version of Always Encrypted based on enclaves, if you release the key to decrypt that column to the SQL query processor, then you can perform rich computations on top of it,” he added.