%3CLINGO-SUB%20id%3D%22lingo-sub-2598108%22%20slang%3D%22en-US%22%3ESecure%20a%20web%20app%20architecture%20with%20Azure%20confidential%20computing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2598108%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EIn%20this%20post%2C%20we%E2%80%99ll%20show%20you%20how%20to%20build%20a%20Personal%20Identifiable%20Information%20(PII)%20-%20protecting%20web%20application%20architecture%20using%20Azure%20confidential%20computing%20(ACC).%20ACC%20completes%20your%20traditional%20cloud%20privacy%20with%20protections%20for%20%3CSTRONG%3Edata%20in%20use%3C%2FSTRONG%3E%20based%20on%20state-of-the-art%20hardware%20available%20in%20Azure%20today.%3C%2FEM%3E%3C%2FP%3E%0A%3CHR%20%2F%3E%0A%3CH2%20id%3D%22toc-hId--405895113%22%20id%3D%22toc-hId--328287418%22%3EArchitecture%3C%2FH2%3E%0A%3CP%3EThe%20diagram%20below%20showcases%20a%20typical%20architecture%20pattern%20for%20hosting%20a%20web%20application%20(e.g.%20On-Premises%20or%20Cloud%20Platform)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%221.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F314887i4BA7E083E04F07BF%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%221.png%22%20alt%3D%221.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-left%22%3E%3CFONT%20size%3D%222%22%20color%3D%22%23808080%22%3ETypical%20architecture%20for%20a%20web%20application%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20problem%20with%20this%20typical%20approach%20is%20that%20malicious%20actors%20could%20gain%20access%20to%2C%20as%20well%20as%20manipulate%2C%20sensitive%20data%20running%20on%20this%20architecture.%20For%20example%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3ECurious%3C%2FSTRONG%3E%3CSTRONG%3E%20SQL%20DBA%3C%2FSTRONG%3E%26nbsp%3B-%20with%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Frelational-databases%2Fsecurity%2Fauthentication-access%2Fdatabase-level-roles%3Fview%3Dsql-server-ver15%23fixed-database-roles%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Edb_owner%3C%2FA%3E%26nbsp%3B%20access%20can%20access%20sensitive%20tables%2C%20as%20well%20as%20leverage%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Frelational-databases%2Fextended-events%2Fsql-server-extended-events-sessions%3Fview%3Dsql-server-ver15%23session-content-and-characteristics%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESQL%20Server%20Extended%20Events%20Sessions%3C%2FA%3E%26nbsp%3Bto%20intercept%20query%20predicates.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ECurious%20VM%20admin%3C%2FSTRONG%3E%26nbsp%3B-%20with%20access%20to%20application%20logs%20can%20manipulate%20sensitive%20application%20logs%2C%20e.g.%20to%20erase%20a%20subset%20of%20the%20history.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ECurious%20host%2Fprovider%20admin%3C%2FSTRONG%3E%26nbsp%3B-%20with%20access%20to%20the%20underlying%20Hypervisor%20can%20access%20the%20Virtual%20Machines.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzure%20confidential%20computing%20enhances%20the%20security%20posture%20of%20your%20applications%20by%20protecting%20data%20and%20code%20when%20in%20use%2C%20that%20is%20when%20running%20and%20being%20processed%20in%20memory.%20This%20additional%20level%20of%20protection%20elevates%20the%20existing%20security%20posture%20in%20Azure%20by%20running%20application%20in%20hardware-encrypted%20trusted%20execution%20environments.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20an%20overview%20of%20what%20Azure%20confidential%20computing%20offers%2C%20please%20refer%20to%20this%20article%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-confidential-computing%2Fnavigating-confidential-computing-across-azure%2Fba-p%2F2520752%22%20target%3D%22_blank%22%3ENavigating%20confidential%20computing%20across%20Azure.%3C%2FA%3E%3C%2FP%3E%0A%3CHR%20%2F%3E%0A%3CH2%20id%3D%22toc-hId-2081617720%22%20id%3D%22toc-hId--2135741881%22%3EGoing%20Confidential%3C%2FH2%3E%0A%3CP%3ENext%2C%20we'll%20show%20you%20how%20to%20enhance%20your%20web%20application%20privacy%20with%20Azure%20confidential%20computing.%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-center%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%222.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F314889iCE7E30999395345E%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222.png%22%20alt%3D%222.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-left%22%3E%3CFONT%20size%3D%222%22%20color%3D%22%23808080%22%3EConfidential%20architecture%20leveraging%20Azure%20confidential%20computing%20services%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-center%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ECore%20components%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3ESensitive%20Data%3C%2FSTRONG%3E%26nbsp%3B-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-sql%2Fdatabase%2Falways-encrypted-with-secure-enclaves-landing%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EAzure%20SQL%20DB%20-%20Always%20Encrypted%20with%20secure%20enclaves%3C%2FSTRONG%3E%3C%2FA%3E%3A%20For%20hosting%20a%20confidential%26nbsp%3Bdatabase%20-%20with%20sensitive%26nbsp%3Bcolumns%20that%20are%20encrypted%20via%26nbsp%3BCMK%26nbsp%3B(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Fstatements%2Fcreate-column-master-key-transact-sql%3Fview%3Dsql-server-ver15%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EColumn%20Master%20Key%3C%2FA%3E).%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ESensitive%20Data%20Encryption%20Keys%3C%2FSTRONG%3E%26nbsp%3B-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fmanaged-hsm%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EAzure%20Key%20Vault%20-%20mHSM%3C%2FSTRONG%3E%3C%2FA%3E%3A%20A%20FIPS%20140-2%20Level%203%20validated%20HSM%20-%20used%20in%20this%20case%20for%20storing%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Frelational-databases%2Fsecurity%2Fencryption%2Fcreate-and-store-column-master-keys-always-encrypted%3Fview%3Dsql-server-ver15%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAlways%20Encrypted%20Column%20Master%20Key%3C%2FA%3E%26nbsp%3B-%20or%26nbsp%3BCMK%26nbsp%3Bfor%20the%20sensitive%20database.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ESensitive%20Application%20Logic%3C%2FSTRONG%3E%26nbsp%3B-%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fsolutions%2Fconfidential-compute%2F%23overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EAzure%20Confidential%20VM%20-%20with%20AMD%20EPYC%203%20Sev-SNP%3C%2FSTRONG%3E%3C%2FA%3E%3A%20For%20hosting%20a%20Web%20app%20that%20queries%20the%20sensitive%20database%20within%20Azure%20SQL%20DB%2C%20and%26nbsp%3Bpersists%20sensitive%20logs%20generated%20on%20the%20Web%20app%20(e.g.%20query%20history).%3CBR%20%2F%3E%3CBR%20%2F%3E%3CEM%3E(Confidential%20VM%20AMD%20EPYC%203%20Sev-SNP%20is%20not%20yet%20generally%20available%20at%20time%20of%20writing%3B%20sign-up%20for%20preview%20%3CA%20href%3D%22https%3A%2F%2Fforms.office.com%2FPages%2FResponsePage.aspx%3Fid%3Dv4j5cvGGr0GRqy180BHbR37R7JFLKbBAml_g6YTMEqtUOUlFNDhFMkFDS08wWjlPREIxMVk5T1BFUy4u%26amp%3BwdLOR%3DcC0EE192E-837D-4E54-8CB9-FCCD0C7B018D%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E).%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ESensitive%20Application%20logs%3C%2FSTRONG%3E%26nbsp%3B-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fconfidential-ledger%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EAzure%20Confidential%20Ledger%3C%2FSTRONG%3E%3C%2FA%3E%3A%20As%20an%20append-only%2C%20immutable%20ledger%20for%20hosting%20sensitive%20logs.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EAll%20components%20of%20this%20architecture%2C%20including%26nbsp%3B%3CSTRONG%3ESensitive%20Data%3C%2FSTRONG%3E%2C%26nbsp%3B%3CSTRONG%3ESensitive%20Data%20Encryption%20Keys%3C%2FSTRONG%3E%2C%26nbsp%3B%3CSTRONG%3ESensitive%20Application%20Logic%3C%2FSTRONG%3E%26nbsp%3Band%26nbsp%3B%3CSTRONG%3ESensitive%20Application%20logs%3C%2FSTRONG%3E%26nbsp%3B-%20are%20hosted%20at%20or%20above%20the%20blue%20dotted%20line%20highlighted%20below%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%225.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F314890i8EA8144A02695BA1%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%225.png%22%20alt%3D%225.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-left%22%3E%3CFONT%20size%3D%222%22%20color%3D%22%23808080%22%3ETrust%20boundary%20across%20Azure%20confidential%20computing%20services.%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3ETo%20transform%20an%20existing%20(or%20net-new)%20application%20to%20leverage%20confidentiality%20via%20ACC%20%E2%80%93%20the%20following%20activities%20can%20be%20easily%20accomplished%20for%20each%20of%20the%203%20tiers%20of%20the%20application%3A%20Data%2C%20Code%20and%20Logs%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSTRONG%3ESensitive%20Data%3A%3C%2FSTRONG%3E%20For%20an%20existing%20database%2C%20to%20migrate%20the%20data%20to%20%3CEM%3EAzure%20SQL%20DB%20%E2%80%93%20Always%20Encrypted%20with%20secure%20enclaves%3C%2FEM%3E%2C%20we%20can%20leverage%20any%20of%20the%20migration%20techniques%20available%20with%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-sql%2Fmigration-guides%2Fdatabase%2Fsql-server-to-sql-database-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20SQL%20DB%3C%2FA%3E%20today.%20For%20a%20net%20new%20database%2C%20we%20can%20leverage%20several%20techniques%20to%20hydrate%20our%20database%20%E2%80%93%20as%20illustrated%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fsql-server-samples%2Ftree%2Fmaster%2Fsamples%2Ffeatures%2Fsecurity%2Falways-encrypted-with-secure-enclaves%2Fazure-sql-database%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ein%20this%20repository%20via%20T-SQL%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ESensitive%20Application%20Code%3A%20%3C%2FSTRONG%3E%3CEM%3EAzure%20Confidential%20VM%20with%20AMD%20EPYC%203%20Sev-SNP%3C%2FEM%3E%20allows%20us%20to%20lift-and-shift%20existing%20application%20logic%20-%20meaning%20there%20are%20no%20code%20changes%20expected%20of%20our%20application%20to%20take%20advantage%20of%20the%20elevated%20confidentiality.%20Any%20web%20app%20framework%20(see%20demo%20below%20for%20a%20simple%20ASP.NET%20example)%20can%20continue%20to%20function%20as%20is.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ESensitive%20Application%20Logs%3A%20%3C%2FSTRONG%3ETo%20programmatically%20send%20sensitive%20application%20logs%20to%20%3CEM%3EAzure%20Confidential%20Ledger%3C%2FEM%3E%2C%20we%20can%20use%20any%20of%20the%20SDKs%20available.%20In%20the%20demo%20below%2C%20we%20use%20the%20%3CA%20href%3D%22https%3A%2F%2Fpypi.org%2Fproject%2Fazure-confidentialledger%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EPython%20SDK%20from%20PyPi%3C%2FA%3E%20for%20demonstration%20%E2%80%93%20at%20the%20time%20of%20writing%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fjava%2Fapi%2Foverview%2Fazure%2Fdata-confidentialledger-readme%3Fview%3Dazure-java-preview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EJava%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fapi%2Foverview%2Fazure%2Fstorage.confidentialledger-readme-pre%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E.NET%20SDK%3C%2FA%3E%20are%20available%20as%20well.%3CHR%20%2F%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH2%20id%3D%22toc-hId-274163257%22%20id%3D%22toc-hId-351770952%22%3EDemonstration%3C%2FH2%3E%0A%3CP%3EA%20live%20demonstration%20of%20this%20architecture%20pattern%20is%20showcased%20in%20the%20short%20demo%20video%20below.%26nbsp%3BIn%20this%20demonstration%2C%20we%20leverage%20a%26nbsp%3B%3CSTRONG%3EConfidential%20VM%3C%2FSTRONG%3E%26nbsp%3Bto%20emphasize%20one%20core%20point%20-%20no%20code%20changes%20are%20required%20of%20an%20existing%20application%20(in%20our%20case%2C%20an%20ASP.NET%20Web%20App)%20to%20run%20on%20an%20AMD%20Sev-SNP%20enabled%20Virtual%20Machine%20on%20Azure%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-center%22%3E%3CIFRAME%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fembed%2Fd2w0r-geduM%22%20width%3D%22560%22%20height%3D%22315%22%20frameborder%3D%220%22%20allowfullscreen%3D%22allowfullscreen%22%20title%3D%22YouTube%20video%20player%22%20allow%3D%22accelerometer%3B%20autoplay%3B%20clipboard-write%3B%20encrypted-media%3B%20gyroscope%3B%20picture-in-picture%22%3E%3C%2FIFRAME%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-center%22%3E%3CA%20href%3D%22https%3A%2F%2Fmybuild.microsoft.com%2Fsessions%2F0673aa81-6608-4bb3-b561-419431a4a506%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDemo%20Video%20from%20Build%20%E2%80%93%20starts%20at%2027%3A34%3C%2FA%3E%3C%2FP%3E%0A%3CHR%20%2F%3E%0A%3CH2%20id%3D%22toc-hId--1533291206%22%20id%3D%22toc-hId--1455683511%22%3EGet%20Started%3C%2FH2%3E%0A%3CP%3EInstructions%20on%20how%20to%20publish%20this%20app%20are%20described%20on%20the%20author's%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmdrakiburrahman%2Fhrapp-on-confidential-cloud%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGitHub%20repo%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2598108%22%20slang%3D%22en-US%22%3E%3CP%3EAn%20end-to-end%20demonstration%20of%20a%20confidential%20Web%20App%20running%20on%20an%20AMD%20powered%20Confidential%20VM%20with%20Azure%20SQL%2C%20AKV%20mHSM%20and%20Azure%20Confidential%20Ledger.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Header.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F299949i633BEB2FC81E4D87%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Header.png%22%20alt%3D%22Header.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2598108%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EACC%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAKV%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESQL%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E