Mon Sep 23 17:41:22 UTC 2024

## Confidential Computing Conquers Hacks: Microsoft’s Parma Secures Cloud Containers
**Cambridge, UK** – Microsoft Research has developed a system called Parma that delivers confidential computing for containers on Azure. It addresses a core weakness of cloud computing, namely that tenants must trust the provider's host infrastructure with their data, and lets users run sensitive workloads with strong guarantees of confidentiality and integrity.
Parma tackles the threat posed by malicious actors who could compromise the host system, including the hypervisor and operating system, potentially accessing sensitive data within containers. It utilizes a trusted execution environment (TEE) based on AMD SEV-SNP processors, which offers hardware-level isolation for the virtual machine (VM) running the container group.
The core of Parma lies in its **attested execution policy**. This policy, defined by the tenant, specifies the exact actions the guest agent within the VM is permitted to take, such as which container images may be started and with which commands, environment and mounts. Because the host that issues container-management requests is untrusted, the guest agent checks every request against the policy and rejects anything the policy does not permit, so a compromised host cannot inject or alter code inside the container group.
Parma further enhances security by employing **integrity-protected read-only file systems** for container images and **encrypted and integrity-protected read/write file systems** for user data. This prevents tampering with both the container code and the sensitive information it processes.
The system also incorporates **remote attestation**, which allows external verifiers to establish trust in the integrity and security of the container group. This is achieved by cryptographically measuring the utility VM (UVM) that hosts the container group and its components, including the execution policy, and generating a hardware-signed attestation report. This report serves as a digital fingerprint: a verifier that checks it learns both which UVM image is running and which policy governs it, and can refuse to release secrets to a container group whose measurements do not match.
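To make the policy enforcement and attestation binding described above concrete, here is an added illustrative example (not Parma's own code; Parma expresses its policies differently). It assumes a constructed tenant policy with placeholder layer digests, a guest-agent-style check that an untrusted host's "create container" request must match the policy exactly, and a verifier-side check that the report's `host_data` field (named after the SEV-SNP HOST_DATA field) carries the expected policy digest.

```python
import hashlib
import json

# Constructed tenant policy (illustrative). Each entry pins an image by its
# layer digests and fixes the command, environment and mounts the host may
# request for that container. The digests are placeholders, not real layers.
POLICY = {
    "containers": [
        {
            "layers": ["sha256:1111", "sha256:2222"],
            "command": ["/bin/server", "--port", "8080"],
            "env": {"MODE": "prod"},
            "mounts": ["/data"],
        }
    ]
}


def policy_digest(policy: dict) -> str:
    """Canonical SHA-256 of the policy. This is the value that gets bound into
    the attestation report so a verifier can tie the report to one policy."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_create_container(policy: dict, request: dict) -> tuple[bool, str]:
    """Guest-agent-style check: the untrusted host asks to start a container;
    allow it only if every attribute matches a policy entry for that image."""
    for entry in policy["containers"]:
        if request.get("layers") != entry["layers"]:
            continue  # not this entry; keep looking for a matching image
        if request.get("command") != entry["command"]:
            return False, "command differs from policy"
        if request.get("env", {}) != entry["env"]:
            return False, "environment differs from policy"
        if set(request.get("mounts", [])) - set(entry["mounts"]):
            return False, "mount not permitted by policy"
        return True, "allowed"
    return False, "image layers not in policy"


def verify_report(report: dict, expected_policy_digest: str) -> bool:
    """Verifier-side check. The report is assumed to have already passed
    signature verification against the AMD certificate chain; here we only
    confirm it was produced under the policy the tenant expects."""
    return report.get("host_data") == expected_policy_digest
```

A real deployment would also check the UVM measurement and the reported firmware/TCB versions before trusting the policy digest, since the digest only means something if the guest agent enforcing it is itself known-good.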
**Benchmarking results** demonstrate that Parma incurs minimal performance overhead, adding less than one percent additional cost compared to a standard TEE. This means that users can leverage confidential computing capabilities for sensitive workloads without sacrificing performance.
**The implications of Parma are significant:**
* **Companies can confidently run their most sensitive workflows in the cloud**, without compromising on security.
* **Tenants gain increased flexibility, efficiency, and reliability.**
* **Cloud Service Providers (CSPs) can attract more business.**
* **Users gain trust and confidence in the privacy and security of their data.**
Parma represents a significant advancement in confidential computing, providing a secure and efficient framework for running containers in the cloud. It opens up new possibilities for sensitive workloads in industries such as finance, healthcare, and government, where data protection is paramount.