Microsoft Codename "Trust Services" Lab

  • Article

I did not post for a long time, was mostly working on internal and not-yet-released projects.

But today the project I've been working recently has shipped our first Lab:

Microsoft Codename "Trust Services"

Trust and Security have been hot topics for the public cloud since its inception.  Corporate IT departments and CIOs have repeatedly expressed concerns over the loss of control associated with moving various levels of sensitive data to a public cloud.  At the same time, the overall benefits of a public cloud are tremendous and continue to gain momentum.  This means that many organizations have a pressing need to migrate to public cloud infrastructure in spite of ongoing concerns about security.

Encryption is one of the fundamental required tools for protecting data in the cloud. However, when you start encrypting data, you are facing with question how do you manage encryption keys and encryption policies? There are several options (you will probably recognize the products using them):

  • Have keys owned by the cloud as well, but stored separately from data (Server Side Encryption) - this provides a bit of improvement, but not much of a real security
  • Use a single key that unlocks the data (Simple Encrypting Client) - secure, but not manageable, you have to give the same key to all the parties, have no way to revoke keys when one of the parties leaves, etc
  • Have an on-premise security middleware - secure, but not very useful, since now all the users (even mobile users) have to go through this middleware - you lose most of the benefits of the cloud, plus have to purchase and maintain on-premises hardware and software
  • Store keys, authorizations and encryption policies in the cloud, but signed and encrypted with individual keys given to each party - so that each party can locally verify authenticity of the policies and only authorized parties have access to and are able to decrypt the sensitive data

You can guess the Trust Services follows the latest approach, and provides a unique combination of end-to-end application level encryption and power of the cloud to roam encryption keys, while leaving the owner in full control of his data. It enables data driven applications to work with sensitive data, securely stored in different cloud-based storages while continuing to maintain control over access to this data.

Today we shipped the service (sign up link), the client SDK and four samples of client applications utilizing the service+SDK.

Check out the video at the Trust Services Lab Link, then read more at the Trust Services TechNet article.