
Commit f761587

Merge pull request #298989 from paulth1/confidential-computing-articles
[AQ] edit pass: Confidential computing articles
2 parents 44b8cbb + 2d0ff8d commit f761587

8 files changed

+304
-280
lines changed

articles/confidential-computing/attestation-solutions.md

Lines changed: 143 additions & 109 deletions
Large diffs are not rendered by default.

articles/confidential-computing/overview-azure-products.md

Lines changed: 28 additions & 43 deletions
Large diffs are not rendered by default.
Lines changed: 16 additions & 15 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Azure confidential computing Overview
3-
description: Overview of Azure Confidential (ACC) Computing
2+
title: Azure Confidential Computing Overview
3+
description: This article presents an overview of Azure confidential computing.
44
services: virtual-machines
55
author: ju-shim
66
ms.service: azure-virtual-machines
@@ -13,29 +13,30 @@ ms.custom: inspire-july-2022
1313

1414
# What is confidential computing?
1515

16-
Confidential computing is an industry term established by the [Confidential Computing Consortium (CCC)](https://confidentialcomputing.io/wp-content/uploads/sites/10/2023/03/CCC_outreach_whitepaper_updated_November_2022.pdf), part of the Linux Foundation. It defines it as:
16+
Confidential computing is an industry term established by the [Confidential Computing Consortium (CCC)](https://confidentialcomputing.io/wp-content/uploads/sites/10/2023/03/CCC_outreach_whitepaper_updated_November_2022.pdf), which is part of the Linux Foundation. The CCC defines confidential computing in this way:
1717

18-
> Confidential Computing protects data in use by performing computation in a hardware-based, attested Trusted Execution Environment.
19-
>
20-
> These secure and isolated environments prevent unauthorized access or modification of applications and data while they are in use, thereby increasing the security level of organizations that manage sensitive and regulated data.
18+
"Confidential Computing protects data in use by performing computation in a hardware-based, attested Trusted Execution Environment.
19+
20+
"These secure and isolated environments prevent unauthorized access or modification of applications and data while they are in use, thereby increasing the security level of organizations that manage sensitive and regulated data."
2121

2222
Microsoft is one of the founding members of the CCC and provides Trusted Execution Environments (TEEs) in Azure based on this CCC definition.
2323

2424
## Reducing the attack surface
2525

26-
:::image type="content" source="media/overview/three-states-and-confidential-computing-consortium-definition.png" alt-text="Diagram of three states of data protection, with confidential computing's data in use highlighted.":::
26+
:::image type="content" source="media/overview/three-states-and-confidential-computing-consortium-definition.png" alt-text="Diagram that shows three states of data protection, with confidential computing's data in use highlighted.":::
2727

28-
Azure already encrypts data at rest and in transit. Confidential computing helps protect data in use, including cryptographic keys. Azure confidential computing helps customers prevent unauthorized access to data in use, including from the cloud operator, by processing data in a hardware-based and attested Trusted Execution Environment (TEE). When Azure confidential computing is enabled and properly configured, Microsoft isn't able to access unencrypted customer data.
28+
Azure already encrypts data at rest and in transit. Confidential computing helps to protect data in use, including protection for cryptographic keys. Azure confidential computing helps customers prevent unauthorized access to data in use, including from the cloud operator, by processing data in a hardware-based and attested TEE. When Azure confidential computing is enabled and properly configured, Microsoft can't access unencrypted customer data.
2929

30-
The threat model aims to reduce trust or remove the ability for a cloud provider operator or other actors in the tenant's domain accessing code and data while it's being executed. This is achieved in Azure using a hardware root of trust not controlled by the cloud provider, which is designed to ensure unauthorized access or modification of the environment.
30+
The threat model aims to reduce trust or remove the ability for a cloud provider operator or other actors in the tenant's domain from accessing code and data while it's being executed. Azure uses a hardware root of trust that isn't controlled by the cloud provider, which is designed to prevent unauthorized access or modification of the environment.
3131

32-
When used with data encryption at rest and in transit, confidential computing extends data protections further to protect data whilst it's in use. This is beneficial for organizations seeking further protections for sensitive data and applications hosted in cloud environments.
32+
When confidential computing is used with data encryption at rest and in transit, it extends data protections further to protect data while confidential computing is in use. This capability is beneficial for organizations that seek further protection for sensitive data and applications hosted in cloud environments.
3333

3434
## Industry partnership
35-
The [Confidential Computing Consortium (CCC)](https://confidentialcomputing.io/) brings together hardware vendors, cloud providers, and software developers to accelerate the adoption of Trusted Execution Environment (TEE) technologies and standards. Microsoft helped to co-found it in 2019, and has chaired both the governing body and the Technical Advisory Council.
3635

37-
### Next steps
38-
Explore [offerings](https://aka.ms/azurecc) spanning Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and developer tools to support your journey to confidentiality.
36+
The [CCC](https://confidentialcomputing.io/) brings together hardware vendors, cloud providers, and software developers to accelerate the adoption of TEE technologies and standards. Microsoft helped to cofound the CCC in 2019 and has chaired both the governing body and the Technical Advisory Council.
37+
38+
## Related content
39+
40+
- To support your journey to confidentiality, explore [offerings](https://aka.ms/azurecc) that span infrastructure as a service (IaaS), platform as a service (PaaS), and developer tools.
3941

40-
> [!div class="nextstepaction"]
41-
> [Overview of Azure Confidential Computing](overview-azure-products.md)
42+
- To learn more about confidential computing, see [Overview of Azure confidential computing](overview-azure-products.md).
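Review bot: In the last paragraph of "Reducing the attack surface" (new line 32), the sentence now ends "to protect data while confidential computing is in use", which changes the meaning. The removed line said the data is what is in use ("whilst it's in use"), matching the CCC definition quoted above. Suggest "to protect data while it's in use". On new line 30, "remove the ability for a cloud provider operator or other actors ... from accessing" mixes two constructions; "remove the ability of ... to access" reads cleanly.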
Lines changed: 9 additions & 9 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Secret and key management in Azure confidential computing
3-
description: Understanding how confidential computing handles secrets and keys
2+
title: Secret and Key Management in Azure Confidential Computing
3+
description: This article helps you to understand how confidential computing handles secrets and keys.
44
author: vinfnet
55
ms.author: sgallagher
66
ms.service: azure
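Review bot: The title on line 2 keeps the singular "Secret and Key Management", while the H1 changed in the next hunk is the plural "Secrets and key management". Both lines are touched in this pass, so make them agree on one form.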
@@ -9,16 +9,16 @@ ms.date: 06/09/2023
99
ms.custom: template-concept
1010
ms.subservice: confidential-computing
1111
---
12-
# Secrets and Key Management
12+
# Secrets and key management
1313

14-
Confidential computing provides advanced capabilities for protecting secrets and keys whilst they are in-use to enhance the security posture of an application.
14+
Confidential computing provides advanced capabilities for protecting secrets and keys while they're in use to enhance the security posture of an application.
1515

16-
Confidential computing enabled services use keys managed by the [hardware root of trust](trusted-compute-base.md#hardware-root-of-trust) to inform [Attestation](attestation.md) services and encrypt and decrypt data inside the Trusted Execution Environment ([TEE](trusted-execution-environment.md)).
16+
Confidential computing-enabled services use keys managed by the [hardware root of trust](trusted-compute-base.md#hardware-root-of-trust) to inform [attestation](attestation.md) services and encrypt and decrypt data inside the Trusted Execution Environment ([TEE](trusted-execution-environment.md)).
1717

18-
This is a key part of protection for Confidential virtual machines (CVM) and many other services built upon CVMs like [confidential node pools on AKS](confidential-node-pool-aks.md) or data services that support confidential SKUs like Azure Data Explorer.
18+
Keys are an important part of protection for confidential virtual machines (CVMs) and many other services built on CVMs like [confidential node pools on Azure Kubernetes Service](confidential-node-pool-aks.md) or data services that support confidential products like Azure Data Explorer.
1919

20-
For example, systems can be configured so that keys are only released once code has proven (via Attestation) that it is executing inside a TEE - this is known as [Secure Key Release (SKR)](concept-skr-attestation.md) - this powerful feature is useful for applications that need to read encrypted data from Azure blob storage into a TEE where it can be securely decrypted and processed in the clear.
20+
For example, you can configure systems so that keys are released only after the code proves (via attestation) that it's executing inside a TEE. This behavior is known as [secure key release](concept-skr-attestation.md). This powerful feature is useful for applications that need to read encrypted data from Azure Blob Storage into a TEE where it can be securely decrypted and processed in the clear.
2121

22-
CVMs rely on virtual Trusted Platform Modules (vTPM) you can read more about this in [Virtual TPMs in Azure](virtual-tpms-in-azure-confidential-vm.md)
22+
CVMs rely on virtual Trusted Platform Modules (vTPMs). You can read more about this technology in [Virtual TPMs in Azure](virtual-tpms-in-azure-confidential-vm.md).
2323

24-
The [Azure Managed HSM](/azure/key-vault/managed-hsm/overview) offering is [built on Confidential Computing technologies](/azure/key-vault/managed-hsm/managed-hsm-technical-details) and can be used to enhance access control of secrets & keys for an application.
24+
The [Azure Key Vault Managed HSM](/azure/key-vault/managed-hsm/overview) offering is [built on confidential computing technologies](/azure/key-vault/managed-hsm/managed-hsm-technical-details). You can use it to enhance access control of the secrets and keys for an application.
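Review bot: On new line 18, replacing "This is a key part of protection" with "Keys are an important part of protection" changes the subject of the sentence. The removed wording appears to point back at the preceding paragraph (keys managed by the hardware root of trust, used for attestation and for encryption inside the TEE), not at keys in general. The same line replaces "confidential SKUs" with "confidential products", which is a broader term. Confirm that both changes are intended. The hunk header also shows ms.date: 06/09/2023 untouched, so consider updating it as part of this edit pass.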
Lines changed: 18 additions & 23 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Trusted compute base (TCB) in Azure confidential computing
3-
description: Understanding what the TCB is and what it includes
2+
title: Trusted Computing Base (TCB) in Azure Confidential Computing
3+
description: This article helps you to understand what the TCB is and what it includes.
44
author: vinfnet
55
ms.author: sgallagher
66
ms.service: azure
@@ -9,39 +9,34 @@ ms.date: 06/09/2023
99
ms.custom: template-concept
1010
ms.subservice: confidential-computing
1111
---
12-
# Trusted Compute Base
12+
# Trusted computing base
1313

14-
The Trusted Computing Base (TCB) refers to all of a system's hardware, firmware, and software components that provide a secure environment. The components inside the TCB are considered "critical." If one component inside the TCB is compromised, the entire system's security may be jeopardized. A lower TCB means higher security. There's less risk of exposure to various vulnerabilities, malware, attacks, and malicious people.
14+
*Trusted computing base* (TCB) refers to all of a system's hardware, firmware, and software components that provide a secure environment. The components inside the TCB are considered critical. If one component inside the TCB is compromised, the entire system's security might be jeopardized. A lower TCB means higher security. There's less risk of exposure to various vulnerabilities, malware, attacks, and malicious people.
1515

16+
The following diagram shows what's inside and outside the TCB. The workload and data that the customer operator manages is inside the TCB. The elements managed by the cloud provider (Azure) are outside the TCB.
1617

17-
The following diagram shows what is "in" and what is "outside' of the trusted compute base. The workload and data that the customer operator manages is inside the TCB, and the elements managed by the cloud provider (Microsoft Azure) are outside.
18+
:::image type="content" source="./media/trusted-compute-base/azure-confidential-computing-zero-trust-architecture.jpg" alt-text="Diagram that shows the trusted computing base concept.":::
1819

20+
## Hardware root of trust
1921

20-
:::image type="content" source="./media/trusted-compute-base/azure-confidential-computing-zero-trust-architecture.jpg" alt-text="Diagram showing the Trusted Compute Base (TCB) concept.":::
22+
The root of trust is the hardware that's trusted to attest (validate) that the customer workload is using confidential computing. Hardware vendors generate and validate the cryptographic proofs.
2123

24+
## Confidential computing workload
2225

23-
## Hardware Root of Trust
26+
The customer workload, encapsulated inside a Trusted Execution Environment (TEE), includes the parts of the solution that are fully under control and trusted by the customer. The confidential computing workload is opaque to everything outside the TCB by using encryption.
2427

25-
The root of trust is the hardware that is trusted to attest (validate) that the customer workload is using confidential computing through the generation and validation of cryptographic proofs provided by hardware vendors.
28+
## Host OS, hypervisor, BIOS, and device drivers
2629

27-
## Confidential Computing Workload (TCB)
30+
These elements have no visibility of the workload inside the TCB because it's encrypted. The host OS, BIOS, hypervisor, and device drivers are under the control of the cloud provider and inaccessible by the customer. Conversely, they can see the customer workload only in encrypted form.
2831

29-
The customer workload, encapsulated inside a Trusted Execution Environment (TEE) includes the parts of the solution that are fully under control and trusted by the customer. The confidential computing workload is opaque to everything outside of the TCB using encryption.
32+
## Mapping TCB to different TEEs
3033

31-
## Host OS, Hypervisor, BIOS, Device drivers
34+
Depending on the confidential computing technology in use, the TCB can vary to meet different customer demands for confidentiality and ease of adoption.
3235

33-
These elements have no visibility of the workload inside the TCB because it encrypted. Host OS, BIOS etc. are under the control of the cloud provider and inaccessible by the customer and conversely they can only see the customer workload in encrypted form.
36+
Confidential virtual machines (CVMs) that use the AMD SEV-SNP (and, in future, Intel Trust Domain Extensions) technologies can run an entire VM inside the TEE to support rehosting scenarios of existing workloads. In this case, the guest OS is also inside the TCB.
3437

35-
## Mapping TCB to different Trusted Execution Environments (TEE)
36-
37-
Depending on the Confidential Computing technology in-use, the TCB can vary to cater to different customer demands for confidentiality and ease of adoption.
38-
39-
Confidential Virtual Machines (CVM) using the AMD SEV-SNP (and, in future Intel TDX) technologies can run an entire virtual machine inside the TEE to support lift & shift scenarios of existing workloads, in this case, the guest OS is also inside the TCB.
40-
41-
Container compute offerings are built upon Confidential Virtual Machines and offer a variety of TCB scenarios from whole AKS nodes to individual containers when using Azure Container Instances (ACI).
42-
43-
Intel SGX can offer the most granular TCB definition down to individual code functions but requires applications to be developed using specific SDKs to use confidential capabilities.
44-
45-
:::image type="content" source="./media/trusted-compute-base/app-enclave-vs-virtual-machine.jpg " alt-text="Diagram showing the Trusted Compute Base (TCB) concept mapped to Intel SGX and AMD SEV-SNP Trusted Execution Environments":::
38+
Container compute offerings are built on CVMs. They offer various TCB scenarios from whole Azure Kubernetes Service nodes to individual containers when Azure Container Instances is used.
4639

40+
Intel Software Guard Extensions (SGX) can offer the most granular TCB definition down to individual code functions, but it requires applications to be developed by using specific SDKs to use confidential capabilities.
4741

42+
:::image type="content" source="./media/trusted-compute-base/app-enclave-vs-virtual-machine.jpg " alt-text="Diagram that shows the TCB concept mapped to Intel SGX and AMD SEV-SNP Trusted Execution Environments.":::
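Review bot: Three H2 headings are reworded in this hunk ("Confidential Computing Workload (TCB)", "Host OS, Hypervisor, BIOS, Device drivers", "Mapping TCB to different Trusted Execution Environments (TEE)"), so any heading-derived anchors for those sections change. Check for inbound links before merging. "Hardware root of trust" changes only in case, which matters because the secrets and key management article in this commit links to trusted-compute-base.md#hardware-root-of-trust. On new line 42 the image source still has a trailing space before the closing quote ("app-enclave-vs-virtual-machine.jpg "), carried over from the removed line; trim it. On new line 16, "The workload and data that the customer operator manages is inside the TCB" should use "are".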
