In a bid to enhance cloud security, Microsoft has been diligently working on fortifying its protection measures over the years. After facing a series of notable security lapses, the company has prioritized shoring up its defenses. This strategic focus was highlighted at the Hot Chips conference by Microsoft Security Partner Brian Kelly, who detailed the multi-tiered security architecture within Azure, ranging from secure processors to proprietary key storage crystals and an open trusted execution environment.
The security strategy revolves around isolation, where cryptographic keys have been shifted from external servers to integrated hardware security modules. Additionally, virtual machines are segregated at the hardware level within modern CPUs and GPUs. Various facets such as control planes, data, networks, and storage have been consolidated into smart NICs to reduce potential vulnerabilities. Furthermore, the foundational trust is established through the open Caliptra module, ensuring the authenticity of each component within the stack.
A key focus in the security report is on the latest hardware innovations for 2025, namely the integrated Hardware Security Module (HSM) and Caliptra 2.0, which have now become standard in all new Azure deployments. The core concept is to provide each server with its individual key storage, moving away from the previous network-dependent HSM iterations. This transition minimizes scalability issues and operational delays, as all key operations are now integrated within the server, eliminating the need for external connections.
Microsoft has introduced the Azure Integrated HSM chip to facilitate this shift towards enhanced security. This chip strengthens AES encryption and key operations, employs secure interfaces like TEE DEVICE Interface Security Protocol (TDISP) for communication with other services, and offers robust protection against physical and side-channel attacks. The tamper-proof module ensures no unauthorized access attempts, even in hypothetical scenarios where the device is removed from the data center. This component forms a crucial part of Azure’s confidential computing stack, ensuring end-to-end encryption of data at rest, in transit, and in memory, along with execution of code in secure, isolated environments.