Apr 08 2022

What Is Azure Attestation, and How Can It Improve Government Security?

Microsoft’s Windows 11 enhancements can improve endpoint security.

It has been more than two years since Microsoft ended support for Windows 7, and most state and local government agencies have transitioned to Windows 10.

While Windows 10 offered agencies several cybersecurity enhancements over Windows 7, Microsoft has now released Windows 11, which offers even more robust security features.

In addition to a chip-to-cloud security philosophy, Windows 11 uses a Trusted Platform Module (TPM) chip designed to protect encryption keys. Another important element of Windows 11’s security is Microsoft Azure Attestation, which is a free service that enables the remote verification of the integrity of a system’s hardware and software. It also brings “hardware-based zero trust to the forefront of security, allowing customers to enforce zero trust policies when accessing sensitive resources in the cloud with supported mobile device managements (MDMs) like Intune or on-premises,” according to a blog post written by David Weston, Microsoft’s vice president of enterprise and OS security.

As state and local agencies continue to push adoption of zero-trust architecture for cybersecurity, Microsoft Azure Attestation may prove to be a valuable tool, especially as governments refresh their hardware portfolios.


What Is Microsoft Azure Attestation?

According to Microsoft, Azure Attestation allows organizations to “verify the identity and security posture of a platform before” it accesses cloud resources.

“Azure Attestation receives evidence from the platform, validates it with security standards, evaluates it against configurable policies and produces an attestation token for claims-based applications,” the company says.

The service supports attestation of TPMs and trusted execution environments, such as Intel Software Guard Extensions and virtualization-based security enclaves.

“MAA is used to evaluate a hardware platform against agency policies to ensure that the binaries running there haven’t been tampered with or changed by malware or malicious users,” Nextgov reports. “Devices also have to prove that they have all the appropriate security protocols and requirements enabled.”

Further, Acronis adds in a blog post, “Attestation establishes trust by validating the identity and integrity of essential hardware and software components. The remote attestation method provides relying parties with a verifiable, unbiased and tamper-resilient device report about a remote peer.”


What Are the Benefits of Azure Attestation for Agencies?

There are three core benefits of Microsoft Azure Attestation for government agencies.

The first is a unified platform that can verify the trustworthiness of multiple environments and ensure that agencies can securely trust and use cloud computing tools like Azure. “Azure Attestation provides comprehensive attestation services for multiple environments and distinctive use cases such as enclave validation, secure key sharing and confidential multiparty computation,” the company says.

The second is that organizations can use a default provider in their Azure region for attestation services without going through a configuration process. Microsoft says default providers are available to all Azure Active Directory users.

Finally, Azure Attestation enables agencies to enforce customized attestation policies. “Azure Attestation evaluates the platform evidence against your policies to ensure that the binaries running inside the platform haven’t been tampered with by external entities,” Microsoft says. “If your attestation provider allows signed policies, Azure Attestation will use your signer certificates to validate the signed policies and authenticate the users.”
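As an added illustration (not Microsoft's code) of the evidence-to-token flow quoted earlier and the policy enforcement described here: a relying party verifies a provider-issued attestation token and then checks its claims against a local policy before admitting the device. The claim names, policy contents, issuer URL and key are constructed, and an HMAC signature stands in for the provider's RS256 signature so the example runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed claim names for illustration; real Azure Attestation tokens use
# different, provider-defined claim names.
ISSUER = "https://example-provider.attest.example"   # hypothetical provider URL
KEY = b"constructed-demo-key"                        # stands in for the provider's signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes = KEY) -> str:
    """Build a compact JWS (header.payload.signature) over the claim set."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key: bytes = KEY, issuer: str = ISSUER, now: float = None) -> dict:
    """Return the claims only if signature, issuer and expiry are all valid."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature mismatch: token not from the attestation provider")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed policy: the claims the relying party requires before granting access.
POLICY = {"attestation_type": "TPM", "secure_boot": True, "vbs_enabled": True}

def failed_requirements(claims: dict, policy: dict = POLICY) -> list:
    """List the policy entries the device does not satisfy (empty list = compliant)."""
    return [name for name, required in policy.items() if claims.get(name) != required]

def admit_device(token: str, now: float = None) -> bool:
    """Zero-trust gate: a verified token AND every policy requirement met."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return not failed_requirements(claims)
```

A device whose evidence yields a valid token but fails one requirement (for example, VBS disabled) is reported by name, so the gate can log why access was refused.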


How Does Azure Attestation Help with Cybersecurity?

Beyond the direct benefits of implementing MAA, the main cybersecurity advantage of Azure Attestation is that it lays the groundwork for adopting zero trust.

Zero trust can involve using strict access controls, multiple authentication checkpoints and increased monitoring resources to repeatedly verify users and devices before allowing them to access a network or asset.

“MAA validates both the identity and the platform, providing for condition-based access with a zero-trust environment to protect organizational resources,” Forbes reports.

Indeed, Nextgov reports that Microsoft Azure Attestation “should allow Windows 11 devices to easily integrate into zero-trust networking environments as agencies bring them online. Windows 11 won’t enable zero trust by itself but can act as a critical component of any highly secure network.”

