Azure Confidential Computing protects data in use—the critical third stage of the data lifecycle—by encrypting it within a secure enclave in the CPU. This Trusted Execution Environment (TEE) isolates sensitive workloads, such as those processing Protected Health Information (PHI), from the host operating system, hypervisor, and even Microsoft administrators, ensuring data is never exposed in clear text during processing.
Glossary
Azure Confidential Computing

What is Azure Confidential Computing?
Azure Confidential Computing is a set of hardware and software capabilities that protect data in use by performing computation within a hardware-based Trusted Execution Environment (TEE).
The integrity of the TEE is verified through a process called attestation, which cryptographically proves the enclave is running the correct, unmodified code on genuine hardware. This architecture enables healthcare organizations to run HIPAA-regulated AI models on shared cloud infrastructure while maintaining a strict Zero Trust Architecture posture, satisfying both security and compliance mandates.
Key Features of Azure Confidential Computing
Azure Confidential Computing protects healthcare data during active processing through hardware-based Trusted Execution Environments, ensuring that even the cloud operator cannot access sensitive workloads.
Trusted Execution Environment (TEE)
A hardware-enforced enclave within the CPU that isolates data and code during processing. Unlike encryption at rest or in transit, a TEE protects data in use by creating a secure boundary that even the hypervisor, host OS, and cloud administrators cannot breach.
- Intel SGX: Creates isolated memory regions called enclaves with hardware-level encryption
- AMD SEV-SNP: Encrypts entire virtual machine memory with secure nested paging
- Attestation: Cryptographic proof that the TEE is genuine and running untampered code
Application Enclave Attestation
A cryptographic verification process that proves to a remote relying party that a specific workload is running inside a genuine TEE on trusted hardware. This is critical for healthcare where a data provider must verify the environment before releasing PHI.
- Microsoft Azure Attestation: A unified service for verifying TEE evidence remotely
- Evidence payload: Includes measurements of firmware, OS, and application code
- Attestation token: A signed JSON Web Token asserting the enclave's identity and integrity
Confidential Virtual Machines
Full AMD SEV-SNP encrypted VMs that protect entire Linux or Windows workloads without requiring application code changes. The entire OS and application memory space is encrypted, providing a lift-and-shift path for legacy healthcare applications.
- Full OS encryption: Protects entire VM memory from hypervisor access
- No code refactoring: Existing clinical applications run unmodified
- Disk encryption integration: Works alongside Azure Disk Encryption for defense-in-depth
Confidential Containers on AKS
Extends TEE protection to Kubernetes pod-level isolation using Kata Confidential Containers. Each pod runs inside its own hardware-encrypted VM boundary, enabling microservice architectures for clinical NLP pipelines with strong tenant isolation.
- Pod-level isolation: Each container group gets a dedicated encrypted VM
- Kata Containers: Open-source runtime that wraps pods in lightweight VMs
- Zero-trust pod communication: Combines with mTLS for end-to-end encrypted service mesh
Confidential GPU Inference
Extends TEE protection to NVIDIA H100 GPUs for AI model inference on sensitive clinical data. The GPU memory is encrypted and isolated, allowing large language models to process PHI without exposing the raw data to the infrastructure layer.
- NVIDIA Confidential Computing: Hardware-rooted GPU attestation and memory encryption
- Protected model weights: Prevents extraction of proprietary fine-tuned clinical models
- Secure multi-party inference: Multiple organizations can contribute encrypted data to a shared model
Confidential Ledger for Audit Trails
A tamper-proof, append-only ledger built on the Confidential Consortium Framework. Every access to PHI is cryptographically recorded in an immutable log that can be verified by auditors without trusting the cloud operator.
- Cryptographic receipts: Each transaction produces a verifiable proof of inclusion
- Decentralized governance: Multiple parties can jointly manage the ledger without a central authority
- HIPAA audit compliance: Provides irrefutable evidence of data access patterns for breach investigations
Frequently Asked Questions
Clear, technically precise answers to the most common questions about protecting sensitive healthcare data in use with Azure Confidential Computing.
Azure Confidential Computing is a set of hardware and software capabilities that protect data in use by performing computation within a hardware-based, attested Trusted Execution Environment (TEE). Unlike standard encryption that protects data at rest and in transit, confidential computing creates a secure enclave within the CPU itself. This enclave isolates a portion of the processor and memory, preventing even the hypervisor, host operating system, or cloud administrators from accessing the code and data inside. The mechanism relies on hardware root of trust, where the CPU firmware measures and attests to the exact state of the enclave before releasing secrets. For healthcare workloads processing Protected Health Information (PHI), this means a model can perform inference on sensitive clinical data without the raw data ever being visible to the underlying cloud infrastructure, satisfying the strictest data privacy and compliance requirements.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core architectural components and security primitives that constitute the Azure Confidential Computing stack for protecting sensitive healthcare data in use.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us