Athumi: data attestation

Protecting Athumi’s Data with an Attestation Service
Athumi plays a key role in the Flemish data economy, acting as a neutral partner to make more data more usable. Nearly all of their work involves sensitive information from both government and business-driven initiatives. To keep their data secure and compliant, we built an automated attestation service for them.
- Independent verification of Trusted Execution Environments.
- Automated compliance checks for highly sensitive data workloads.
- Seamless integration with AKS deployment workflows.
Privacy and security by design are their highest priority, driven by data protection regulations such as the Flemish government's information classification framework (ICR), alongside broader ISO 27001 and NIS2 compliance frameworks. That's why Athumi uses Azure confidential computing to process data in hardware-based Trusted Execution Environments (TEEs).
But how can organizations like this verify that the TEEs are correctly configured and initialized before processing critical data? In these cases, simply trusting isn't enough: you need to know. We implemented a specialized attestation service that gives Athumi the verification they need and supports a clear separation of security duties.
The challenge
Using Azure's confidential computing was a key part of Athumi's security, but they were looking for ways to protect their customers’ data even more. They wanted to be absolutely certain that every application handling sensitive data was launching in a genuinely secure and untampered environment. Not just once, but every single time.
In concrete terms, Athumi needed a way to automatically and independently verify the integrity of each Trusted Execution Environment (TEE) as it spun up. This automated solution also needed to check if the environments met both Azure's default standards and their own security policies, which are based on the requirements of the Flemish government's ICR.
"Our main objective was to ensure a crucial separation of duties. We needed a third party to independently attest that the setup has been correctly configured by our team and properly integrated with Azure."
David Van den Brande - CTO at Athumi
The solution
To give Athumi the independent verification they needed, we implemented our specialized attestation service. This is a reliable, production-ready solution that we designed to integrate directly into Azure Kubernetes Service (AKS) deployment processes.
Our attestation service works by running as an init container within Athumi's Kubernetes pods. This means our client completes its crucial checks before Athumi's main application container even starts. The process involves eight steps:

1. Deploying the attestation client
We set up a new Kubernetes Deployment where our attestation client runs as an init container. Athumi's main application service is also defined here, but it will only start if our client successfully validates the environment first.
2. Validating the TPM hardware signature
Our attestation client starts by checking the signature from the node’s Trusted Platform Module (TPM), a hardware chip that confirms the system's state.
3. Fetching TPM logs
Next, our client requests and retrieves logs from the TPM. These logs contain cryptographic measurements of the platform’s state, like firmware and kernel configurations, proving the environment's integrity.
4. Sending data to the attestation provider
Using the collected TPM logs and hardware signature, our client generates a REST request and sends this data to Azure Attestation. This links the on-node hardware checks to the external verification service.
5. Validation by the attestation provider
The attestation provider receives the data and checks it against its attestation policy. This includes rules for things like specific firmware versions or certain security baselines. If the data meets these requirements, the provider considers the environment secure.
6. Response from the attestation provider
Once validation is complete, the provider returns a JSON Web Token (JWT) to our attestation client. This token serves as cryptographic proof that the environment meets the provider’s security standards.
7. Validating the attestation response
Our attestation client processes the JWT, checking its authenticity and making sure that it matches Athumi's specific, preconfigured validation rules.
8. Starting or blocking the service
If the JWT is valid and all checks confirm the workload is on confidential hardware according to both the provider and Athumi's policy, our client allows Athumi's main service to start. If any validation fails, the client stops the process, preventing the service from running in an untrusted environment.
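The gate logic of steps 7 and 8 in working form, as an added example that is not Lume's or Athumi's code. It assumes a provider URL, an HMAC-SHA256 signer standing in for Azure Attestation's RSA signature (a real client verifies against the provider's published signing keys), and policy claim names that are assumptions modelled on Azure Attestation VM claims.

```python
import base64, hashlib, hmac, json, time
ISSUER = "https://example.eu.attest.azure.net"  # assumed: your provider instance URL
CLOCK_SKEW = 60  # seconds of tolerated clock drift between node and provider
# Athumi-style rules, claim path -> required value; names are assumed Azure Attestation VM claims
POLICY = {"x-ms-isolation-tee.x-ms-compliance-status": "azure-compliant-cvm",
          "x-ms-azurevm-bootdebug-enabled": False,
          "x-ms-azurevm-kerneldebug-enabled": False}
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the provider: HMAC-SHA256 replaces its RSA signature."""
    head, body = b64url(b'{"alg":"HS256"}'), b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_token(token: str, key: bytes, now=None) -> dict:
    """Step 7a, authenticity: pinned alg, signature, issuer and validity window."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")  # ValueError if the token is malformed
    if json.loads(unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never chooses the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not (claims.get("nbf", 0) - CLOCK_SKEW <= now < claims["exp"] + CLOCK_SKEW):
        raise ValueError("token outside its validity window")
    return claims

def policy_violations(claims: dict, policy: dict = POLICY) -> list:
    """Step 7b: every preconfigured rule must match the provider's claims exactly."""
    def lookup(path):
        node = claims
        for part in path.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        return node
    return [f"{p}: expected {w!r}, got {lookup(p)!r}" for p, w in policy.items() if lookup(p) != w]

def gate(token: str, key: bytes, now=None) -> bool:
    """Step 8: True lets the main container start; any failure blocks the pod."""
    try:
        return not policy_violations(verify_token(token, key, now))
    except (ValueError, KeyError):
        return False
```

In the init container, exit with a non-zero status whenever gate() returns False; Kubernetes then never starts the application container.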
We can typically set up this service, not including the integration of custom policies, within a day. In Athumi's case, they asked us to add detailed audit logging as well, a feature that took us some extra time but really helped them out in the long run.
"The dedicated, single-point-of-contact support provided by Lume greatly simplified the integration, resulting in an efficient and 'first-time-right' setup."
David Van den Brande - CTO at Athumi
The results
So, what does Athumi get with our custom attestation solution? Put simply: certainty.
Every time they deploy a sensitive application, they now have automated, cryptographic proof that its Trusted Execution Environment (TEE) is secure and untampered. This happens right before the application starts, every single time.
This level of independent verification is key for Athumi. It directly helps them meet tough compliance rules for handling confidential and personal data, because they can now provide clear, auditable evidence.
From an operational standpoint, the service fits straight into their Kubernetes workflows using the init container. It adds a vital security step without complicating their deployment process.
The custom audit logging feature we built for them also means Athumi has a detailed record of all attestation events, giving them better control and insight. This all means they can use Azure confidential computing with much more confidence, backing up their commitment to data privacy and strengthening their role in the Flemish data economy. After all, as David Van den Brande likes to say, security is a never-ending story.
Want to boost the integrity of your environments?
Our attestation service gives you the cryptographic proof of security you need. Contact us to discuss your security journey.