Persistent threats like bootkits and rootkits are sophisticated malware types that run with the same kernel-mode privileges as the operating system they infect. Using those privileges, they can hide themselves from diagnostic tools and antimalware, making them extremely difficult to detect and almost impossible to remove. That foothold is typically leveraged by malware to bypass local logins, record passwords and keystrokes, exfiltrate private files, and steal security keys and credentials.

Today, I’m announcing that Azure customers can prevent bootkit and rootkit infections by enabling Azure Trusted Launch for their virtual machines. Trusted Launch allows administrators to deploy virtual machines with verified and signed bootloaders, OS kernels, and a boot policy that leverages the Trusted Launch Virtual Trusted Platform Module (vTPM) to measure and attest to whether the boot was compromised. The vTPM measurements give administrators visibility into the integrity of the entire boot process, and vTPM release policies ensure that keys, certificates, and secrets aren’t accessible to compromised virtual machines.

Azure Trusted Launch configuration screenshot

Azure Security Center serves as a single pane of glass for integrity alerts, recommendations, and remediations generated by Trusted Launch. These new features are easily enabled: Trusted Launch is switched on with a simple change in deployment code or a checkbox within the Azure portal for all virtual machines.

 

Mediterranean Shipping Company (MSC), one of the largest shipping companies in the world, is in the process of moving its global compute infrastructure to Azure.

“As part of migrating to Azure, we need security and compliance across all layers of the stack, especially at the bootloader and OS kernel level. Azure Trusted Launch provides us just that and makes our administrator’s lives easy.”—Aaron Shvarts, CISO, MSC Technology (NA).

SharePoint Online is a collaborative platform that integrates with Microsoft Office and allows an enterprise to store, retrieve, search, archive, track, manage, and report on digitized documents.

“Every element of SharePoint Online needs to meet strict requirements for security and compliance. Azure Trusted Launch allows us to migrate to Virtual Machine Scale Sets while ensuring the integrity of our boot sequence and OS kernel. This partnership with the Azure Security team helps us further our mission of being the safest cloud for the world’s most valuable data,” — Matt Swann, Chief Security Architect for SharePoint Online.

Trusted Launch is in preview within selected Azure regions with no additional cost, and it supports the most commonly used operating systems images, with more coming soon.

To learn more and get started with Trusted Launch, visit the documentation page.