Protecting Athumi’s Data with an Attestation Service
19.06
Athumi plays a key role in the Flemish data economy, acting as a neutral partner to make more data more usable. Nearly all of their work involves sensitive information from both government and business-driven initiatives.
Privacy and security by design are their highest priority, driven by data protection regulations such as the Flemish government’s informatieclassificatieraamwerk (ICR), alongside broader ISO 27001 and NIS2 compliance frameworks. That’s why Athumi uses Azure confidential computing to process data in hardware-based Trusted Execution Environments (TEEs).
But how can organisations like this verify that the TEEs are correctly configured and initialised before processing critical data? In these cases, simply trusting isn’t enough: you need to know. We implemented a specialised attestation service that gives Athumi the verification they need and helps to separate their security duties.
The challenge
Using Azure’s confidential computing was a key part of Athumi’s security, but they were looking for ways to protect their customers’ data even more. They wanted to be absolutely certain that every application handling sensitive data was launching in a genuinely secure and untampered environment. Not just once, but every single time.
In concrete terms, Athumi needed a way to automatically and independently verify the integrity of each Trusted Execution Environment (TEE) as it spun up. This automated solution also needed to check if the environments met both Azure’s default standards and their own security policies, which are based on the requirements of the Flemish government’s ICR.
Our main objective was to ensure a crucial separation of duties. We needed a third party to independently attest that the setup has been correctly configured by our team and properly integrated with Azure.
– David Van den Brande, CTO @ Athumi
The solution
To give Athumi the independent verification they needed, we implemented our specialised attestation service. This is a reliable, production-ready solution that we designed to integrate directly into Azure Kubernetes Service (AKS) deployment processes.
Our attestation service works by running as an init container within Athumi’s Kubernetes pods. This means our client completes its crucial checks before Athumi’s main application container even starts. The process involves eight steps:

1. Deploying the attestation client
We set up a new Kubernetes Deployment where our attestation client runs as an init container. Athumi’s main application service is also defined here, but it will only start if our client successfully validates the environment first.
2. Validating the TPM hardware signature
Our attestation client starts by checking the signature from the node’s Trusted Platform Module (TPM), a hardware chip that signs its measurements of the system’s state so they cannot be forged by software on the node.
3. Fetching TPM logs
Next, our client requests and retrieves logs from the TPM. These logs contain cryptographic measurements of the platform’s state, like firmware and kernel configurations, proving the environment’s integrity.
4. Sending data to the attestation provider
Using the collected TPM logs and hardware signature, our client generates a REST request and sends this data to Azure Attestation. This links the on-node hardware checks to the external verification service.
5. Validation by the attestation provider
The attestation provider receives the data and checks it against its attestation policy. This includes rules for things like specific firmware versions or certain security baselines. If the data meets these requirements, the provider considers the environment secure.
6. Response from the attestation provider
Once validation is complete, the provider returns a JSON Web Token (JWT) to our attestation client. This token serves as cryptographic proof that the environment meets the provider’s security standards.
7. Validating the attestation response
Our attestation client processes the JWT, checking its authenticity and making sure that it matches Athumi’s specific, preconfigured validation rules.
8. Starting or blocking the service
If the JWT is valid and all checks confirm the workload is on confidential hardware according to both the provider and Athumi’s policy, our client allows Athumi’s main service to start. If any validation fails, the client stops the process, preventing the service from running in an untrusted environment.
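As an added illustration of steps 7 and 8 (this is not CloudFuel’s or Athumi’s code), the following Python sketch shows the validate-then-gate logic an init container runs: it checks a token’s structure, algorithm, signature, issuer and validity window, compares the claims with a preconfigured policy, and exits non-zero when anything fails, which is what keeps the main container from starting. Everything in it is constructed for the example: the key, the issuer URL, the claim names and the sample tokens. HMAC-SHA256 stands in for the asymmetric signature that Azure Attestation tokens actually carry, which a real client verifies against the provider’s published signing keys.

```python
"""Gate an init container on an attestation JWT.

Added example, not CloudFuel's or Athumi's code. Stand-ins: HMAC-SHA256 replaces
the provider's asymmetric signature, and the policy claim names are constructed,
not the provider's real claim set."""
import base64
import hashlib
import hmac
import json
import sys

# Constructed policy: what preconfigured validation rules might require before
# the main container is allowed to start. Claim names are illustrative.
POLICY = {
    "expected_issuer": "https://attestation.example.invalid",  # placeholder
    "required_claims": {
        "tee-type": "cvm",        # workload must run on a confidential VM
        "secure-boot": True,
        "vtpm-enabled": True,
    },
    "min_firmware_version": 3,
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Restore the padding JWTs strip before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed token so the example runs offline (always HMAC-signed;
    the alg parameter only controls the header, to show why it must be checked)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: int) -> dict:
    """Check structure, algorithm, signature, issuer and time window.
    Raises ValueError on the first failure; returns the verified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != POLICY["expected_issuer"]:
        raise ValueError("unexpected issuer")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    return claims


def policy_failures(claims: dict, policy: dict = POLICY) -> list:
    """Return every way the verified claims fall short of the local policy."""
    failures = []
    for name, wanted in policy["required_claims"].items():
        if claims.get(name) != wanted:
            failures.append(f"{name}: expected {wanted!r}, got {claims.get(name)!r}")
    if claims.get("firmware-version", 0) < policy["min_firmware_version"]:
        failures.append("firmware-version below policy minimum")
    return failures


def attestation_gate(token: str, key: bytes, now: int) -> tuple:
    """Return (allowed, reasons); allowed=True means the main container may start."""
    try:
        claims = verify_token(token, key, now)
    except ValueError as exc:
        return False, [str(exc)]
    failures = policy_failures(claims)
    return (not failures), failures


# Constructed samples: a shared demo key, a fixed clock, one compliant token
# and one whose environment violates the policy.
SAMPLE_KEY = b"constructed-demo-key"
NOW = 1_700_000_000
GOOD_CLAIMS = {"iss": POLICY["expected_issuer"], "nbf": NOW - 60, "exp": NOW + 3600,
               "tee-type": "cvm", "secure-boot": True, "vtpm-enabled": True,
               "firmware-version": 4}
BAD_CLAIMS = dict(GOOD_CLAIMS, **{"secure-boot": False, "firmware-version": 2})
GOOD_TOKEN = make_token(GOOD_CLAIMS, SAMPLE_KEY)
BAD_TOKEN = make_token(BAD_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    # Init-container semantics: a non-zero exit keeps the main container from starting.
    for label, token in (("compliant", GOOD_TOKEN), ("non-compliant", BAD_TOKEN)):
        allowed, reasons = attestation_gate(token, SAMPLE_KEY, NOW)
        print(f"{label}: {'start' if allowed else 'block'} {reasons}")
    sys.exit(0 if attestation_gate(GOOD_TOKEN, SAMPLE_KEY, NOW)[0] else 1)
```

Two design points carry over to a real client regardless of signature scheme: the algorithm in the header is pinned rather than trusted, and policy evaluation only runs on claims whose signature, issuer and validity window have already been verified, so a token that fails verification never reaches the policy check. Returning every policy failure rather than the first one is what makes the audit log mentioned later useful.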
We can typically set up this service, not including the integration of custom policies, within a day. In Athumi’s case, they asked us to add detailed audit logging as well, a feature that took us some extra time but really helped them out in the long run.
The dedicated, single-point-of-contact support provided by CloudFuel greatly simplified the integration, resulting in an efficient and ‘first-time-right’ setup.
– David Van den Brande
The results
So, what does Athumi get with our Attestation Service? Put simply: certainty.
Every time they deploy a sensitive application, they now have automated, cryptographic proof that its Trusted Execution Environment (TEE) is secure and untampered. This happens right before the application starts, every single time.
This level of independent verification is key for Athumi. It directly helps them meet tough compliance rules for handling confidential and personal data, because they can now provide clear, auditable evidence.
From an operational standpoint, the service fits straight into their Kubernetes workflows using the init container. It adds a vital security step without complicating their deployment process.
The custom audit logging feature we built for them also means Athumi has a detailed record of all attestation events, giving them better control and insight. This all means they can use Azure confidential computing with much more confidence, backing up their commitment to data privacy and strengthening their role in the Flemish data economy. After all, as David Van den Brande likes to say, security is a never-ending story.
Need to prove the integrity of your confidential computing environments? Our attestation service gives you the cryptographic proof of security you need.