Google introduces Cloud Confidential Computing with VMs to encrypt data in-use
Google announced on Tuesday that it is launching two new security offerings: Confidential Computing with Confidential VMs, designed for customers with highly regulated or sensitive data that requires extra protection in the cloud. These two cloud security developments, according to Google, will give customers confidence that they are always in control of the confidentiality of their data.
While Google Cloud encrypts data at rest and in transit, data that is being processed must be decrypted. The new Confidential Computing is a breakthrough technology that encrypts data in use (while it is being processed). Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU). Google says it is a simple, easy-to-use deployment that doesn’t compromise on performance and lets customers collaborate with anyone, all while preserving the confidentiality of their data. Google Cloud’s approach allows customers to encrypt data in use without making any code changes to their applications.
Confidential VMs, which is now available in beta, is the first product in Google Cloud’s Confidential Computing portfolio. It will be particularly useful for entities that run their own data centers. Organizations that entrust their data to rented infrastructure from cloud providers like Google also want their data to be protected from these firms. Confidential computing mechanisms help to process data privately and so do not leave attackers an opening to access the information.
“We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure. Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries,” said Google in a blog post.
Google now prides itself on being the first major cloud provider to offer this level of security and isolation while giving customers a simple, easy-to-use option for newly built as well as “lift and shift” applications. Confidential VMs run on N2D series VMs powered by 2nd Gen AMD EPYC™ processors. Using the AMD SEV feature, Confidential VMs offer high performance for the most demanding computational tasks, while keeping VM memory encrypted with a dedicated per-VM instance key that is generated and managed by the AMD EPYC processor. This keeps the data encrypted; the encryption keys are generated automatically in hardware and can’t be exported, making it harder for VMs running on the host, or even Google itself, to access the data.
“With built-in secure encrypted virtualization, 2nd Gen AMD EPYC™ processors provide an innovative hardware-based security feature that helps secure data in a virtualized environment,” said Raghu Nambiar, Corporate Vice President, Data Center Ecosystem, AMD.
“For the new Google Compute Engine Confidential VMs in the N2D series, we worked with Google to help customers both secure their data and achieve the performance of their workloads. We’re thrilled to see the Confidential VMs demonstrate similar levels of high performance, for various workloads, as the standard N2D VMs,” he added.
Google and AMD aren’t the only tech giants working on confidential computing. A consortium whose members include ARM, Intel, Microsoft, Facebook, and Huawei was launched last year to define and accelerate the adoption of confidential computing.