Google Cloud Brings Confidential VMs for Data Encryption
Like every year, Google’s annual conference, “Cloud Next,” is taking place again this year. However, it is taking place virtually over nine weeks—Next ’20: OnAir virtual conference. The first week is on “Industry Insights,” and on July 14, 2020, Google Cloud announced Confidential Computing.
The newly added feature, “Confidential Computing,” is a breakthrough technology and a way to ease fears about sensitive data while keeping it private. The feature came to the forefront after observing the privacy concerns of healthcare providers, financial services, and government organizations, which while moving to the cloud will not have the same level of control as maintaining their own data centers.
“We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure,” the company notes in its announcement. “Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.”
“This technology will transform the way organizations process data in the cloud, maintain control over their data, and preserve confidentiality,” said a statement by Google.
Presently, Google encrypts data at-rest and in-transit, however, customer data needs to be decrypted for processing. With confidential computing, one can keep data in an encrypted form as it is being “used, indexed, queried, or trained on” in memory or outside the CPU. The encryption keys are generated in hardware for each virtual machine and are not exportable.
Add to it, the cloud division will bring a number of confidential computing products.
“Confidential VMs run on N2D series VMs powered by 2nd Gen AMD EPYC™ processors. Using the AMD SEV feature, Confidential VMs offer high performance for the most demanding computational tasks, while keeping VM memory encrypted with a dedicated per-VM instance key that is generated and managed by the AMD EPYC processor. These keys are generated by the AMD Secure Processor during VM creation and reside solely within it, making them unavailable to Google or any VMs running on the host.”
Google mentions that all current GCP workloads running in VMs today can be moved to confidential VM with just “one checkbox.” The feature of VM encryption does not interfere with workload performance.
“Google-offered images include Ubuntu v18.04, Ubuntu 20.04, Container Optimized OS (COS v81), and RHEL 8.2. We’re working with CentOS, Debian, and other distributors to offer additional confidential OS images.”
For the purpose of texting and modification, Google Cloud’s Confidential VMs are available in beta.