Google Cloud Confidential VMs
Google Cloud last month unwrapped new Confidential VMs -- the first product of its confidential computing portfolio. Confidential VMs allow users to run workloads in Google Cloud while ensuring their data is encrypted while it’s in use and being processed, not just at rest and in transit.
Available in beta for Google Compute Engine, the solution helps remove cloud adoption barriers for customers in highly regulated industries, according to Google Cloud CEO Thomas Kurian.
Vint Cerf, Google’s chief internet “evangelist,” called confidential computing a “game-changer” that has the potential to transform the way organizations process data in the cloud, while significantly improving confidentiality and privacy.
Google Cloud already employed a variety of isolation and sandboxing techniques as part of its cloud infrastructure to help make its multi-tenant architecture secure, but “confidential VMs take this to the next level by offering memory encryption, so that you can further isolate your workloads in the cloud,” according to a blog post by Google Cloud senior product manager Nelly Porter, confidential computing engineering director Gilad Golan and Sam Lugani, lead security product marketing manager for G Suite and the Google Cloud Platform (GCP).
Confidential computing can unlock computing scenarios that have previously not been possible, according to the trio, and organizations now can share confidential data sets and collaborate on research in the cloud while preserving confidentiality.
The Confidential VMs are based on Google Cloud’s N2D series instances and leverage AMD’s Secure Encrypted Virtualization feature supported by its 2nd Gen AMD EPYC CPUs. Dedicated per-VM encryption keys are generated in hardware and are not exportable.
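Because the memory-encryption key lives in hardware and is never exported, the guest cannot inspect the key itself; what an operator can verify from inside the VM is that SEV is actually active. The script below is an added example, not code from the article or from Google, showing two such checks on a Linux guest: the kernel's boot-log line announcing active memory-encryption features, and bit 1 of EAX in CPUID leaf 0x8000001F (AMD's encrypted-memory capability leaf), which is set when SEV is enabled. The log excerpts and the CPUID values fed to it are constructed so it runs offline; the `cpuid` command in the comment is assumed to be the Linux `cpuid` utility with its `-r` raw output format.

```shell
#!/bin/sh
# Added example (not from the article or Google): verify, from inside a Linux
# guest, that AMD SEV memory encryption is active, using two independent signals:
#   1. the kernel boot-log line listing active memory-encryption features
#   2. CPUID leaf 0x8000001F, EAX bit 1 (SEV supported/enabled for this guest)
# The grep patterns cover the wording the Linux kernel has used across versions.

# Return 0 when the supplied kernel log text reports SEV active, 1 otherwise.
sev_active_in_log() {
    printf '%s\n' "$1" | grep -Eq \
        -e 'AMD Memory Encryption Features active:.*\bSEV\b' \
        -e 'Memory Encryption Features active: AMD SEV' \
        -e 'AMD Secure Encrypted Virtualization \(SEV\) active'
}

# Return 0 when bit 1 (SEV) is set in a CPUID 0x8000001F EAX value given in hex.
sev_bit_set() {
    [ $(( ($1 >> 1) & 1 )) -eq 1 ]
}

# Constructed sample boot logs: a confidential (SEV) guest and an ordinary VM.
CONF_LOG='[    0.000000] Linux version 5.4.0-gcp (constructed sample)
[    0.120000] AMD Memory Encryption Features active: SEV
[    0.130000] Hypervisor detected: KVM'
PLAIN_LOG='[    0.000000] Linux version 5.4.0-gcp (constructed sample)
[    0.130000] Hypervisor detected: KVM'

# Combine both signals; returns 0 only when the log and CPUID agree that SEV is
# active, so a spoofed or stale log line alone is not enough to pass.
check_guest() {
    log="$1"; eax="$2"
    if sev_active_in_log "$log" && sev_bit_set "$eax"; then
        echo "SEV active: guest memory is encrypted with a per-VM hardware key"
        return 0
    fi
    echo "SEV NOT active: treat this VM as a conventional (non-confidential) guest"
    return 1
}

# Live use on the guest itself (kept commented so the script runs offline;
# assumes the `cpuid` utility and its `-r` raw output containing eax=0x...):
#   check_guest "$(dmesg)" \
#     "0x$(cpuid -1 -l 0x8000001f -r | sed -n 's/.*eax=0x\([0-9a-f]*\).*/\1/p')"

check_guest "$CONF_LOG" 0x0000000f || true   # constructed: SME+SEV bits set
check_guest "$PLAIN_LOG" 0x00000000 || true  # constructed: no encryption features
```

Requiring both signals matters: a boot log can be edited after the fact, and a CPUID bit alone can be misreported by a hypervisor, so a mismatch between the two is worth alerting on rather than silently taking the friendlier answer. For the instance side, the beta launched with a `--confidential-compute` flag on `gcloud compute instances create` (which also requires `--maintenance-policy=TERMINATE` on an N2D machine type), so infrastructure-as-code can assert the flag at creation time and the guest check above confirms it took effect.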
“We worked closely with the AMD Cloud Solution engineering team to help ensure that the VMs’ memory encryption doesn’t interfere with workload performance,” the blog post stated. “We added support for new OSS (open-source software) drivers -- NVMe and gVNIC -- to handle storage traffic and network traffic with higher throughput than older protocols. This helps ensure that the performance metrics of Confidential VMs are close to those of non-confidential VMs.”