Today, at Google’s virtual Cloud Next ’20 event, Google Cloud announced Confidential VMs, a new type of virtual machine that keeps data encrypted not only at rest but also while it is in memory, building on the company’s confidential computing work.
In today’s announcement, the company notes “We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure.” They added “Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.”
Under the hood, Confidential VMs use AMD’s Secure Encrypted Virtualization (SEV) feature to keep data encrypted even while it is in use. The encryption keys are generated automatically in hardware, which makes them hard to export; even Google will not have access to them. Developers looking to move their existing VMs to a Confidential VM will be able to do so with just a few clicks.
Raghu Nambiar, corporate vice president of Data Center Ecosystem at AMD, said “With built-in secure encrypted virtualization, 2nd Gen AMD EPYC processors provide an innovative hardware-based security feature that helps secure data in a virtualized environment.” He added, “For the new Google Compute Engine Confidential VMs in the N2D series, we worked with Google to help customers both secure their data and achieve the performance of their workloads.”
The last point matters because the extra encryption and decryption steps carry a performance penalty, which the companies describe as minor. According to Google, it worked with AMD to develop open-source drivers that keep the performance of Confidential VMs close to that of non-confidential VMs.
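A Confidential VM only protects memory if SEV is actually in effect, so a practitioner will want to confirm it from two places: the cloud control plane and the guest kernel’s own boot log. The script below is an added example, not code from the article or from Google; it assumes an authenticated gcloud CLI, placeholder instance and zone names, and a SEV-capable guest image.

```shell
#!/bin/sh
# Added example: create an N2D Confidential VM on Compute Engine and verify
# that AMD SEV memory encryption is really active. Instance name, zone and
# image are placeholders/assumptions; gcloud must already be authenticated.

# Launch the VM with Confidential Computing enabled. SEV guests cannot be
# live-migrated, so the host maintenance policy has to be TERMINATE.
create_confidential_vm() {
  gcloud compute instances create "$1" \
    --zone="$2" \
    --machine-type=n2d-standard-2 \
    --confidential-compute \
    --maintenance-policy=TERMINATE \
    --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud
}

# Control-plane check: the instance resource should carry the flag.
control_plane_says_confidential() {
  gcloud compute instances describe "$1" --zone="$2" \
    --format='value(confidentialInstanceConfig.enableConfidentialCompute)' \
    | grep -qx True
}

# Guest-side check: on boot the kernel logs which memory-encryption features
# are active. Takes the log text as an argument so it also works on a saved
# dmesg capture (run `dmesg` inside the guest to obtain the live log).
sev_active_in_log() {
  printf '%s\n' "$1" | grep -qE 'Memory Encryption Features active:.*SEV'
}

# Constructed sample boot logs (not real captures) for a local self-test.
SAMPLE_SEV_LOG='[    0.000000] Linux version 5.4.0 (buildd@host) ...
[    0.000000] AMD Memory Encryption Features active: SEV'
SAMPLE_PLAIN_LOG='[    0.000000] Linux version 5.4.0 (buildd@host) ...
[    0.000000] x86/fpu: Supporting XSAVE feature 0x001'

if sev_active_in_log "$SAMPLE_SEV_LOG"; then
  echo "sample log: SEV active"
else
  echo "sample log: SEV NOT active"
fi
```

Both checks should agree; a VM that the API reports as confidential but whose kernel never announces SEV is worth investigating before trusting it with sensitive data.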