Google introduced Confidential VMs for Google Cloud Confidential Computing


At Google, we believe that cloud computing in the future will increasingly move towards private, encrypted services that give users total confidence in data privacy.

Google Cloud already encrypts customer data in transit and at rest, but it still has to be decrypted to be processed. Confidential computing is a breakthrough technology that keeps data encrypted while it is being processed: confidential computing environments keep data encrypted in RAM and in other locations outside the processor (CPU).

Confidential VMs are currently in beta and are the first product in the Google Cloud Confidential Computing line. We already apply various isolation and sandboxing techniques in our cloud infrastructure to secure the multi-tenant architecture. Confidential VMs take security to the next level by offering in-memory encryption to further isolate workloads in the cloud, helping our customers protect sensitive data. We think this will be of particular interest to those who work in regulated industries (presumably a reference to the GDPR and similar regulations; translator's note).


Opening up new possibilities

Already with Asylo, an open source platform for confidential computing, we have focused on making confidential computing environments easy to deploy and use, offering high performance and applications for any workload you choose to run in the cloud. We believe that you should not compromise on usability, flexibility, performance and security.

With Confidential VMs moving into beta, we are the first major cloud service provider to offer this level of security and isolation - and to give customers a simple, easy-to-use option, both for new applications and for "ported" ones (probably meaning applications that can be run in the cloud without significant changes; translator's note). We provide:

  • Unparalleled privacy: Customers can protect the privacy of their sensitive data in the cloud, even while it is being processed. Confidential VMs use the Secure Encrypted Virtualization (SEV) feature of the second generation of AMD EPYC processors. Your data remains encrypted during use, indexing, querying, and learning. Encryption keys are generated on the hardware for each virtual machine and never leave the hardware.

  • Improved innovation: confidential computing can open up processing scenarios that were previously impossible. Companies can now share sensitive datasets and collaborate on research in the cloud while maintaining privacy.

  • Privacy for Ported Workloads: Our goal is to simplify confidential computing. Migration to Confidential VMs is seamless - all GCP workloads running in virtual machines can migrate to Confidential VMs. It's simple: just tick one checkbox.

  • Advanced Threat Protection: confidential computing builds on protecting Shielded VMs against rootkits and bootkits, helping to ensure the integrity of the operating system chosen to run in the Confidential VM.


Basics of Confidential VMs

Confidential VMs run on N2D virtual machines, which run on second generation AMD EPYC processors. The AMD SEV feature delivers high performance for the most demanding computing tasks while keeping virtual machine RAM encrypted with a per-VM key generated and managed by the EPYC processor. The keys are generated by the AMD Secure Processor when the virtual machine is created and reside exclusively within the virtual machine, making them inaccessible to both Google and other virtual machines running on the same host.

In addition to built-in hardware-based RAM encryption, we build Confidential VMs on top of Shielded VMs to resist tampering with the operating system image and to verify the integrity of firmware, kernel binaries, and drivers. Images offered by Google include Ubuntu 18.04, Ubuntu 20.04, Container Optimized OS (COS v81), and RHEL 8.2. We are working on CentOS, Debian and other OS images.

We also work closely with the AMD Cloud Solution engineering team to ensure performance is not impacted by encrypting VM memory. We have added support for new OSS drivers (nvme and gvnic) to handle storage subsystem requests and network traffic at a higher throughput than older protocols. This allowed us to make sure that the performance indicators of Confidential VMs are close to those for ordinary virtual machines.
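The "one tick" from the migration bullet above, and the Shielded VM protections this section describes, have a command-line equivalent. The script below is an added example, not code from the original post or from Google: it creates an N2D Confidential VM with Secure Boot, vTPM and integrity monitoring turned on, prints the instance's confidential and shielded configuration back from the API, and, run inside the guest, checks the kernel boot log for the message that SEV memory encryption is active. The project id, zone and VM name are placeholders, and the dmesg lines used for the offline demo are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the original post). Project, zone and VM name are
# placeholders; override them with environment variables.
PROJECT="${PROJECT:-my-project-id}"   # placeholder: your GCP project id
ZONE="${ZONE:-us-central1-a}"         # a zone offering N2D machines with SEV
VM_NAME="${VM_NAME:-cvm-demo}"        # placeholder instance name

# The checkbox in the console corresponds to --confidential-compute on the CLI.
# Confidential VMs cannot be live-migrated, so the maintenance policy must be
# TERMINATE. The three --shielded-* flags enable the Shielded VM protections
# (Secure Boot, vTPM, integrity monitoring) the post builds on.
create_confidential_vm() {
  gcloud compute instances create "$VM_NAME" \
    --project="$PROJECT" --zone="$ZONE" \
    --machine-type=n2d-standard-2 \
    --confidential-compute \
    --maintenance-policy=TERMINATE \
    --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud \
    --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring
}

# Read back from the API what was actually enabled, so a review can confirm
# the instance was not created as an ordinary N2D VM.
describe_protections() {
  gcloud compute instances describe "$VM_NAME" \
    --project="$PROJECT" --zone="$ZONE" \
    --format="yaml(confidentialInstanceConfig,shieldedInstanceConfig)"
}

# Guest-side check: the Linux kernel logs whether SEV is active at boot. Two
# message forms exist across kernel versions and both are matched. Prints
# "active" or "inactive" and returns 0/1 so it can gate later steps.
sev_status() {
  dmesg_text="$1"
  if printf '%s\n' "$dmesg_text" | grep -Eq \
      'Memory Encryption Features active: .*SEV|Secure Encrypted Virtualization \(SEV\) active'
  then
    echo active; return 0
  fi
  echo inactive; return 1
}

# Constructed sample boot logs (not captured from a real machine).
SAMPLE_SEV_DMESG='[    0.000000] Linux version 5.4.0-1020-gcp (buildd@host)
[    0.123456] AMD Memory Encryption Features active: SEV'
SAMPLE_PLAIN_DMESG='[    0.000000] Linux version 5.4.0-1020-gcp (buildd@host)
[    0.123456] x86/cpu: SME not enabled by BIOS'

case "${1:-}" in
  create)   create_confidential_vm ;;
  describe) describe_protections ;;
  check)    sev_status "$(dmesg 2>/dev/null)" ;;   # run this on the VM itself
  *)        sev_status "$SAMPLE_SEV_DMESG" ;;      # offline demo on the sample
esac
```

Run `sh cvm.sh create` from a workstation with the gcloud SDK, `sh cvm.sh describe` to confirm `enableConfidentialCompute: true` and the shielded settings in the returned YAML, and `sudo sh cvm.sh check` inside the guest; with no argument it only evaluates the constructed sample so it can be exercised without a GCP account.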


Built into the second generation of AMD EPYC processors, Secure Encrypted Virtualization provides an innovative hardware-based security feature to help protect data in a virtualized environment. To support the new GCE Confidential VMs N2D, we worked with Google to help customers secure their data and ensure the performance of their workloads. We are very pleased to see that Confidential VMs are showing the same level of high performance across workloads as typical N2D VMs.

Raghu Nambiar, Vice President, Data Center Ecosystem, AMD

Game-changing technology

Confidential computing can help change the way corporate data is handled in the cloud while maintaining privacy and security. Also, among other benefits, companies will be able to work together without compromising the secrecy of datasets. Such collaborations, in turn, can lead to the development of even more transformative technologies and ideas, for example, the possibility of rapidly creating vaccines and curing diseases as a result of such secure collaboration.

We can't wait to see the opportunities this technology opens up for your company. See here to find out more.

PS Not the first and hopefully not the last time Google rolls out technology that changes the world, as it did with Kubernetes quite recently. We support and distribute Google technologies to the best of our ability: we train IT specialists in Russia. Our company is one of 3 Kubernetes Certified Service Providers and the only Kubernetes Training Partner in Russia. Therefore, every spring and autumn we hold Kubernetes training intensives. The next intensives will be held on September 28-30 (Kubernetes Base) and October 14-16 (Kubernetes Mega).

Source: habr.com
