Google Cloud Launches Confidential VMs, a Game-Changing Technology in Securing Data Online

Google Cloud today announced Confidential VMs at its virtual Cloud Next ’20 event. This new type of virtual machine draws on the company’s work around confidential computing to ensure that data is encrypted not just at rest but also while it is in memory.

“We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure,” the company said in today’s announcement. “Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.”

On the backend, Confidential VMs make use of AMD’s Secure Encrypted Virtualization feature, available in its second-generation EPYC CPUs. Data stays encrypted while in use. The encryption keys that make this possible are generated automatically in hardware and can’t be exported, and Google doesn’t have access to the keys either.

Developers who want to convert their existing VMs to Confidential VMs can do so with just a few clicks. Google notes that it built Confidential VMs on top of its Shielded VMs, which already provide protection against rootkits and other exploits.

“With built-in secure encrypted virtualization, 2nd Gen AMD EPYC processors provide an innovative hardware-based security feature that helps secure data in a virtualized environment,” said Raghu Nambiar, corporate vice president, Data Center Ecosystem, AMD. “For the new Google Compute Engine Confidential VMs in the N2D series, we worked with Google to help customers both secure their data and achieve performance of their workloads.”

It’s a given that the extra encryption and decryption steps incur at least a minor performance penalty. Google states that it worked with AMD and developed new open-source drivers to ensure that “the performance metrics of Confidential VMs are close to those of non-confidential VMs.” At least according to the benchmarks Google itself has disclosed so far, both startup times and memory read and throughput performance are virtually the same for regular VMs and Confidential VMs.

The Leaders Globe