Google Cloud introduces Confidential VMs for enhanced security


Google Cloud has introduced two security solutions, Confidential VMs and Assured Workloads for Government. These solutions aim to improve the protection of sensitive data, especially from public organisations, within (public) cloud environments.

According to Google Cloud, the new solutions are primarily designed for market sectors where it is of the utmost importance that all data remains confidential, such as government, healthcare and financial services. These sectors have the strictest security requirements for such data, including when it is held in public cloud environments.

The newly released solutions ensure that Google Cloud can meet these requirements. They are built into the public cloud platform itself rather than being services that merely run on top of it.

Confidential VMs

The first of the two security solutions is Confidential VMs. Confidential Computing encrypts data in use, that is, while it is being processed. Within a Confidential Computing environment the data remains encrypted in memory and everywhere outside the CPU that is processing it. The public cloud environment already encrypts data at rest and data in transit; Confidential VMs add memory encryption, which also keeps the different workloads isolated from each other.

Collaboration with AMD

The newly released solution, currently in beta, combines Google software with hardware from chip manufacturer AMD. A primary concern was whether memory encryption would noticeably affect workload performance. It turned out that the performance of Confidential VMs is almost the same as that of traditional, non-confidential VMs.

Confidential VMs use the Secure Encrypted Virtualization (SEV) technology supported by the recent second-generation AMD EPYC CPUs. The data remains encrypted while it is used, indexed, queried or used to train models. The encryption keys are generated in hardware, per VM, and cannot be exported.

In this way, customers do not have to redesign their applications to benefit from Confidential VMs. All current Google Cloud Platform (GCP) workloads already running in VMs can also run as Confidential VMs; customers only need to enable the option.
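Because the protection depends on that one option being set, the practical check is verifying that the instances which are supposed to be Confidential VMs really were created that way. The following audit script is an added example, not code from Google or from this article. It assumes the JSON shape that `gcloud compute instances describe --format=json` returns (the Compute Engine API Instance resource, with `confidentialInstanceConfig.enableConfidentialCompute`, `scheduling.onHostMaintenance` and `machineType`), assumes that Confidential VMs run on the N2D (AMD EPYC) machine family without live migration, and assumes the two Linux kernel log lines that announce SEV inside the guest; the instance records and the kernel log excerpt are constructed sample data.

```python
"""Audit Compute Engine instance descriptions for Confidential VM settings.

Added example, not Google's code. Field names follow the Compute Engine
Instance resource as I know it (an assumption); the records below are
constructed sample data in that shape.
"""
import json
import re
from typing import Dict, List

# Constructed sample records, shaped like `gcloud compute instances describe --format=json`.
SAMPLE_INSTANCES = [
    {   # created with the Confidential VM option: should pass
        "name": "payroll-db-1",
        "machineType": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/machineTypes/n2d-standard-4",
        "confidentialInstanceConfig": {"enableConfidentialCompute": True},
        "scheduling": {"onHostMaintenance": "TERMINATE"},
    },
    {   # ordinary N2 VM, option never set, live migration allowed
        "name": "web-frontend-2",
        "machineType": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/machineTypes/n2-standard-2",
        "scheduling": {"onHostMaintenance": "MIGRATE"},
    },
    {   # right hardware family, but the option is explicitly off
        "name": "analytics-3",
        "machineType": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/machineTypes/n2d-standard-8",
        "confidentialInstanceConfig": {"enableConfidentialCompute": False},
        "scheduling": {"onHostMaintenance": "TERMINATE"},
    },
]


def is_confidential(instance: Dict) -> bool:
    """True when the instance carries the Confidential VM option."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    return bool(cfg.get("enableConfidentialCompute"))


def machine_family(instance: Dict) -> str:
    """'n2d-standard-4' -> 'n2d'; the machineType value is a resource URL."""
    name = instance.get("machineType", "").rsplit("/", 1)[-1]
    return name.split("-", 1)[0]


def audit_instance(instance: Dict) -> List[str]:
    """Return findings for one instance; an empty list means it passes."""
    findings = []
    if not is_confidential(instance):
        findings.append("confidential compute not enabled")
    family = machine_family(instance)
    if family != "n2d":  # assumption: SEV-backed Confidential VMs use the N2D family
        findings.append(f"machine family {family or '?'} is not N2D (AMD EPYC with SEV)")
    if instance.get("scheduling", {}).get("onHostMaintenance") != "TERMINATE":
        findings.append("onHostMaintenance must be TERMINATE (no live migration)")
    return findings


def audit(instances: List[Dict]) -> Dict[str, List[str]]:
    """Map each instance name to its findings."""
    return {i["name"]: audit_instance(i) for i in instances}


# Guest-side check: the Linux kernel logs one of these lines when SEV is active
# (assumed wording, taken from arch/x86/mm/mem_encrypt.c in 4.x/5.x kernels).
SEV_ACTIVE = re.compile(
    r"AMD Memory Encryption Features active:.*\bSEV\b"
    r"|AMD Secure Encrypted Virtualization \(SEV\) active"
)


def sev_active(dmesg_text: str) -> bool:
    """True if any kernel log line reports SEV memory encryption as active."""
    return any(SEV_ACTIVE.search(line) for line in dmesg_text.splitlines())


# Constructed excerpt of `dmesg` output from inside a Confidential VM.
SAMPLE_DMESG = """[    0.000000] Linux version 5.4.0 (constructed sample)
[    0.123456] AMD Memory Encryption Features active: SEV
"""

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSTANCES), indent=2))
    print("SEV active in guest kernel log:", sev_active(SAMPLE_DMESG))
```

The control-plane check and the guest-side check complement each other: the first catches instances that were never given the option, the second confirms from inside the guest that the kernel actually booted with SEV memory encryption on.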

Longer process

Google has been working for some time on improving the security of data in VMs. The predecessor, Shielded VMs, which protect VMs against rootkits and bootkits, has been a standard option for GCP customers since the beginning of this year. This will probably also apply to Confidential VMs.

Google Cloud is also a participant in the Confidential Computing Consortium (CCC). This project was founded last year by the Linux Foundation. Other major cloud players are also involved, such as Microsoft, IBM, Alibaba and chip manufacturer Intel.

Assured Workloads for Government

The second security tool introduced by Google Cloud is Assured Workloads for Government. This compliance solution currently focuses entirely on the data compliance obligations of governments in the United States.

It allows governments to configure their workloads to meet the most demanding compliance requirements. As a result, the workloads no longer need to be placed in a special ‘government silo’ in a public cloud environment. These special environments often do not have all the functionality that a public cloud, like Google Cloud, can provide.

The solution makes this separate environment redundant and ensures that U.S. governments can now ‘simply’ place their workloads in Google Cloud, but still meet the strictest compliance requirements.