AMD and Google have announced a new collaboration with the beta availability of Confidential Virtual Machines (VMs) on Google Compute Engine. Powered by 2nd Gen AMD EPYC processors, the Confidential VMs take full advantage of the security features built into the processor.
According to Google, Google Cloud already encrypts data at rest and in transit, but the data must be decrypted for processing. This is where Confidential Computing comes in: a breakthrough technology that encrypts data in use, while it is being processed. Confidential Computing keeps data encrypted in memory and everywhere outside the central processing unit (CPU). Confidential VMs offer end users high-performance processing for the most demanding computational tasks while keeping sensitive data in the cloud encrypted as it is processed.
According to Dan McNamara, “As enterprises migrate tasks to the cloud for reasons including the ease of management, scalability and reduced costs, they often stop short of moving more sensitive workloads due to security concerns.” He further adds, “To help provide the confidence that customers can move their sensitive workloads to the cloud, AMD and Google worked together on the Google Confidential VMs to take advantage of an advanced security feature, Secure Encrypted Virtualization, within AMD EPYC processors. This helps enable a unified and consistent level of hardware-based security for applications and workloads in the cloud. As well, AMD and Google have worked together to help customers both secure their data and achieve high performance of their workloads.”
Now, let’s look at the features provided by Google’s Confidential VMs:
Real-time encryption in use: Google Cloud customers can encrypt data in use, taking advantage of the advanced security features offered by 2nd Gen AMD EPYC CPUs.
Secure Encrypted Virtualization (SEV): An advanced security feature available on AMD EPYC processors that encrypts VM memory using a dedicated per-VM key generated and managed by the embedded security processor. Data remains encrypted while it is indexed, queried or trained on. Encryption keys are generated in hardware, per VM, and are not exportable.
“Lift and Shift Confidentiality“: AMD and Google have simplified the use of Confidential Computing, making the transition to Confidential VMs seamless as customers do not need to make any code changes to their applications to benefit from these VMs.
High-performance VMs: Confidential VMs offer performance similar to Google N2D VMs, which are powered by high-performance 2nd Gen AMD EPYC processors.
Google also adds protection against advanced threats to Confidential Computing. It builds on the protections of Shielded VMs by defending against rootkits and bootkits, helping to ensure the integrity of the operating system you choose to run in the Confidential VM.
Confidential VMs run on N2D series VMs powered by 2nd Gen AMD EPYC processors. By using AMD’s SEV feature, Confidential VMs deliver peak performance for increasingly demanding computational tasks while keeping VM memory encrypted with a dedicated per-VM instance key that is generated and managed by the AMD EPYC processor. These keys are generated by the AMD Secure Processor during VM creation and reside solely within it, so they are invisible to Google and to any other VMs running on the host.
In addition, Google offers operating system images for Confidential VMs, including Ubuntu 18.04, Ubuntu 20.04, Container-Optimized OS (COS v81) and RHEL 8.2. Confidential VMs build on Shielded VMs, which harden the OS images by verifying the integrity of your firmware, kernel binaries and drivers for extra protection.
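The provisioning flow described above (an N2D Confidential VM booted from one of the listed images, with SEV memory encryption handled by the hardware), as an added shell example that is not code from the article, Google or AMD; the gcloud flags, the image family and project names, the zone and the kernel boot-log wording are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article, Google or AMD. Assumptions:
# the gcloud flags --confidential-compute and --maintenance-policy=TERMINATE,
# the kernel's SEV boot-log wording, and the placeholder zone/image values.

# Compose the gcloud command that provisions a Confidential VM: an N2D
# machine type (the family the article names for Confidential VMs),
# --confidential-compute to request SEV memory encryption, and a
# TERMINATE maintenance policy, which the flag is assumed to require.
build_create_cmd() {
  name="$1"; zone="$2"; image_family="$3"; image_project="$4"
  printf '%s' "gcloud compute instances create $name --zone=$zone" \
    " --machine-type=n2d-standard-2 --confidential-compute" \
    " --maintenance-policy=TERMINATE" \
    " --image-family=$image_family --image-project=$image_project"
}

# Inside the guest, the kernel logs whether SEV memory encryption is on.
# Reads dmesg text from stdin so the same check works on a live `dmesg`
# stream or on a saved/constructed sample. Two wordings are matched because
# the exact line differs across kernel versions (assumption).
sev_active() {
  grep -Eq 'AMD Memory Encryption Features active:.*SEV|Secure Encrypted Virtualization \(SEV\) active'
}

# Constructed sample boot logs (not real captures) for offline use.
SAMPLE_SEV_DMESG='[    0.000000] Linux version 5.4.0 (constructed sample)
[    0.118230] AMD Memory Encryption Features active: SEV'
SAMPLE_PLAIN_DMESG='[    0.000000] Linux version 5.4.0 (constructed sample)
[    0.118230] x86/cpu: constructed line with no memory encryption'

# Stand-alone demo: print the provisioning command, evaluate the constructed
# samples, and with LIVE=1 (run inside a guest) check the real dmesg.
build_create_cmd cvm-demo us-central1-a ubuntu-2004-lts ubuntu-os-cloud; echo
printf '%s\n' "$SAMPLE_SEV_DMESG"   | sev_active && echo "sample 1: SEV active"
printf '%s\n' "$SAMPLE_PLAIN_DMESG" | sev_active || echo "sample 2: SEV not active"
if [ "${LIVE:-0}" = 1 ]; then
  dmesg | sev_active && echo "this guest: SEV active" || echo "this guest: SEV NOT active"
fi
```

The verification step matters because the per-VM key is never exposed to the guest; the kernel's boot log is the only in-guest evidence that memory encryption is actually on.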
According to Raghu Nambiar, “With built-in secure encrypted virtualization, 2nd Gen AMD EPYC processors provide an innovative hardware-based security feature that helps to secure data in a virtualized environment. For the new Google Compute Engine Confidential VMs in the N2D series, we worked with Google to help customers both secure their data and achieve performance of their workloads. We’re thrilled to see the Confidential VMs demonstrate similar levels of high performance, for various workloads, as the standard N2D VMs.”
AMD EPYC processors power more than 120 VM types from cloud providers and hosting companies around the world, supporting a variety of workloads, including high-performance workloads that meet the most demanding customer requirements. Confidential VMs are available in Beta on Google Compute Engine to all GCP customers in the following GCP regions: asia-southeast1, europe-west1, europe-west4 and us-central1.