Confidential Computing keeps data encrypted in memory, and anywhere else outside the CPU, while it is being processed, without requiring any code changes to applications.
Right now, clients who entrust their data to rented cloud infrastructure are exposed to vulnerabilities in that infrastructure. Enterprises need a way to process data privately, so that unauthorized parties cannot reach it, but until now that has not been possible.
With everyone moving to the cloud, these security loopholes are becoming more obvious. Companies load data into memory for processing, which leaves it more exposed than when it is at rest. Confidential virtual machines offer cryptographic isolation, a much stronger protection than anything previously available.
The new feature is built on second-generation AMD EPYC processors. The encryption keys stay on the chip, so a customer’s virtual machines are encrypted even from Google, and the data is opened only inside a walled garden that the client alone can access. This lets clients process data while it stays encrypted and out of reach of prying eyes.
This month, AMD announced new Confidential virtual machines on the existing N2D and C2D VMs on Google Cloud, all powered by AMD EPYC processors. These VMs extend the AMD EPYC processor portfolio of Confidential Computing on Google Cloud with the performance of 3rd Gen EPYC processors in compute-optimized VMs.
One step closer to protecting cloud data in use
Encrypting on-chip reduces the amount of time data spends decrypted. No one but the client retains access to the encryption keys. Even if threat actors break into a virtual machine, they cannot see decrypted data without that key.
Detractors wonder whether the chip could become a single point of failure, given that other kinds of specialized chips have fallen to vulnerabilities. However, Google’s focus remains on making the feature as simple as possible for customers to turn on: right now, it is a single checkbox that clients tick when creating the virtual machine.
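The checkbox turns the feature on, but a defender will want to confirm from inside the guest that the kernel actually booted with AMD SEV active rather than take the console's word for it. The following POSIX shell script is an added example, not code from Google, AMD or the original article. It parses the Linux kernel's boot message about active memory-encryption features; the two line shapes it looks for are an assumption about the kernel's wording, and the log files it checks are constructed samples so the script runs offline.

```shell
# sev_check.sh (added example): ask the running Linux guest kernel which AMD
# memory-encryption features it reports as active. Reads `dmesg` by default;
# pass a saved log file to parse that instead (used below with constructed input).
# Assumption: the kernel's boot line has one of these two shapes,
#   "AMD Memory Encryption Features active: SEV SEV-ES"      (older kernels)
#   "Memory Encryption Features active: AMD SEV SEV-ES"      (newer kernels)

# Emit the log text to parse: a file if given, the live kernel ring buffer otherwise.
log_source() {
  if [ -n "$1" ]; then
    cat "$1"
  else
    dmesg 2>/dev/null
  fi
}

# Print the feature list after "active:" with any leading "AMD" stripped,
# e.g. "SEV" or "SEV SEV-ES"; prints nothing when no such line exists.
sev_features() {
  log_source "$1" \
    | sed -n -E 's/.*Memory Encryption Features active:[[:space:]]*(AMD[[:space:]]+)?(.*)$/\2/p' \
    | head -n 1
}

# Return 0 when the guest reports SEV (or a stronger SEV variant), 1 otherwise.
# SME alone is host-side memory encryption and does not shield a guest from its
# hypervisor, so it deliberately does not count.
sev_active() {
  case " $(sev_features "$1") " in
    *" SEV "*|*" SEV-ES "*|*" SEV-SNP "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample logs (not captured from any real machine) so the checks
# run offline. Inside a real guest, call `sev_active` with no argument instead.
SEV_LOG=$(mktemp)
cat >"$SEV_LOG" <<'EOF'
[    0.000000] Linux version 5.15.0-generic (build@host) #1 SMP
[    0.004711] AMD Memory Encryption Features active: SEV
[    0.012000] Booting paravirtualized kernel on KVM
EOF

SNP_LOG=$(mktemp)
cat >"$SNP_LOG" <<'EOF'
[    0.000000] Linux version 6.1.0-generic (build@host) #1 SMP
[    0.004711] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP
EOF

PLAIN_LOG=$(mktemp)
cat >"$PLAIN_LOG" <<'EOF'
[    0.000000] Linux version 5.15.0-generic (build@host) #1 SMP
[    0.012000] Booting paravirtualized kernel on KVM
EOF

for log in "$SEV_LOG" "$SNP_LOG" "$PLAIN_LOG"; do
  if sev_active "$log"; then
    echo "$log: confidential VM, features: $(sev_features "$log")"
  else
    echo "$log: NOT running under SEV (no memory-encryption line in log)"
  fi
done
```

This is a sanity check on the guest kernel's own report: it tells you the VM booted with memory encryption enabled, which is the property the checkbox is supposed to deliver, and nothing more. A VM that was not created as confidential prints the "NOT running under SEV" line, which is the case worth alerting on in a fleet where every instance is expected to be confidential.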
According to Google, it is the first feature in its Confidential Programming Portfolio, part of a move to make encryption accessible and automatic across Google Cloud services. For some, potential risks within the hardware itself are a deal breaker; for others, any step that protects sensitive data in the cloud is welcome.