Google Cloud unveils new features to enhance security and compliance for sensitive data

Confidential VMs and Assured Workloads for Government are both designed for highly regulated and security-sensitive industries.

Google Cloud

Image: Dongyu Xu / Getty Images

Google Cloud is introducing two new capabilities aimed at organizations struggling to ensure the security and regulatory compliance of data stored in the cloud. Announced on Tuesday, the two features are Confidential VMs and Assured Workloads for Government, both of which aim to simplify and strengthen the security management of cloud-based data, especially for industries that have to grapple with tight compliance regulations.

SEE: Top cloud providers in 2020: AWS, Microsoft Azure, and Google Cloud, hybrid, SaaS players (TechRepublic) 

Confidential VMs

One challenge faced by organizations moving their infrastructure to the cloud is how to process sensitive data while at the same time keeping it secure and private. Currently, Google Cloud encrypts data while at rest and in transit, but that data must be decrypted to be processed. Confidential Computing is a new technology that can encrypt data as it is being processed, including while it's in memory and elsewhere outside the CPU.

Currently in beta mode, Confidential VMs is the first product in Google's Confidential Computing lineup, one that uses memory encryption to isolate cloud-based operations and workloads. Though Confidential VMs will be available to any organizations, Google said it's particularly interesting for those in highly regulated industries.

Google touted the following features and benefits possible with Confidential VMs:

  • Breakthrough confidentiality. Customers will be able to protect the confidentiality of sensitive cloud-based even while it's being processed. Data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated in hardware, per VM, and are not exportable.
  • Enhanced innovation. Confidential Computing will be able to unlock computing scenarios not previously possible, according to Google. Organizations will be able to share confidential data sets and collaborate on research in the cloud, all while preserving confidentiality.
  • Confidentiality for lift-and-shift workloads. Google's stated goal is to make Confidential Computing easy enough to manage. The transition to Confidential VMs should be seamless, the company said, as all GCP workloads run in VMs today can run as a Confidential VM.
  • Protection against advanced threats. Confidential Computing builds on the protections Shielded VMs offer against rootkits and bootkits, helping to ensure the integrity of the operating system in a Confidential VM.

Confidential VMs will run on N2D series VMs powered by 2nd Gen AMD EPYC processors. Using the AMD SEV feature, Confidential VMs will provide high performance for demanding computational tasks at the same time it encrypts VM memory with a dedicated per-VM instance key generated and managed by the AMD EPYC processor. As the keys are created by and reside in the AMD Secure Processor during VM creation, they're unavailable to Google or to any VMs running on the host.

"With built-in secure encrypted virtualization, 2nd Gen AMD EPYC processors provide an innovative hardware-based security feature that helps secure data in a virtualized environment," Raghu Nambiar, corporate vice president of data center ecosystem for AMD, said in a press release. "For the new Google Compute Engine Confidential VMs in the N2D series, we worked with Google to help customers both secure their data and achieve performance of their workloads."

Assured Workloads for Government

Traditionally cloud providers that want to offer government agencies secure and regulatory-compliant technologies build dedicated "government clouds." But these types of clouds don't always offer the latest features found in more commercial clouds. Designed for the public sector, Assured Workloads for Government is an attempt to equip federal, state, and local government agencies with workloads that use the latest cloud capabilities but at the same time adhere to strict compliance.

Currently in Private Beta in the US, Assured Workloads for Government will let customers create controlled environments in which US data location and access controls are automatically enforced. With this capability, government customers, suppliers, and contractors will be able to meet the tight security and compliance standards set by the Department of Defense, the FBI's Criminal Justice Information Services Division (CJIS), and the Federal Risk and Authorization Management Program (FedRAMP), Google said. But these workloads will still provide the latest features available in the Google Cloud portfolio.

In describing Assured Workloads for Government, Google pointed to the following benefits:

  • Automatic enforcement of data location. Customers will be able to meet US government compliance requirements by choosing to store data at rest in US regions.
  • Personnel access. Currently, Google Cloud is unable to access customer data for any reasons other than in accordance with customer contracts. With Assured Workloads, customers will be able be able to limit access by Google support personnel based on predefined attributes such as citizenship, a particular geographical access location, and background checks.
  • Built-in security controls. The built-in controls will reduce the risk of accidental misconfigurations by letting customers choose from available platform security configurations.
  • Automatic enforcement of product deployment location. Customers will be able to restrict the deployment of new resources to specific Google Cloud regions based on Organization Policy.
  • Assured Workloads Support (coming in the fourth quarter). Customers will be able to receive Premium Support from a US person in a US location, 24/7, with 15-minute target SLOs (service level objectives) for P1 cases, to help meet compliance requirements. (This option will require the purchase of additional support services.)

Assured Workloads for Government will be more generally available this fall with beta features.

"Customers across all industries are navigating the complexities of compliance and privacy in the cloud, especially those in regulated industries, such as financial services firms, healthcare companies, and government agencies," Sunil Potti, general manager and VP of security at Google Cloud, said in a press release. "These companies want to adopt the latest cloud technologies, but strict requirements for data privacy or compliance are often barriers. Confidential VMs and Assured Workloads will help us better serve customers in these industries, so they can securely take advantage of the innovation of the cloud while also simplifying security operations."

Also see