New Google Cloud tech gives users control of data confidentiality

Confidential computing encrypts data in use as it's being processed and keeps that data encrypted in memory and elsewhere outside the CPU.

Google Cloud

Image: Dongyu Xu / Getty Images

Google Cloud just launched a new technology that encrypts data while it's being processed: Confidential computing, which also keeps data encrypted in memory, as well as outside the central processing unit (CPU). Google Cloud users can now control the confidentiality of their data. 

This marks the next step up from Google Cloud's existing data encryption while at-rest and in-transit. Google Cloud employed several isolation and sandboxing techniques to maintain the security of multi-tenant architecture. 

The debut of the beta version

The beta version of confidential virtual machines (VMs) is the initial product in Google Cloud's confidential computing portfolio, and, the company assures, is the "first major cloud provider" with a significant level of security and isolation. Confidential VMs allow users to further isolate workloads in the cloud through memory encryption. 

In addition to the value confidential VMs hold for the protection of sensitive data, Google Cloud noted it will be of interest to regulated industries.

SEE: Cloud Computing Policy (TechRepublic Premium)

Designed to be easy to deploy and use, the confidential computing environments began with the open-source framework, Asylo, which also delivers high performance and works for any size workloads that are run in the cloud. 

The Google Cloud approach

New to confidential VMs are uncomplicated options and "life and shift" applications. In a recent release, Google Cloud described its approach:

Breakthrough confidentiality: Even while processing, customers can protect the confidentiality of sensitive data. Data remains encrypted while in use, indexed, queried, or trained on. Generated in hardware, and per VM, encryption keys are not exportable. The Secure Encrypted Virtualization (SEV) feature of the second generation AMD (Advanced Micro Devices) EPYCTM (brand of AMD x86-64 microprocessors) CPUs are leveraged by confidential VMs. 

Enhanced innovation: Businesses can share confidential data sets, as well as collaborate in the cloud and still maintain confidentiality. 

Confidentiality for lift-and-shift workloads: All Google Cloud Platform workloads that run in VMs will also be able to run as a confidential VM.

Protection against advanced threats: The integrity of a customer's operating system is ensured as it uses the protections shielded VMs offer against rootkit and bootkits.

Confidential VMs' backstory

Confidential VMs offer hardware-based inline memory encryption with a dedicated per-VM instance key, managed and generated by the AMD EPYC processors. The confidential VMs' OS image is hardened and the integrity of firmware, kernel binaries, and drivers are verified through Shielded VMs. 

The AMD Cloud Solution engineering team ensures the VMs' memory encryption will not interfere with workload performance. To handle storage and network traffic with higher throughput than previous protocols, Google Cloud added support for new OSS drivers (NVMe and gVNIC); these additions confirm performance metrics of Confidential VMs, in line with non-confidential VMs.

"With built-in secure encrypted virtualization, 2 Gen AMD EPYC processors provide an innovative hardware-based security feature that helps secure data in a virtualized environment," said Raghu Nambiar, corporate vice president, data center ecosystem, AMD, in a press release. 

In addition to the maintenance of privacy, organizations can collaborate without compromising the confidentiality of data sets, potentially resulting in new transformational technologies and ideas. 

Also see 

By N.F. Mendoza

N.F. Mendoza is a writer at TechRepublic and based in Los Angeles. She has a BA in Broadcast Journalism and Cinema Critical Studies and a Master's of Professional Writing, both from USC. Nadine has more than 20 years experience as a journalist coveri...