Confidential Computing keeps data encrypted in memory, and anywhere else outside the CPU, while it is being processed, without requiring any changes to application code.
Until now, customers who entrust their data to rented cloud infrastructure have been exposed to certain vulnerabilities in that environment. Businesses needed a way to process data privately, preventing unauthorized access and closing security gaps, but that was not possible.
With everyone moving to the cloud, these security gaps are becoming more apparent. Businesses load data into memory for processing, where it is more exposed than data at rest. Confidential virtual machines provide cryptographic isolation, a much stronger protection than earlier measures.
The new feature is built on a foundation of second-generation AMD EPYC processors. The encryption keys never leave the chip; they encrypt a customer's virtual machines so that not even Google can read them, and the data is opened only inside a walled garden that the customer alone can access. This lets customers process data while it remains encrypted and protected from potential prying eyes.
This month, AMD announced new Confidential VMs on Google Cloud's existing N2D and C2D machine types, all powered by AMD EPYC processors. These VMs extend the AMD EPYC-based Confidential Computing portfolio on Google Cloud with the performance of 3rd Gen EPYC processors in compute-optimized VMs.
One step closer to protecting cloud data in use
On-chip encryption reduces the time data spends decrypted in general-purpose memory. No one other than the customer retains access to the encryption keys. Even if threat actors break into a virtual machine, they cannot see decrypted data without that key.
Critics question whether the chip could become a single point of failure, since other types of specialized chips have proved vulnerable. However, Google's focus remains on making the feature as easy as possible for customers to enable: right now it is a simple checkbox that customers tick when creating the virtual machine.
According to Google, it is the first feature in its Confidential Programming Portfolio, and part of a broader effort to make encryption accessible and automatic across Google Cloud services. For some, potential risks within the hardware itself are a deal breaker, but for others, any step toward protecting sensitive data in the cloud is welcome.
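The "checkbox" above corresponds to the `--confidential-compute` flag in the gcloud CLI. As an added example that is not part of the article, the shell snippet below shows the create command and a defender's check that the instance really runs with SEV memory encryption, comparing the control-plane flag with what the guest kernel reports; the instance name, zone and image are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: create a Confidential VM on Google Cloud and verify SEV is active.
# Instance name, zone and image are assumptions; the sample captures below are constructed.
#
# 1. Create the VM (the console checkbox is the --confidential-compute flag). Confidential VMs
#    cannot live-migrate, so the maintenance policy must be TERMINATE. Requires gcloud auth:
#   gcloud compute instances create cvm-demo --zone=us-central1-a \
#     --machine-type=n2d-standard-2 --confidential-compute \
#     --maintenance-policy=TERMINATE \
#     --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud
#
# 2. Control-plane check: the instance resource must carry the confidential flag.
#   gcloud compute instances describe cvm-demo --zone=us-central1-a \
#     --format='value(confidentialInstanceConfig.enableConfidentialCompute)'
#
# 3. In-guest check: the kernel log must report AMD SEV memory encryption as active
#    (dmesg | grep -i sev). Trust the instance only when both checks agree.

# Return 0 when the describe output reports the flag as True.
cvm_flag_enabled() {
  [ "$1" = "True" ]
}

# Return 0 when a dmesg capture contains a line reporting SEV as active.
sev_active_in_dmesg() {
  printf '%s\n' "$1" |
    grep -Eq 'Memory Encryption Features active:.*SEV|Secure Encrypted Virtualization \(SEV\) active'
}

# Both signals must agree before treating the instance as a Confidential VM.
verify_cvm() {
  cvm_flag_enabled "$1" && sev_active_in_dmesg "$2"
}

# Constructed sample captures (not real output from any instance).
DMESG_SEV='[    0.000000] Linux version 5.4.0-gcp (constructed sample)
[    0.152000] AMD Memory Encryption Features active: SEV'
DMESG_PLAIN='[    0.000000] Linux version 5.4.0-gcp (constructed sample)
[    0.152000] x86/fpu: Supporting XSAVE feature 0x001'

if verify_cvm "True" "$DMESG_SEV"; then
  echo "Confidential VM confirmed: flag set and SEV active in guest"
fi
if ! verify_cvm "True" "$DMESG_PLAIN"; then
  echo "Flag set but guest kernel does not report SEV: investigate before trusting"
fi
```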