On Oct. 2, Google announced several new entries in its portfolio of VM services for enterprise clouds.
The tech giant’s Confidential VMs use hardware-based memory encryption to keep data and applications protected while they are in use, so that the host and its hypervisor cannot read guest memory; the newer SEV-SNP variant adds integrity protection and attestation on top of that confidentiality. Google provides several Confidential VM products and services.
“The ability to encrypt data anywhere helps to alleviate concerns about third-party access to data, removing cloud adoption barriers, and, by removing these barriers, allows IT teams and developers to realign their focus to other business priorities,” said Sam Lugani, Google Cloud’s product lead for Confidential Computing & Confidential AI, in an email to TechRepublic.
Pricing for Confidential VMs depends on the plan. Confidential VMs must be used in tandem with a Google Compute Engine plan.
Security enhancements rolled out for virtual machines
Several new enhancements for Google Cloud’s confidential computing were released today to provide more options for keeping data secure while it is in use:
- Confidential machines have been added to the C3D machine series, and include AMD’s Secure Encrypted Virtualization (SEV) technology. These machines represent an expansion of Confidential VM availability from the general-purpose N2D and C2D machine series to the more security-focused C3D machine series. Specifically, C3D instances with AMD SEV encrypt each guest VM’s memory with a per-VM key, isolating the guest from the hypervisor (and from other guests) and protecting data while it is in use. C3D VMs range in size from 4 to 360 vCPUs and can hold up to 2,880 GB of memory in supported configurations. All geographic regions and zones supporting the C3D machine series have access to Confidential VMs with AMD SEV.
- Confidential machines on the C3 machine series are now available with Intel’s TDX technology. Intel TDX provides hardware-based trusted execution environments for data integrity, confidentiality, and authenticity. In addition, all C3 VMs have Intel’s Advanced Matrix Extensions: instruction set architecture extensions that support common AI and ML operations. Intel TDX on C3 machines is available in the asia-southeast1, us-central1, and europe-west4 Google Cloud regions.
- Google Cloud expanded the availability of AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) on the N2D virtual machine series. SEV-SNP adds memory integrity protection and hardware-rooted attestation to the original SEV, which offered memory confidentiality only. SEV-SNP is particularly effective against attacks that originate from a malicious or compromised hypervisor, such as data replay and memory remapping. The regional availability is asia-southeast1, us-central1, europe-west3, and europe-west4.
Google Cloud also added signed launch measurements for its UEFI binaries, bringing an additional layer of verification to the firmware running on Confidential VMs with AMD SEV-SNP: the firmware measurement reported by the hardware can be checked against a Google-signed reference value rather than a locally maintained one.
SEE: Earlier this month, Google Cloud’s backup and recovery services unveiled a preview of immutable data vaults.
“Businesses are looking to build trust with customers and partners by ensuring data privacy and security, especially as they leverage AI for competitive advantage,” Lugani wrote. “Some organizations still view applications and the data they use as separate entities. However, the reality is that data profoundly influences AI models, and it’s integral that this data stays secure and private.”
Confidential VM with AMD SEV comes to Google Cloud attestation
Google Cloud attestation provides a method of verifying that confidential VMs are operating as expected, and is an alternative to running an attestation verifier on top of a Google Cloud VM. Google Cloud attestation is available for instances running Confidential VM with AMD SEV.
“This capability applies to Confidential GKE as well and saves customers time and resources vs using a 3rd party attestation service or developing an attestation verifier themselves,” Lugani noted.
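The checks behind the attestation described above (the hardware-rooted SEV-SNP report, the signed launch measurement, and a verifier confirming the VM is running as expected) are easier to see in code. The following is an added example, not code from Google Cloud, AMD or the article, and it does not reproduce whatever Google Cloud attestation does internally, which the article does not describe; it shows the generic checks any SEV-SNP verifier applies. Field offsets follow the public AMD SEV-SNP ABI specification for the ATTESTATION_REPORT structure. The report bytes are constructed locally so the script runs offline; on a real guest the report would come from the `/dev/sev-guest` device, and its ECDSA P-384 signature over the first 0x2A0 bytes must additionally be verified against the VCEK/ASK/ARK certificate chain from AMD’s key distribution service, which is not shown here.

```python
"""Checks an attestation verifier applies to an AMD SEV-SNP report.

Added example; not code from Google Cloud, AMD or TechRepublic.  Field
offsets and bit positions follow the public SEV-SNP ABI specification
(ATTESTATION_REPORT structure).  The report used here is CONSTRUCTED so
the script runs offline.  A real report is read from /dev/sev-guest and
its ECDSA P-384 signature over bytes 0x000-0x29F must be verified against
the VCEK/ASK/ARK chain from AMD's key distribution service (not shown).
"""
import hashlib
import hmac
import struct

REPORT_SIZE = 0x4A0                  # 1184 bytes; signature occupies 0x2A0..0x4A0
SIG_ALGO_ECDSA_P384_SHA384 = 1

# Guest POLICY field (offset 0x008); bits 15:0 hold the minimum ABI version.
POLICY_SMT_ALLOWED  = 1 << 16
POLICY_RESERVED_ONE = 1 << 17   # spec: must always be 1
POLICY_MIGRATE_MA   = 1 << 18   # a migration agent may migrate the guest
POLICY_DEBUG        = 1 << 19   # hypervisor may debug (read) guest memory


def parse_report(buf: bytes) -> dict:
    """Pull the fields a verifier cares about out of a raw report."""
    if len(buf) != REPORT_SIZE:
        raise ValueError(f"expected {REPORT_SIZE}-byte report, got {len(buf)}")
    version, guest_svn, policy = struct.unpack_from("<IIQ", buf, 0x000)
    vmpl, sig_algo, current_tcb, platform_info = struct.unpack_from("<IIQQ", buf, 0x030)
    return {
        "version": version, "guest_svn": guest_svn, "policy": policy,
        "vmpl": vmpl, "signature_algo": sig_algo,
        "current_tcb": current_tcb, "platform_info": platform_info,
        "report_data": buf[0x050:0x090],     # 64 bytes chosen by the guest (verifier nonce)
        "measurement": buf[0x090:0x0C0],     # 48-byte launch digest of firmware/initial memory
        "host_data": buf[0x0C0:0x0E0],
        "chip_id": buf[0x1A0:0x1E0],
        "signature": buf[0x2A0:0x2A0 + 144],  # R || S, 72 bytes each, little-endian
    }


def verify_report(buf: bytes, golden_measurement: bytes, nonce: bytes,
                  allow_smt: bool = True) -> list:
    """Return the list of violations; empty means the report passes every
    check that can be made without the AMD certificate chain."""
    r = parse_report(buf)
    problems = []
    if r["version"] < 2:
        problems.append("unsupported report version")
    if r["signature_algo"] != SIG_ALGO_ECDSA_P384_SHA384:
        problems.append("unexpected signature algorithm")
    if r["vmpl"] != 0:
        problems.append("report not requested from VMPL0")
    if not r["policy"] & POLICY_RESERVED_ONE:
        problems.append("policy reserved bit 17 is clear")
    if r["policy"] & POLICY_DEBUG:
        problems.append("guest debug enabled: hypervisor can read guest memory")
    if r["policy"] & POLICY_MIGRATE_MA:
        problems.append("migration agent permitted")
    if not allow_smt and r["policy"] & POLICY_SMT_ALLOWED:
        problems.append("SMT permitted but disallowed by verifier policy")
    # Freshness: the verifier chose the nonce, so a replayed report cannot match it.
    if not hmac.compare_digest(r["report_data"], nonce):
        problems.append("REPORT_DATA does not match verifier nonce (stale or replayed report)")
    # Integrity of what was launched: compare against the known-good (signed) measurement.
    if not hmac.compare_digest(r["measurement"], golden_measurement):
        problems.append("launch measurement does not match known-good firmware")
    return problems


# --- constructed sample data (not taken from real hardware) ------------------
GOLDEN_MEASUREMENT = hashlib.sha384(b"constructed: known-good launch measurement").digest()
SAMPLE_NONCE = hashlib.sha512(b"constructed: verifier nonce").digest()   # 64 bytes


def build_report(policy: int, measurement: bytes, report_data: bytes,
                 version: int = 2, vmpl: int = 0) -> bytes:
    """Lay out a syntactically valid (unsigned) report for exercising the verifier."""
    buf = bytearray(REPORT_SIZE)
    struct.pack_into("<IIQ", buf, 0x000, version, 0, policy)
    struct.pack_into("<IIQQ", buf, 0x030, vmpl, SIG_ALGO_ECDSA_P384_SHA384, 0, 0)
    buf[0x050:0x090] = report_data
    buf[0x090:0x0C0] = measurement
    buf[0x1A0:0x1E0] = hashlib.sha512(b"constructed: chip id").digest()
    return bytes(buf)


def run_scenarios() -> dict:
    """Run the verifier on a good report and on three reports that must fail."""
    base_policy = POLICY_RESERVED_ONE | POLICY_SMT_ALLOWED      # 0x30000, a common default
    check = lambda rep: verify_report(rep, GOLDEN_MEASUREMENT, SAMPLE_NONCE)
    return {
        "good": check(build_report(base_policy, GOLDEN_MEASUREMENT, SAMPLE_NONCE)),
        "debug": check(build_report(base_policy | POLICY_DEBUG, GOLDEN_MEASUREMENT, SAMPLE_NONCE)),
        "replayed": check(build_report(base_policy, GOLDEN_MEASUREMENT,
                                       hashlib.sha512(b"constructed: old nonce").digest())),
        "tampered_firmware": check(build_report(base_policy,
                                                hashlib.sha384(b"constructed: modified firmware").digest(),
                                                SAMPLE_NONCE)),
    }


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name}: {'PASS' if not problems else 'FAIL: ' + '; '.join(problems)}")
```

The nonce and measurement comparisons are the two checks that matter most in practice: the nonce is what makes a report answer the verifier’s question rather than an old one (the replay case the SEV-SNP announcement refers to), and the measurement is what a signed launch measurement lets you check against a reference value you did not have to compute yourself.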
“Confidential Computing has emerged as a crucial enabler for a range of cutting-edge use cases, including the trustworthy deployment of AI,” said Steve Van Lare, vice president of engineering at Anjuna Security, a Google Cloud customer, in a press release. “The streamlined user experience of our joint solution, including full hardware attestation, is poised to ease customer adoption, as evidenced by the strong response we are experiencing from prospective customers.”