Google has long said that it takes its users' confidentiality concerns and rights seriously. When it comes to data in its cloud, however, customers remained uneasy about how far that confidentiality extends: how can anyone be confident about the protection of something they cannot see? To address this, the company launched its Confidential Computing portfolio. Its first offering, Confidential VMs, was launched in beta in July 2020. Google Cloud has now expanded the portfolio with a beta of Confidential Google Kubernetes Engine (GKE) Nodes and announced that Confidential VMs are moving from beta to general availability.
- Confidential GKE Nodes is the second product in the Google Cloud Confidential Computing portfolio. It lets users configure a GKE cluster so that every node pool is a Confidential node pool. Such clusters support all existing GKE features while encrypting node memory with AMD SEV hardware, using Confidential VMs underneath.
- Confidential VMs will become generally available soon, with product updates including audit reports, new Identity and Access Management (IAM) controls, integrations with other enforcement mechanisms, and virtual Trusted Platform Module (vTPM) support.
Making the Container Workloads Confidential
Google has seen its customers modernizing existing applications and building cloud-native ones on GKE, so it is extending the same confidentiality and portability to containerized workloads. Confidential GKE Nodes are built on the same foundation as Confidential VMs: data stays encrypted in memory with a dedicated, node-specific key that is generated and managed by the AMD EPYC processor. The key is held by the processor's secure coprocessor and never exposed to the hypervisor, so neither a compromised host nor a cloud operator can read the node's memory contents.
Confidential GKE Nodes let users configure a GKE cluster so that it only deploys node pools backed by Confidential VMs. Google Cloud explains, "Clusters with Confidential GKE Nodes enabled will automatically enforce the use of Confidential VMs for all your worker nodes. GKE Confidential Nodes will use hardware memory encryption powered by the AMD Secure Encrypted Virtualization feature used by AMD EPYC™ processors, which means that your workloads running on the confidential nodes will be encrypted in-use."
Making Confidential VMs Generally Available
Google Cloud already employs multiple isolation and sandboxing techniques as part of its cloud infrastructure security. Confidential VMs add protection for the confidentiality of sensitive data in the cloud even while it is being processed. They leverage the Secure Encrypted Virtualization (SEV) feature of 2nd Gen AMD EPYC™ CPUs, so users' data stays encrypted in memory while it is being used, indexed, queried, or trained on. Two caveats apply: the data is still plaintext to the guest OS and the applications inside the VM, so guest hardening remains the user's responsibility, and first-generation SEV encrypts memory for confidentiality without providing integrity protection of that memory.
Google also says it worked closely with the AMD Cloud Solution engineering team to ensure that memory encryption does not noticeably degrade VM performance, so that Confidential VMs perform comparably to non-confidential VMs.
With real-time encryption of data in use, lift-and-shift confidentiality for existing workloads, hardening against attacks on memory contents, and near-native performance, the range of workloads that Confidential Computing can cover has broadened.
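The two passages above, on Confidential GKE Nodes enforcing Confidential VMs for every node pool and on Confidential VMs themselves, describe configuration that is easy to get subtly wrong (a non-N2D machine type, or a live-migration maintenance policy that SEV guests cannot use). The following shell script is an added example, not code from Google's announcement: it assembles the `gcloud` invocations for a Confidential VM and for a cluster with Confidential GKE Nodes, and gives an in-guest check that reads the kernel's boot log to confirm SEV is actually active. The zone, instance names and image family are assumed placeholders; at the time of the beta the GKE flag was exposed under `gcloud beta container`, and the `dmesg` sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Google's code): build the gcloud commands that place a
# workload on SEV-encrypted memory, and verify from inside the guest that the
# kernel reports SEV as active. Nothing here calls gcloud itself.
set -eu

ZONE="${ZONE:-us-central1-a}"   # assumed placeholder; any zone with N2D (AMD EPYC) capacity

# Confidential VMs require an N2D (AMD EPYC) machine type. An SEV-encrypted
# guest cannot be live-migrated, so host maintenance must be TERMINATE or the
# request is rejected.
confidential_vm_cmd() {
  echo "gcloud compute instances create $1" \
       "--zone=${ZONE}" \
       "--machine-type=n2d-standard-2" \
       "--confidential-compute" \
       "--maintenance-policy=TERMINATE" \
       "--image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud"
}

# Cluster-level enforcement: with this flag every node pool in the cluster is
# backed by Confidential VMs, matching the enforcement Google describes above.
confidential_gke_cmd() {
  echo "gcloud container clusters create $1" \
       "--zone=${ZONE}" \
       "--machine-type=n2d-standard-2" \
       "--enable-confidential-nodes"
}

# Control-plane view of the same fact: the instance resource carries the
# confidentialInstanceConfig flag, which a policy check can read without
# logging into the guest.
describe_confidential_cmd() {
  echo "gcloud compute instances describe $1 --zone=${ZONE}" \
       "--format='value(confidentialInstanceConfig.enableConfidentialCompute)'"
}

# In-guest check: the Linux kernel logs at boot whether AMD memory encryption
# is active (the wording differs between older and newer kernels). Reads dmesg
# text from stdin so the same check can be run over captured output.
sev_active() {
  grep -qiE 'AMD Memory Encryption Features active:.*SEV|Secure Encrypted Virtualization \(SEV\) active'
}

# Constructed sample of the line a Confidential VM's dmesg contains (not a
# real capture), used to exercise sev_active offline.
SAMPLE_DMESG='[    0.000000] AMD Memory Encryption Features active: SEV'

# Set RUN_DEMO=1 to print the commands and test the running kernel.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  confidential_vm_cmd demo-cvm
  confidential_gke_cmd demo-gke
  describe_confidential_cmd demo-cvm
  if dmesg 2>/dev/null | sev_active; then
    echo "SEV active in this guest"
  else
    echo "SEV not reported by this kernel (not a Confidential VM, or dmesg not readable)"
  fi
fi
```

Run inside a freshly created instance, `sudo dmesg | grep -i sev` is the one-line equivalent of `sev_active`; if it prints nothing, the VM was created without `--confidential-compute` or on a machine family that does not support SEV, and the memory is not encrypted regardless of what the console shows.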