Google Cloud, at a Google Cloud Next 2020 Online event, announced it is making available in beta Confidential VMs, a new service that represents the cloud service provider’s first foray into the realm of confidential computing.
Based on second-generation EPYC processors from AMD that provide access to an embedded Secure Encrypted Virtualization (SEV) capability, Confidential VMs encrypt data in memory while it is being processed, rather than only at rest and in transit.
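A practitioner evaluating such a VM will want to confirm from inside the guest that memory encryption is actually active rather than trusting the instance label. The following shell snippet is an added example, not code from the article or from Google; it checks the kernel log for the line a Linux guest prints when SEV is enabled, using constructed sample log text so it runs offline. The exact wording of the kernel message varies across kernel versions, so the pattern is deliberately loose.

```shell
# Added example (not from the article). Linux guests running under SEV log a
# line such as "AMD Memory Encryption Features active: SEV" at boot; newer
# kernels phrase it as "Memory Encryption Features active: AMD SEV". The
# sample log text below is constructed for offline use.
sev_active() {
  # $1: kernel log text. Returns 0 if SEV is reported active, 1 otherwise.
  printf '%s\n' "$1" | grep -qiE 'Memory Encryption Features active:.*\bSEV\b'
}

# Constructed sample: a guest with SEV enabled.
SAMPLE_CONFIDENTIAL='[    0.000000] Linux version 5.4.0 (constructed sample)
[    0.123456] AMD Memory Encryption Features active: SEV'

# Constructed sample: an ordinary guest with no memory encryption.
SAMPLE_PLAIN='[    0.000000] Linux version 5.4.0 (constructed sample)
[    0.123456] x86/cpu: no memory encryption features reported'

if sev_active "$SAMPLE_CONFIDENTIAL"; then
  echo "sample 1: SEV active"
else
  echo "sample 1: SEV not active"
fi

if sev_active "$SAMPLE_PLAIN"; then
  echo "sample 2: SEV active"
else
  echo "sample 2: SEV not active"
fi

# On a live guest, feed the real kernel log instead of the samples:
#   sev_active "$(dmesg 2>/dev/null)" && echo "SEV active"
```

Note that this check only tells you the guest kernel believes SEV is on; it says nothing about which memory regions are shared with the hypervisor or about attestation of the VM's launch state, which are separate controls.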
At the same time, Google unveiled Assured Workloads for Government, a service also in beta through which the company will ensure workloads run in a specific location to meet government requirements.
Sunil Potti, general manager and vice president of cloud security for Google Cloud, said Confidential VMs will complement existing secure cloud computing services that already isolate workloads and encrypt data at rest. Google has also invested in creating a zero-trust security model dubbed BeyondCorp that ensures access controls are strictly enforced, he noted.
Google Cloud is following Microsoft Azure into the realm of confidential computing, which is being enabled by new classes of processors from AMD and Intel. Both Microsoft and Google Cloud are founding members of the Confidential Computing Consortium, a Linux Foundation project whose members also include Alibaba, ARM, Baidu, IBM, Intel, Red Hat, Swisscom and Tencent.
Amazon Web Services (AWS) has yet to join the consortium or outline its approach to confidential computing. It already offers Nitro Enclaves, through which it isolates compute environments to securely process sensitive data within Amazon EC2 instances. Nitro Enclaves is based on the Nitro Hypervisor technology that AWS developed to provide CPU and memory isolation for EC2 instances. AWS has for several years been making a case for "encrypt everything," which has yet to become the default setting in most IT environments.
It’s not clear to what degree IT organizations will embrace confidential computing services. There’s a clear need to secure data. However, many organizations may decide that paying extra to encrypt data while it’s being processed is one extra layer of security too many. There will always be financial services firms and government agencies that prefer to encrypt data on an end-to-end basis. However, many organizations will be weighing the security benefit of those services against the cost and the potential impact that processing encrypted data in memory might have on applications.
It’s also now only a matter of time before servers configured with processors that support processing encrypted data become available in on-premises IT environments. Many IT teams may decide that, because of compliance requirements, sensitive data still needs to be processed within an on-premises data center.
Of course, cloud security concerns go well beyond merely how data is encrypted. Most often, the biggest cloud security issue is misconfiguration. Encrypting data might render any data inadvertently exposed through such a misconfiguration useless. However, IT teams are just now coming to terms with DevSecOps best practices. Confidential computing services may have a role to play in helping IT teams achieve that goal, but it may be a while before the processors on which confidential computing depends are employed widely across an extended enterprise.