
Google Cloud launches Confidential VMs to woo regulated industries to the cloud

Written by Wed 15 Jul 2020

Google offering memory encryption for legacy and newly-built cloud applications

Google Cloud is launching a new suite of security-focused products to persuade cloud-shy organisations to migrate sensitive data to the cloud.

Heavily-regulated industries such as financial, insurance, or pharmaceutical firms have been reluctant to go all-in on cloud due to strict security and compliance requirements about how sensitive data is stored.

Such companies typically operate a hybrid architecture, keeping crown jewels on-premises while leveraging the cost and performance benefits of cloud for less sensitive assets.

Google, which trails rivals Microsoft and Amazon in the cloud market, believes these customers can be wooed cloud-wards with “Confidential Computing”, a technology that keeps data encrypted while it is being processed. In other words, data exists in plaintext only inside the CPU; in memory, and anywhere else outside the processor package, it stays encrypted.

At its virtual Google Cloud Next conference this week, the tech giant announced a new range of Confidential Computing products and the portfolio’s debut product, Confidential VMs.

“At Google, we believe the future of cloud computing will increasingly shift to private, encrypted services that give users confidence that they are always in control over the confidentiality of their data,” said Google Cloud experts in a blog post published after the event.

Confidential VMs

As the name suggests, the first product in Google’s Confidential Computing portfolio will provide memory encryption to any virtual machine, whether it runs a newly-built application or a legacy “lift and shift” workload.

“All GCP workloads you run in VMs today can run as a Confidential VM. One checkbox—it’s that simple,” said Google.

In-memory encryption is done in hardware: both Intel and AMD ship processors with an encryption engine on the memory path, using keys that are generated and held in silicon rather than by software.

In the end, Google opted to run Confidential VMs on AMD’s second-generation Epyc processors, preferring AMD’s Secure Encrypted Virtualization (SEV) to Intel’s Software Guard Extensions (SGX). SEV offered better performance and scalability than SGX, Google said. The two also differ in scope: SEV encrypts the whole of a VM’s memory, so an existing workload needs no changes, whereas SGX protects only the code and data an application explicitly places inside an enclave, which requires the application to be partitioned.

The Epyc processor generates and manages a per-VM encryption key at VM creation; the key is held in hardware and is not available to Google or to any other VM running on the host.
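A practitioner who has ticked the checkbox will want to confirm from inside the guest that SEV is actually active, which is what the Linux guest kernel itself does at boot by reading CPUID leaf 0x8000001F and the SEV_STATUS MSR (0xC0010131). The program below is an added example, not Google’s or AMD’s code: it decodes those two values (the bit positions follow AMD’s architecture manual; the struct and function names are ours) and, when run as root on an x86 machine with the msr kernel module loaded, reads them live. The sample values in the comments and the test are constructed, not captured from a real instance.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MSR_AMD64_SEV 0xC0010131u  /* SEV_STATUS MSR (AMD APM) */

/* What the CPU (or the hypervisor, when queried from a guest) advertises. */
typedef struct {
    int sev;            /* CPUID.8000001F:EAX[1]   SEV supported            */
    int sev_es;         /* CPUID.8000001F:EAX[3]   SEV-ES supported         */
    int sev_snp;        /* CPUID.8000001F:EAX[4]   SEV-SNP supported        */
    int c_bit;          /* CPUID.8000001F:EBX[5:0] position of the C-bit    */
    int phys_reduction; /* CPUID.8000001F:EBX[11:6] physical addr bits lost */
} sev_caps_t;

/* What is actually enabled for the guest we are running in. */
typedef struct {
    int sev;     /* MSR bit 0: memory encrypted with a per-VM key      */
    int sev_es;  /* MSR bit 1: register state also encrypted on VM exit */
    int sev_snp; /* MSR bit 2: integrity protection (reverse map table) */
} sev_status_t;

sev_caps_t decode_cpuid_8000001f(uint32_t eax, uint32_t ebx) {
    sev_caps_t c;
    memset(&c, 0, sizeof c);
    c.sev = (eax >> 1) & 1;
    c.sev_es = (eax >> 3) & 1;
    c.sev_snp = (eax >> 4) & 1;
    c.c_bit = (int)(ebx & 0x3f);           /* 47 on Zen-based Epyc parts */
    c.phys_reduction = (int)((ebx >> 6) & 0x3f);
    return c;
}

sev_status_t decode_sev_status(uint64_t msr) {
    sev_status_t s;
    s.sev = (int)(msr & 1);
    s.sev_es = (int)((msr >> 1) & 1);
    s.sev_snp = (int)((msr >> 2) & 1);
    return s;
}

/* Strongest mode that is active; "none" means a plain, unencrypted VM. */
const char *sev_mode_name(sev_status_t s) {
    if (!s.sev) return "none";
    if (s.sev_snp) return "SEV-SNP";
    if (s.sev_es) return "SEV-ES";
    return "SEV";
}

/* Reads MSR_AMD64_SEV through /dev/cpu/0/msr. Returns 0 on success, -1 if
 * the msr module is not loaded, we are not root, or the read faults, which
 * is what happens on a VM that is not SEV-enabled. */
int read_sev_status_msr(uint64_t *out) {
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, MSR_AMD64_SEV);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Returns -1 if the CPU has no leaf 0x8000001F (e.g. Intel or older AMD). */
int query_cpuid_sev(sev_caps_t *caps) {
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid_max(0x80000000u, NULL) < 0x8000001fu) return -1;
    __cpuid_count(0x8000001f, 0, eax, ebx, ecx, edx);
    *caps = decode_cpuid_8000001f(eax, ebx);
    return 0;
}
#endif

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    sev_caps_t caps;
    if (query_cpuid_sev(&caps) == 0)
        printf("CPUID: SEV=%d SEV-ES=%d SEV-SNP=%d C-bit=%d addr-reduction=%d\n",
               caps.sev, caps.sev_es, caps.sev_snp, caps.c_bit, caps.phys_reduction);
    else
        puts("CPUID leaf 0x8000001F absent: not an SEV-capable AMD CPU");
#else
    puts("not an x86 CPU");
#endif
    uint64_t msr;
    if (read_sev_status_msr(&msr) == 0)
        printf("MSR_AMD64_SEV=0x%llx -> mode %s\n",
               (unsigned long long)msr, sev_mode_name(decode_sev_status(msr)));
    else
        puts("MSR_AMD64_SEV unreadable: need root + msr module, or not an SEV guest");
    return 0;
}
```

CPUID tells you what the platform supports; only the MSR tells you what this guest got. On the product described here the expected answer is mode "SEV": memory is encrypted with a per-VM key, but the SEV-ES and SEV-SNP bits are clear, meaning register state saved on a VM exit is not encrypted and there is no integrity protection against the hypervisor remapping or replaying memory. Those are separate, later hardware features, so a compliance checklist should record which mode is active, not just "confidential".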

“We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure,” Google explained.

“Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.”

Google also announced a new cloud service to help public sector organisations meet security and compliance requirements.

Assured Workloads enables customers to select the region where their data is stored and to restrict which Google support staff can access it, based on background checks or citizenship. It will initially be available in the US, with release planned for this autumn.
