Google Cloud wants to convince organizations to move their most sensitive data to the cloud with its new Confidential Virtual Machines product, and it’s relying on a silicon-level security feature within AMD’s second-generation EPYC processors to make it a reality.
The Mountain View, Calif.-based cloud provider announced Confidential VMs Tuesday at the virtual Google Cloud Next conference as the first product in its new Confidential Computing portfolio that encrypts data in memory and elsewhere outside the CPU.
The beta launch of Confidential VMs makes Google Cloud “the first major cloud provider to offer this level of security and isolation while giving customers a simple, easy-to-use option for newly built as well as ‘lift and shift’ applications,” according to the vendor. Key to this ease-of-use is a checkbox in the user interface that allows customers to seamlessly transition existing Google Cloud workloads.
While methods have existed to secure data in storage and in transit, protecting that same data while it’s being processed in memory has been a bigger challenge that has only seen the introduction of hardware-based solutions in the last few years, namely Intel’s Software Guard Extensions (SGX), which debuted in 2015, and AMD’s Secure Encrypted Virtualization (SEV), which debuted in 2017.
Nelly Porter, a lead product manager at Google Cloud, told CRN that ease of use, low performance impact and scalability are paramount to pushing adoption of Confidential VMs, which are the main reasons why the cloud provider decided to go with AMD SEV over Intel SGX.
The way AMD SEV was designed, according to Porter, customers don’t have to worry about redesigning or tweaking any of their applications to move them to Confidential VMs.
“The beauty of this idea: the customers don’t need to change anything,” she said. “Every application that they ran before in normal VMs will continue running in Confidential VMs.”
Confidential VMs are based on Google Cloud’s N2D series instances that run on AMD’s second-generation EPYC processors, all of which come with an expanded version of SEV that supports 509 encryption keys that are generated by the processors’ Arm-based secure co-processor.
With the co-processor’s key manager generating the VM encryption keys, neither Google Cloud or any VMs running on the hypervisor can access them, according to Porter, which is crucial to gaining the trust of organizations that want to move confidential and sensitive data to the cloud.
“This means nobody, not AMD, neither Google have access to those keys,” she said.
Based on testing by Google Cloud, the use of SEV only has a 2-6 percent performance impact depending on the workload, according to Porter, which allowed the company to meet its goal of not having an impact that exceeded 10 percent. Greg Gibby, a senior product manager at AMD, said the minimal impact is made possible by implementing an AES-128 encryption engine in each memory controller of the CPU.
As for why Google Cloud didn’t go with Intel SGX, Porter said it was a matter of the availability of processors supporting the feature as well as the complexity associated with adapting applications for the technology.
Porter said Intel SGX can be a “very useful tool for very dedicated and specific workloads,” such as protecting encryption keys, reviewing SSL and TLS connections and signing certificate requests for a certificate authority.” But the technology comes with a “significant price” associated with a need to redesign applications for Intel SGX enclaves, and the performance impact is significant, she added.
Intel SGX also isn’t widely enabled in Xeon processors, namely the company’s Xeon Scalable server lineup, Porter said, which means that Google Cloud would need to use Intel’s Xeon workstation processors to use SGX, limiting scalability. Intel said earlier this year that it plans to extend SGX to a “broader line of mainstream server platforms, with larger protected enclaves.”
“From our perspective, for the workloads we’re trying to enable, for use of use that we’re looking at and performance penalty,’ to tell customers [they] have to pay based on those three things, Intel SGX was an interesting idea, and we continue to look and work with Intel on that, but it’s not yet applicable to the workloads and scale that we’re looking at,” she said.
An Intel spokesperson said health care, finance, industry and government customers use Intel SGX, which “was the first hardware-based [Trusted Execution Environment] and is the only hardware security technology with attestation built in.”
“Customers control the use of their data and where it resides, which is accelerating multi-cloud usages,” the spokesperson said in a statement to CRN. “We continue to expand to a broader range of mainstream data-centric platforms and expect to extend future security protections to balance accelerator workloads and improve performance.”
Kent Tibbils, vice president of marketing at ASI, a Fremont, Calif.-based Intel distributor that also sells AMD components, said it’s not surprising to see AMD gain new cloud wins like it has with Google Cloud since it has been back in the market for three years now.
“Obviously AMD has a good product, they have some good features, and they came out with some things with their processor that Intel didn’t have at the time,” he said.
With the coronavirus pandemic forcing many people to continue to work from home and increasing a demand for cloud services, it’s good news for the channel that AMD and Intel both continue to push out new innovations around security, according to Tibbils.
“It does help to have AMD and Intel pushing each other back and forth on these different features, so it’s not just core counts and processor gigahertz,” he said. “It’s nice to see them looking in different areas and going broader with the kind of features they can put into the processors and the value they deliver.”