Google Cloud Unveils Confidential VMs Powered by AMD EPYC Processors

Google on Tuesday unveiled a new Google Cloud product designed to help organizations protect sensitive data while it’s being processed.

Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat and others last year announced the launch of the Confidential Computing Consortium, an organization of the Linux Foundation whose goal is to improve the security of data in use.

Google on Tuesday unveiled the first product in its Google Cloud Confidential Computing portfolio: Confidential VMs. Currently in beta for Google Compute Engine, Confidential VMs are designed to help organizations, particularly ones in regulated industries, protect sensitive data by providing memory encryption capabilities that can be leveraged to isolate cloud workloads.

The tech giant says it has been focusing on making confidential computing easy and accessible since the launch of its Asylo open source framework in 2018, and with the launch of Confidential VMs it believes it has achieved this goal.

Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature in 2nd Gen AMD EPYC processors to ensure that sensitive data remains encrypted at all times, including while it’s used, queried or indexed.

Google Cloud Confidential Computing builds on the protections provided by Shielded VM, a hardened virtual machine instance that ensures a verified bootloader and kernel run on startup, providing protection against malicious guest OS firmware, boot and kernel vulnerabilities, and malicious insiders.

“Confidential Computing can unlock computing scenarios that have previously not been possible. Organizations will now be able to share confidential data sets and collaborate on research in the cloud, all while preserving confidentiality,” Google explained.

The company noted that Google Cloud Platform users can easily move their current workloads to a Confidential VM, simply by ticking a checkbox.

“Using the AMD SEV feature, Confidential VMs offer high performance for the most demanding computational tasks, while keeping VM memory encrypted with a dedicated per-VM instance key that is generated and managed by the AMD EPYC processor. These keys are generated by the AMD Secure Processor during VM creation and reside solely within it, making them unavailable to Google or to any VMs running on the host,” Google said.
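The per-VM key lives in the AMD Secure Processor, so the only thing a guest operator can observe directly is whether the kernel booted with SEV enabled. The script below is an added example, not Google's or AMD's own code: it assembles the gcloud command that is the CLI equivalent of the console checkbox and then checks a kernel log for the SEV line. The `--confidential-compute` flag is the real gcloud flag; the N2D machine type (the AMD EPYC-based family), the TERMINATE maintenance policy, the Ubuntu image and the instance and zone names are assumptions, and the kernel log lines used for the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not Google's or AMD's code). Builds the gcloud command for a
# Confidential VM and checks a kernel log for the SEV "active" message.
# Assumptions: n2d-standard-2 (AMD EPYC-based N2D family), TERMINATE
# maintenance policy and the ubuntu-2004-lts image are placeholders chosen
# for the example; --confidential-compute is the real gcloud flag.

set -eu

# Return the create command as a string so it can be reviewed before it is run.
confidential_vm_create_cmd() {
  name="$1"
  zone="$2"
  cmd="gcloud compute instances create $name"
  cmd="$cmd --zone=$zone"
  cmd="$cmd --machine-type=n2d-standard-2"
  cmd="$cmd --confidential-compute"
  cmd="$cmd --maintenance-policy=TERMINATE"
  cmd="$cmd --image-family=ubuntu-2004-lts"
  cmd="$cmd --image-project=ubuntu-os-cloud"
  printf '%s\n' "$cmd"
}

# Return 0 if the supplied kernel log reports SEV as active, 1 otherwise.
# Matches the older "AMD Memory Encryption Features active: SEV" wording and
# the newer "Memory Encryption Features active: AMD SEV" wording; a host that
# only reports SME (host-side memory encryption) does not match.
sev_active_in_log() {
  printf '%s\n' "$1" | grep -Eiq 'Memory Encryption Features active:.*SEV'
}

# Live check for the guest you are logged into. dmesg may need root on recent
# distributions, so an unreadable ring buffer is treated as "not active".
sev_active_on_this_guest() {
  sev_active_in_log "$(dmesg 2>/dev/null || true)"
}

# Constructed sample kernel logs (not captured from a real host).
SEV_GUEST_LOG='[    0.000000] Linux version 5.4.0-gcp (constructed sample)
[    0.000000] AMD Memory Encryption Features active: SEV'
PLAIN_GUEST_LOG='[    0.000000] Linux version 5.4.0-gcp (constructed sample)
[    0.000000] Hypervisor detected: KVM'
SME_HOST_LOG='[    0.000000] AMD Memory Encryption Features active: SME'

# Demonstration on the constructed logs; never fails, so the script can be
# sourced or run as-is.
echo "create command: $(confidential_vm_create_cmd cvm-1 us-central1-a)"
for log in "$SEV_GUEST_LOG" "$PLAIN_GUEST_LOG" "$SME_HOST_LOG"; do
  if sev_active_in_log "$log"; then
    echo "SEV active"
  else
    echo "SEV not active"
  fi
done
```

Run `sev_active_on_this_guest` from inside a freshly created instance to confirm the kernel sees encryption enabled. Note that this is a local self-report from the guest kernel, not a cryptographic attestation of the VM's launch state, so it tells you the feature is on but does not by itself prove to a remote party which firmware or image was loaded.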

AMD told SecurityWeek that SEV has continued to evolve since its launch a few years ago to enable more secure functions for modern datacenters. The 2nd Gen EPYC CPUs provide up to 509 unique encryption keys known only to the processor, compared to only 16 unique keys provided by the 1st Gen EPYC processors. The company says this feature is only available on AMD processors.

AMD says its EPYC processors support a variety of cloud workloads, including general purpose, memory bound, compute-intensive and virtual desktop infrastructure (VDI). These processors are used not only by Google Cloud, but also Amazon Web Services (AWS), Microsoft Azure, Oracle Cloud Infrastructure, and IBM Cloud.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.