Google announced today that it is making available confidential computing nodes that encrypt data while it is processing in beta on the managed Google Kubernetes Engine (GKE) service.
At the same time, Google revealed that a previously announced Confidential VMs service is now generally available. As part of that effort, the company is also making available auditing and policy control tools for Confidential VMs alongside tools to restrict access and share secrets between Confidential VM instances.
Confidential computing takes encryption beyond securing data at rest or in transit. Prior to the arrival of confidential computing, all data running in memory was accessible as clear text. Both AMD and Intel last year unveiled processor families that enabled data to be encrypted while running in memory.
That approach protects data from sophisticated attacks that might be launched by, for example, nation-states using infamous hacking tools such as the one the U.S. National Security Agency (NSA) lost control over; however, it also means IT personnel can no longer potentially see that data either. That can mitigate concerns about who is seeing what data, because of laws such as the Patriot Act in the U.S. Once a task is completed, data can be encrypted both in transit and at rest within a local data center as required. That’s critical for cloud service providers that need to be able to migrate workloads across a global network of data centers to maximize efficiency.
Confidential GKE Nodes are available in the 1.18 release of GKE, which can be configured to only deploy node pools with Confidential VM capabilities in a Kubernetes cluster. Those clusters will automatically enforce the use of Confidential VMs for all worker nodes using AMD EPYC processors that include an AMD Secure Encrypted Virtualization capability.
Nelly Porter, senior product manager for Google Cloud, says confidential computing is especially relevant to containerized applications that tend to be ephemeral. Running containerized workloads on instances of GKE that have Confidential Computing capabilities reduces the security challenges that stem from containers being constantly ripped and replaced, she says.
Porter notes right now it only makes economic sense for organizations to employ confidential computing to process their most sensitive data. However, there will come a time when a level of scale is achieved that it makes sense to make confidential computing available by default to all customers.
It’s too early to say when confidential computing may become pervasive. However, given the fact that more data than ever is being deemed sensitive, soon more organizations will shift more workloads toward processors that have this capability. After all, advanced hacking tools that enable cybercriminals to access data running in memory are accessible via the Dark Web. It might require a level of sophistication to employ those tools, but like everything else related to IT security, there are plenty of organizations willing to make that expertise available to anyone willing to pay for it.