A few months after upgrading its general-purpose (N2D) and compute-optimized (C2D) virtual machines to adopt the latest AMD EPYC technology, Google is now making confidential computing available in preview on those machine types.
Launched almost two years ago, confidential computing is Google moniker for privacy and security oriented Cloud VMs that not only grant data is encrypted while in transit and at rest, but also while in memory:
Confidential Computing products from Google Cloud protect data in use by performing computation in a hardware isolated environment that is encrypted with keys managed by the processor and unavailable to the operator.
To this aim, Google confidential computing leverages AMD Secure Encrypted Virtualization (SEV) and other security technologies available on AMD EPYC processors to ensure the guests and the hypervisor running on the same virtual machine are isolated. The advantage of confidential computing compared to other techniques to ensure data is cryptographycally secure in memory is it provides an easy way to run native x86 applications in a trusted execution environment provided the guest runs an operating system designed for this use case.
Until now, Google confidential computing was only available on machines equipped with 2nd generation AMD EPYC processors and not on more recent machines using 3rd generation EPYC processors, thus creating a gap for customers requiring maximum privacy on the latest available hardware.
According to Google, N2D machines using 3rd generation EPYC processors provided an average 30% price-performance improvement over 2nd generation processors. Google has not released specific performance figures for confidential computing machines, but they say they have worked closely with AMD to make sure that memory encryption does not interfere with workload performance.
As mentioned, Google is offering confidential computing as a preview on N2D and C2D machine types. N2D are general-purpose machines enabling up to 224 vCPUs and 8 GB of memory per vCPU, while C2D are compute-optimized machines that maximize performance per core and provide up to 112 vCPUs with 4 GB of memory per vCPU.
AMD EPYC processors do not only power Google's products aimed to guarantee data privacy through cryptography, but also Azure's, AWS' and others.
On a related note, Google Project Zero has recently disclosed a number of security issues affecting AMD EPYC processors SEV, which have been promptly fixed by AMD.