Introduction
A Confidential VM is a Compute Engine VM that ensures your data and apps remain secret and secured while in use. You may utilize a Confidential VM as part of your security strategy to prevent sensitive data or workloads from being exposed during processing.
With ubiquitous data encryption, you control access to your data whether it is in storage, in memory, or in flight, while still making full use of GCP's computation and storage power.
In this article, let us understand the confidential computing and ubiquitous data encryption methods in GCP.
Confidential Computing concepts
Confidential Computing
Confidential Computing is the use of hardware-based Trusted Execution Environments (TEEs) to safeguard data in use. TEEs are secure, isolated environments that protect programs and data from unauthorized access or modification while they are in use. The Confidential Computing Consortium defines this security standard.
End-to-end encryption
End-to-end encryption is divided into three stages.
Encryption-at-rest: secures your data while it is being stored
Encryption-in-transit: secures your data while it travels between two points
Encryption-in-use: secures your data while it is being processed
Confidential Computing offers the final component of end-to-end encryption, encryption-in-use.
Confidential VM
A Confidential VM is a Compute Engine VM that ensures your data and apps remain secret and secured while in use. You may utilize a Confidential VM as part of your security strategy to prevent sensitive data or workloads from being exposed during processing.
Confidential VM runs on hosts equipped with AMD EPYC CPUs and AMD Secure Encrypted Virtualization (SEV). The following benefits and functionality are provided by incorporating SEV with Confidential VM.
Isolation: Encryption keys are created by the AMD Secure Processor (SP) during VM creation and reside only on the AMD System-On-Chip (SOC). Even Google cannot access these keys, providing further isolation.
Attestation: Confidential VM employs Virtual Trusted Platform Module (vTPM) attestation. A launch attestation report event is created every time an AMD SEV-based Confidential VM starts.
High performance: AMD SEV provides strong performance for demanding computing operations. Enabling Confidential VM has little or no effect on most workloads, with just a 0-6 percent performance loss.
Enable Confidential VM
When you start a new VM, you may activate Confidential Computing. A Confidential VM may be created with just one more checkbox or 1-2 lines of code than a typical VM. You may keep utilizing the other tools and workflows you currently use. No modifications to your current apps are required to incorporate Confidential Computing.
Confidential VM is compatible with the following CPU systems.
AMD EPYC Rome
AMD EPYC Milan
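The settings described above can be checked after the fact. The following is an added example, not code from the original article or from Google: it audits instance records in the shape of `gcloud compute instances list --format=json` output. The sample records are constructed, and the `cpuPlatform` strings are assumed to match the two platforms listed above.

```python
import json

# Constructed sample in the shape of `gcloud compute instances list
# --format=json` output; instance names and values are made up.
SAMPLE = json.loads("""
[
  {"name": "payments-cvm", "cpuPlatform": "AMD Milan",
   "confidentialInstanceConfig": {"enableConfidentialCompute": true},
   "shieldedInstanceConfig": {"enableVtpm": true}},
  {"name": "batch-worker", "cpuPlatform": "Intel Cascade Lake",
   "shieldedInstanceConfig": {"enableVtpm": true}},
  {"name": "legacy-cvm", "cpuPlatform": "AMD Rome",
   "confidentialInstanceConfig": {"enableConfidentialCompute": true},
   "shieldedInstanceConfig": {"enableVtpm": false}}
]
""")

# Assumed string form of the CPU platforms the article lists.
SEV_PLATFORMS = {"AMD Rome", "AMD Milan"}

def audit_instance(inst: dict) -> list[str]:
    """Return the reasons an instance does not match the Confidential VM setup."""
    findings = []
    if not inst.get("confidentialInstanceConfig", {}).get("enableConfidentialCompute"):
        findings.append("confidential computing not enabled")
    if inst.get("cpuPlatform") not in SEV_PLATFORMS:
        findings.append(f"cpuPlatform {inst.get('cpuPlatform')!r} is not AMD EPYC Rome/Milan")
    if not inst.get("shieldedInstanceConfig", {}).get("enableVtpm"):
        findings.append("vTPM disabled, so no vTPM attestation")
    return findings

def audit(instances: list[dict]) -> dict[str, list[str]]:
    """Map each instance name to its list of findings (empty list means OK)."""
    return {i["name"]: audit_instance(i) for i in instances}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```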
Supported operating systems
Confidential VM is compatible with the following operating systems.
CentOS 8
Container-Optimized OS 85 LTS
Container-Optimized OS 89 LTS
Container-Optimized OS 93 LTS
Red Hat Enterprise Linux 8
SUSE Linux Enterprise Server 15 SP2 x86_64
SUSE Linux Enterprise Server 15 SP3 x86_64
Ubuntu 18.04 LTS
Ubuntu 20.04 LTS
Facilitate ubiquitous data encryption with the Split-Trust Encryption Tool
End-to-end encryption, according to Google, is intended to fulfill a simple vision: that customer data is verifiably secured against any access the customer has not authorized, from the moment it leaves the customer's data center and enters Google Cloud.
Their objective is to create a secure key distribution method that enables safe key ingress and egress in/out of Google Cloud while being verifiably and cryptographically secure from Google Cloud insiders.
This feature applies to data that is sent to Cloud Storage and processed using Compute Engine VMs. This section provides an overview of existing encryption solutions for Cloud Storage, Compute Engine, and external key managers.
Cloud Storage
You may utilize Cloud Storage to make data available to your cloud workloads after ingesting it into Google Cloud. You may transfer data from your on-premises computing environments to a Cloud Storage bucket, grant access to that bucket to your workload, and have the workload (or many workloads) consume that data as needed. This method avoids the difficulty of connecting directly to the workload to deliver the data it requires.
Cloud Storage always encrypts your data in transit and at rest. However, if you entrust Cloud Storage with the encryption, it must have access to the unencrypted data (plaintext) before encryption and to the encryption keys required to generate the encrypted data (ciphertext). Depending on your threat model, it may be preferable to encrypt the data before sending it to Cloud Storage so that Cloud Storage never sees the plaintext.
Client-Side Encryption
Client-side encryption encrypts data before it is uploaded to Cloud Storage and decrypts it only after it has been downloaded into your workload. Cloud Storage, therefore, has access to the ciphertext but not the plaintext. Cloud Storage applies an additional layer of encryption before storing the data; however, the encryption performed before uploading is the primary protection for the data.
With this method, you must now grant the workload access to the encryption key required to decrypt the data. This is a potentially challenging task because whoever holds the encryption key can remove your first layer of encryption and obtain access to the data.
External Key Management
Using a specialized Key Management Service (KMS) that keeps the keys and manages access to them is a standard solution to this key management challenge. A request must be issued to the KMS for each encryption or decryption attempt. The KMS may allow access based on numerous criteria, ensuring that only appropriate parties can decrypt the data.
Before approving access to the encryption key, KMS systems might require various criteria, but they commonly demand a credential that satisfies a policy specified on the KMS. As a result, anyone possessing that credential can access the encryption key and decrypt the data.
Confidential Computing
With Google Cloud's Confidential Virtual Machine (Confidential VM) service, Compute Engine VMs run with their memory encrypted, giving extra protection against accidental data access while in use. Confidential VMs are more trustworthy than standard VMs under various threat models, allowing them to be utilized for sensitive workloads.
One thing to consider if your threat model relies on Confidential Computing is verifying that a workload is actually running in a Confidential VM. Remote Attestation is a method for the workload to show a remote party that it is truly running in a Confidential VM and to validate many other aspects of the workload's setup and environment. Because the platform generates the attestations, the workload cannot provide fake attestations that do not reflect its actual environment.
Before granting access to keys, a KMS might demand and assess these attestations. Even if the standard credentials are compromised, this criterion ensures that only the intended workload is permitted to decrypt the data.
The Split-Trust Encryption Tool (STET) allows for the encryption and decryption of data using keys maintained in a key management system (KMS) that requires attestations.
Split Trust
When just one KMS is used, that KMS has complete control over the encryption keys. If a KMS operator obtains the ciphertext of your encrypted data, they will have everything they need to decrypt it into plaintext. While this risk may be acceptable if an entirely trustworthy organization runs the KMS, some threat models necessitate the removal of unilateral control from the KMS.
You may share this trust between two KMS systems via STET, with neither KMS having enough information to decrypt your data. To decrypt your data, you would need the cooperation of both KMS operators (as well as access to the ciphertext).
Overall, STET helps ensure that the only organizations with access to your unencrypted data are the data's creator (for example, an on-premises system) and the data's consumer (for example, a workload running in a Confidential VM).
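The two ideas above, attestation-gated key release and split trust, can be modelled together. This is an added example, not STET's code or the article's: the `AttestingKMS` class, the `confidential_vm` claim name and the 2-of-2 XOR split are assumptions chosen for illustration and are not claimed to be STET's actual key-splitting method.

```python
import secrets

def split_key(dek: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: either share alone is uniformly random bytes."""
    pad = secrets.token_bytes(len(dek))
    return pad, bytes(a ^ b for a, b in zip(dek, pad))

def combine(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))

class AttestingKMS:
    """Hypothetical stand-in for one external KMS. It holds one share and
    releases it only to a caller with a valid credential AND attestation
    claims that satisfy its policy. Claims are assumed to be already
    signature-verified against the platform; that step is not modelled."""

    def __init__(self, name: str, policy: dict):
        self.name, self.policy, self._shares = name, policy, {}

    def store(self, key_id: str, share: bytes) -> None:
        self._shares[key_id] = share

    def release(self, key_id: str, credential_ok: bool, claims: dict) -> bytes:
        if not credential_ok:
            raise PermissionError(f"{self.name}: credential rejected")
        unmet = [k for k, v in self.policy.items() if claims.get(k) != v]
        if unmet:
            raise PermissionError(f"{self.name}: attestation policy unmet: {unmet}")
        return self._shares[key_id]

def protect(dek: bytes, key_id: str, kms_a: AttestingKMS, kms_b: AttestingKMS) -> None:
    """Data creator side: split the key and hand one share to each KMS."""
    share_a, share_b = split_key(dek)
    kms_a.store(key_id, share_a)
    kms_b.store(key_id, share_b)

def recover(key_id, kms_a, kms_b, credential_ok, claims) -> bytes:
    """Data consumer side: both KMSes must agree to release their share."""
    return combine(kms_a.release(key_id, credential_ok, claims),
                   kms_b.release(key_id, credential_ok, claims))

if __name__ == "__main__":
    policy = {"confidential_vm": True}  # constructed claim name
    a, b = AttestingKMS("kms-a", policy), AttestingKMS("kms-b", policy)
    dek = secrets.token_bytes(32)
    protect(dek, "dataset-key", a, b)
    assert recover("dataset-key", a, b, True, {"confidential_vm": True}) == dek
```

A caller holding a valid credential but presenting claims from a non-confidential VM is refused by `release`, and a single KMS operator holds only one random-looking share.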
Frequently Asked Questions
What is ubiquitous data?
We might describe ubiquitous data as data that arises asynchronously and in a decentralized way from various loosely connected, partially overlapping, and potentially contradictory sources.
What is a confidential VM service?
A Confidential VM is a Compute Engine VM that ensures your data and apps remain secret and secured while in use. You may utilize a Confidential VM as part of your security strategy to prevent sensitive data or workloads from being exposed during processing.
What does Google use for encryption?
Google employs the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. Except for a limited number of Persistent Disks created before 2015, all data at the storage level is encrypted with AES256 by default.
Conclusion
In this article, we have extensively discussed some key points related to Confidential VM and confidential computing. Our discussion mainly focused on Confidential Computing concepts, Supported operating systems and machine types, and facilitating ubiquitous data encryption with the Split-Trust Encryption Tool.