UPDATED 08:00 EDT / SEPTEMBER 08 2020

CLOUD

Google expands Confidential Computing to Kubernetes workloads

Google LLC said today during its Cloud Next OnAir event wrapping up this week that it’s expanding its new Confidential Computing portfolio with the launch of a new service.

Confidential GKE Nodes adds more privacy to workloads running on Kubernetes. Google launched the first product in its Confidential Computing portfolio, called Confidential VMs, in July, and said today that those virtual machines are now generally available.

Confidential Computing is a new initiative that involves keeping data encrypted as it’s being processed. It’s the final piece of the puzzle in data encryption, since cloud providers already encrypt data at rest and data in transit. But up until recently, it has always been necessary to decrypt that information in order to process it, and many experts see that as a glaring hole in the data encryption landscape.

Google’s Confidential Computing initiative is based on its work with the Confidential Computing Consortium, which is an industry group that’s trying to promote the concept of “Trusted Execution Environments.” TEEs are a secure area of a computer chip that encrypts the data and code loaded inside it, meaning that other parts of the processor cannot access this information.

Google’s Confidential VMs run on N2D series virtual machines that are powered by Advanced Micro Devices Inc.’s 2nd Gen EPYC processors, which feature Secure Encrypted Virtualization technology that can isolate virtual machines from the hypervisor software that runs them. They ensure data remains encrypted regardless of whether it’s being used for analytics workloads, queries or training artificial intelligence models. They’re designed to help satisfy the needs of any company that’s working with sensitive data, but especially those in regulated industries, such as finance.

Perhaps the more important announcement is the upcoming beta availability of Confidential GKE Nodes, which Google said will debut in its forthcoming Google Kubernetes Engine 1.18 release. GKE is a managed, production-ready environment for running software containers, which package the components of modern applications so they can run in multiple computing environments. Kubernetes is an open-source orchestration tool used to manage those containers.

The addition of Confidential GKE Nodes enables more privacy when running GKE clusters, Google Cloud engineers Sunil Potti and Eyal Manor wrote in a blog post announcing the new feature.

“As we looked at building our Confidential Computing portfolio, we wanted to deliver a new level of confidentiality and portability for containerized workloads,” they wrote. “Google Cloud Confidential GKE Nodes are built on the same technology foundation as Confidential VMs, and allow you to keep data encrypted in memory with a node-specific dedicated key that’s generated and managed by the AMD EPYC processor.”

With Confidential GKE Nodes, customers will be able to configure GKE clusters so they can only deploy node pools that run on Confidential VMs. In other words, any workloads running on those nodes will be encrypted while the data is being processed.

“GKE Confidential Nodes will use hardware memory encryption powered by the AMD Secure Encrypted Virtualization feature used by AMD EPYC processors, which means that your workloads running on the confidential nodes will be encrypted in-use,” Potti and Manor said.

Constellation Research Inc. analyst Holger Mueller said many enterprises demand even greater privacy when using public cloud services than they do for on-premises workloads, in order to protect themselves from bad actors.

“Google Cloud is upping the game by expanding its Confidential Computing portfolio, giving users the option to make GKE clusters confidential,” Mueller said. “Given the popularity of Kubernetes, this looks to be a key step forward for the industry and gives enterprises more choices to make the next-generation applications safely in the public cloud.”

Meanwhile, Google said its Confidential VMs are gaining some new capabilities as they become generally available today. For example, audit reports on Confidential VMs now come with detailed logs on the integrity of the AMD Secure Processor Firmware that’s used to generate keys for each instance.

There are also more policy controls to define specific access privileges, and Google is adding the ability to disable any nonconfidential VMs that might be running in a specific project. Google is also integrating Confidential VMs with other enforcement mechanisms to improve security.
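One way a cloud security team can check that a project actually contains only Confidential VMs, as an added example that is not Google’s code or part of the original article: it audits the JSON that `gcloud compute instances list --format=json` returns (field names follow the Compute Engine API’s `confidentialInstanceConfig`; the instance data below is constructed sample input) and flags any instance that is not confidential or not on the N2D family the article names.

```python
import json

# Constructed sample of `gcloud compute instances list --format=json` output.
# Field names are the Compute Engine API's; names and zones are made up here.
MT = "https://www.googleapis.com/compute/v1/projects/example-project/zones/%s/machineTypes/%s"
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "api-frontend", "machineType": MT % ("us-central1-a", "n2d-standard-4"),
     "confidentialInstanceConfig": {"enableConfidentialCompute": True}},
    {"name": "batch-worker", "machineType": MT % ("us-central1-a", "n2-standard-4")},
    {"name": "legacy-db", "machineType": MT % ("us-central1-b", "n2d-standard-8"),
     "confidentialInstanceConfig": {"enableConfidentialCompute": False}},
])


def is_confidential(instance: dict) -> bool:
    """True when the instance was created with Confidential Computing (SEV) enabled."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    return bool(cfg.get("enableConfidentialCompute", False))


def machine_family(instance: dict) -> str:
    """Return the machine family, e.g. 'n2d' for '.../machineTypes/n2d-standard-4'."""
    return instance.get("machineType", "").rsplit("/", 1)[-1].split("-", 1)[0]


def find_nonconfidential(instances: list) -> list:
    """Return (name, reason) pairs for instances that would violate a
    project-level 'Confidential VMs only' rule. An instance is only counted
    once: a non-confidential one is reported regardless of machine family."""
    findings = []
    for inst in instances:
        if not is_confidential(inst):
            findings.append((inst["name"], "confidential compute not enabled"))
        elif machine_family(inst) != "n2d":
            findings.append((inst["name"], "SEV requires an N2D machine type"))
    return findings


def audit(instances_json: str) -> list:
    """Parse the gcloud JSON listing and return the findings."""
    return find_nonconfidential(json.loads(instances_json))


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_INSTANCES_JSON):
        print(f"{name}: {reason}")
```

Pipe real output into `audit()` from a scheduled job to catch instances created outside the confidential node pools before they process sensitive data.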

“You can use a combination of Shared VPCs, organization policy constraints, and firewall rules to ensure Confidential VMs can only interact with other Confidential VMs, even when these VMs live inside different projects,” Potti and Manor explained. “Furthermore, you can use VPC Service Controls to define a perimeter of GCP resources for your Confidential VMs.”
