Google LLC is sharing more information about a new security feature for its cloud platform that it announced during last month’s Cloud Next conference.
Google provided scant details when it launched “Shielded VMs” in beta, other than to say it was a suite of security tools and techniques to ensure that when virtual machines boot, they run only code that hasn’t been tampered with.
In a blog post today, Google Cloud product managers Nelly Porter and Sergey Simakov explained that “trust” is a critical prerequisite for any company looking to move to the public cloud, and Shielded VMs are meant to provide that trust.
“When evaluating a cloud provider, you want to know that it helps keep your information safe, helps protect you from bad actors, and that you’re in control of your workloads,” Porter and Simakov wrote.
They explained that trust begins at the hardware and firmware level, and extends to the host and guest operating systems. This matters because the Basic Input/Output System, or BIOS, which performs hardware initialization during the boot process, can be compromised by malware or “firmware rootkits,” leaving the operating system that loads afterward exposed to attackers.
“A guest OS can be dynamically compromised by attacking its kernel components via remote attack, by local code gaining escalation privileges, or by insiders (e.g., your privileged employees),” the Googlers wrote.
Shielded VMs provide a number of features meant to protect against this kind of attack. First, they replace legacy BIOS subsystems with more trustworthy firmware based on the Unified Extensible Firmware Interface, or UEFI, which supports Secure Boot.
Shielded VMs also rely on a virtual Trusted Platform Module, or vTPM, which secures virtual machines by generating cryptographic keys that add another layer of protection. The vTPM also helps validate a VM’s integrity before it boots.
“The TPM’s root keys and the keys that it generates can’t leave the TPM, thus gaining protection from compromised operating systems or highly privileged project admins,” Porter and Simakov said.
The clarity from Google is encouraging because security is critical to ensuring that executives have the confidence to move their information technology workloads to public cloud infrastructure, said Holger Mueller, vice president and principal analyst at Constellation Research Inc.
“Google is no exception, and it’s working itself up the stack,” Mueller said. “After unveiling the Titan chip and BIOS monitoring, it’s time to ensure the safety and integrity of the VMs. That’s a key step, as the whole stack needs to be protected against all possible intrusion and malware attacks, so it’s good to see more progress.”
Those interested in Google’s Shielded VMs capabilities can try them out for free while the service remains in beta.