Google LLC today announced a new tier of “Confidential” virtual machines for cloud users that ensure their data remains encrypted while it’s being used.

The new Confidential VMs, detailed at the Google Cloud Next OnAir online conference that runs nine weeks through Sept. 8, are available now in beta test mode.

They’re the first product in Google’s new Confidential Computing portfolio of services. Confidential Computing is a new technology that keeps data encrypted as it’s being processed in memory, without exposing it to other parts of the computer system.

Google Cloud already encrypts data at rest and data in transit, but previously that information has always had to be decrypted while it’s actually being processed, something that’s often seen as a glaring weakness in the data encryption landscape.

“We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multitenant architecture secure,” lead product manager Nelly Porter, engineering director Gilad Golan and lead security product marketing manager Sam Lugani wrote in a blog post. “Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud.”

The technology behind Google’s Confidential VMs is based in part on its work with the Confidential Computing Consortium, which is an industry group that’s trying to promote the concept of “Trusted Execution Environments.” TEEs are a secure area of a computer chip that encrypts the data and code loaded inside it, meaning that other parts of the processor cannot access this information.

Google said its Confidential VMs run on N2D series virtual machines that are powered by Advanced Micro Devices Inc.’s 2nd Gen EPYC processors, which feature Secure Encrypted Virtualization technology that can isolate VMs from the hypervisor software that runs them.

“Using the AMD SEV feature, Confidential VMs offer high performance for the most demanding computational tasks, while keeping VM memory encrypted with a dedicated per-VM instance key that is generated and managed by the AMD EPYC processor,” Porter, Golan and Lugani explained. “These keys are generated by the AMD Secure Processor during VM creation and reside solely within it, making them unavailable to Google or to any VMs running on the host.”

Google said it worked closely with AMD’s Cloud Solution engineering team to ensure that the new VM’s memory encryption features don’t have any negative impact on workload performance. To ensure this, Google added support for new OSS drivers that handle storage and network traffic with a much higher throughput than older protocols, ensuring that the Confidential VMs offer a performance that’s almost at the same level of its regular virtual machines.

“For the new Google Compute Engine Confidential VMs in the N2D series, we worked with Google to help customers both secure their data and achieve performance of their workloads,” said Raghu Nambiar, AMD’s Data Center Ecosystem corporate vice president.

Google said its Confidential VMs ensure data remains encrypted no matter if it’s being used for analytics workloads, queries or training artificial intelligence models. It will also enable new computing scenarios that previously haven’t been possible, the company said. The bottom line, Google added is that organizations can now share confidential data sets and collaborate on research in the cloud while preserving confidentiality.

The new VMs can help to satisfy the needs of any company that’s working with sensitive data, but Google said they should be especially interesting for customers that work in regulated industries, such as finance.

“At J.P. Morgan Chase protecting data is one of our highest priorities,” said Morgan Akers, a director at JP Morgan Chase & Co. “Confidential Computing is an emerging technology that we are excited to explore as part of our data protection strategy.”

Image: Google