Confidential VMs on Intel CPUs: Your new intelligent defense
Joanna Young
Product Manager, Confidential Computing
Sam Lugani
Product Lead, Confidential Computing & Confidential AI
Editor’s note: As of March 2024, Confidential VMs with Intel TDX are now available in public preview on general purpose C3 machines.
For organizations who want to bring and process their most sensitive compute workloads in the cloud without any code changes, we offer Confidential virtual machines (VMs) that leverage the latest hardware-based security technology.
Through our partnership with Intel, we are extending our Confidential VMs on the new C3 machines series that uses 4th Gen Intel Xeon Scalable CPUs and leverages Intel Trust Domain Extensions (Intel TDX) technology. Available now in private preview, these next-generation Confidential VMs expand Google’s Confidential Computing product portfolio to include different hardware vendors, giving customers more choice when it comes to cryptographically isolating their workloads from other VMs — and even the cloud provider itself.
“Our goal with Confidential Computing is to help organizations unlock the full value of their data assets, even if that data is sensitive or regulated,” said Anil Rao, VP & GM of Systems Architecture & Engineering at Intel. “Google Cloud’s latest C3 machine series with Intel TDX deliver the security and performance customers require for advanced analytics and AI solutions, while protecting their data, and enhancing their privacy and compliance.”
How Confidential Computing can help secure data
Confidential Computing is the protection of data in-use through hardware-based technologies. Confidential VMs are a type of Compute Engine VM that uses confidential computing to ensure data and applications stay private and encrypted even while in use. Customers can use Confidential VMs as part of their security strategy, so they do not expose their data or workloads during processing, all without any code changes to their applications. Customers are used to encrypting data at rest and data in transit to help maintain confidentiality and integrity, and confidential computing enables customers to encrypt data during runtime, providing additional protection.
Making Confidential VMs available on our latest general-purpose C3 machine series allows customers to seamlessly secure their workloads while enjoying the enterprise-grade performance and reliability of the 4th Gen Intel Xeon scalable processor. The C3 machine series offers industry-leading price-performance and is suitable for a variety of workloads including CPU-based AI and ML training and inference, high traffic web, app, ad servers, databases and data analytics.
Canonical, which develops Ubuntu, has been a longtime partner with Google Cloud on our Confidential Computing solutions. Canonical offers comprehensive support for Intel TDX within the Linux stack on Google Cloud, spanning from the kernel to firmware and accompanying tools.
“Intel TDX represents a cutting-edge security feature designed to fortify sensitive workloads against a spectrum of potential threats,” said Hugo Huang, public cloud alliance director, Canonical. “In close collaboration with Google and Intel, the Canonical team ensures that Ubuntu delivers optimized support for the creation and management of virtual machines leveraging Intel TDX. This support empowers users to safeguard their data and applications against unauthorized access and tampering. Beyond the bolstered security, our Google users stand to benefit from enhanced performance and simplified operational intricacies.”
The C3 machine series uses Intel TDX as their confidential computing technology. Intel TDX aims to isolate VMs from the host and hypervisor and protect VMs against a broad range of software and hardware attacks. Each VM is hardware-isolated into a “Trust Domain” (TD), which helps strengthen customers’ control of their data and IP. A key feature of Intel TDX is remote attestation, which gives customers the ability to verify their VM is running with memory and CPU state confidentiality and integrity in a hardened environment.
At Google, we will continue to invest in privacy preserving technologies like confidential computing to ensure that the new security innovations are secure, easy to use, and easy to adopt. Earlier this year, Google’s Project Zero partnered with Intel to perform a full security audit of Intel TDX. The audit identified a handful of improvements which Intel implemented before introducing the 4th Gen Xeon Scalable processor. Launching our first Intel-based confidential computing offering is just one of many milestones we’ll reach to deliver the industry’s most Trusted Cloud.
Get started with Confidential VMs with Intel TDX
Sign up for the private preview of Intel TDX on Confidential VMs today at this sign-up form and view the announcement at this year’s Google Cloud Next.