Confidential VMs are coming! Here’s why you shouldn’t miss out.
Protecting your data remains complex, especially in the cloud.
It is difficult to protect against malicious acts by an infrastructure administrator when that administrator works for the hyperscaler from whom you rent physical or virtual machines. Even if the disks are encrypted, the administrator can still analyze the data in the server’s RAM.
“Confidential computing” techniques help guard against this kind of threat by encrypting data in memory. Since 2015, Intel SGX (Software Guard Extensions) technology has enabled launching processes in an encrypted memory area. This digital enclave technology is now perfectly mature, but its implementation remains complex, as it requires adapting the code to benefit from it. In 2019, AMD offered a more advanced and flexible solution: AMD SEV (Secure Encrypted Virtualization). This technology allows for the direct launch of virtual machines (VMs) in encrypted memory spaces, greatly facilitating the deployment of protected environments. Intel also now offers a technology for deploying confidential VMs: Intel TDX (Trust Domain Extensions).
All companies are now advised to replace their conventional VMs with confidential VMs. The benefits are clear:
- They are available from most hyperscalers and major hosts at affordable rates (about 10% higher than conventional VMs).
- Everything deployed within a confidential VM is protected from the outset, with only a moderate impact on performance (around 5%).
- Confidential VMs allow cloud infrastructures to easily comply with data protection standards and legislation.
A secure technology…as long as the integrity of the environments can be guaranteed
Our approach is to provide turnkey Red Hat and Ubuntu environments, perfectly secured with an integrated standard verifiability tool that calculates a signature of the hardware and software environment. Recalculating that signature makes it possible to verify at any moment that the integrity of the environment has not been altered. The Cosmian Verifiable & Confidential Trusted Execution Environments are offered in two versions: Cosmian VM, to protect against alterations from infrastructure administrators, and Cosmian Enclave, to guard against threats from infrastructure and system administrators.
Confidential VMs make it possible to run any application confidentially and verifiably, including your own Cosmian KMS. The Cosmian Verifiable & Confidential Trusted Execution Environments will soon be integrated into the marketplaces of the major hyperscalers, including Google, Amazon, and Microsoft, with each of whom we collaborate. This is an effective way for each of these giants to ensure the integrity of their encrypted virtual machines.
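The recalculate-and-compare check described above, sketched as an added example (not Cosmian's tool and not code from this page): it covers only the software side, folding a file tree into one order-dependent value the way a TPM PCR is extended, and does not reproduce the hardware attestation an SEV or TDX platform provides. The function names, the SHA-256 chain and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def measure_tree(root):
    """Return (signature_hex, {relative_path: digest_hex}) for a directory tree."""
    per_file, chain = {}, bytes(32)  # chain starts at zeroes, like a TPM PCR
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # fixed traversal order keeps the chain reproducible
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):
                continue  # this sketch measures regular files only
            # Bind path and permission bits so a rename or chmod changes the digest.
            h = hashlib.sha256(f"{rel}\0{stat.S_IMODE(mode):o}\0".encode())
            with open(full, "rb") as f:
                for block in iter(lambda: f.read(65536), b""):
                    h.update(block)
            per_file[rel] = h.hexdigest()
            # Extend: new = SHA-256(old || digest), so order and content both matter.
            chain = hashlib.sha256(chain + h.digest()).digest()
    return chain.hex(), per_file


def diff_measurements(baseline, current):
    """List (path, change) pairs between two per-file digest maps."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) != current.get(path):
            kind = "added" if path not in baseline else "removed" if path not in current else "modified"
            changes.append((path, kind))
    return changes


def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("tls=on\n")
        base_sig, base_files = measure_tree(root)
        (root / "etc" / "app.conf").write_text("tls=off\n")  # constructed tampering
        (root / "new.sh").write_text("#!/bin/sh\n")  # constructed extra file
        new_sig, new_files = measure_tree(root)
        return base_sig != new_sig, diff_measurements(base_files, new_files)
```

The baseline signature is only useful if it is stored somewhere the party being checked cannot rewrite, which is the role the hardware-backed part of such a scheme plays.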