Confidential VMs are coming! Here’s why you shouldn’t miss out.

by Sandrine | Feb 6, 2024 | Cryptography, Engineering, Security

Protecting your data remains complex, especially in the cloud.

It’s true that it is difficult to protect against malicious acts from an infrastructure administrator when this person is a hyperscaler from whom you rent physical or virtual machines. Even if the disks are encrypted, the administrator can still analyze the data in the server’s RAM.

“Confidential computing” techniques help guard against this kind of threat by encrypting data in memory. Since 2015, Intel SGX (Software Guard Extensions) technology has enabled launching processes in an encrypted memory area. This digital enclave technology is now perfectly mature, but its implementation remains complex, as it requires adapting the code to benefit from it. In 2019, AMD offered a more advanced and flexible solution: AMD SEV (Secure Encrypted Virtualization). This technology allows for the direct launch of virtual machines (VMs) in encrypted memory spaces, greatly facilitating the deployment of protected environments. Intel also now offers a technology for deploying confidential VMs: Intel TDX (Trust Domain Extensions).

All companies are now advised to replace their conventional VMs with confidential VMs. The benefits are clear:

  • They are available from most hyperscalers and major hosts at affordable rates (about 10% higher than conventional VMs).
  • Everything deployed within a confidential VM is protected from the outset, with only a moderate impact on performance (around 5%).
  • Confidential VMs allow cloud infrastructures to easily comply with data protection standards and legislation.

A secure technology…as long as the integrity of the environments can be guaranteed

Several vulnerabilities have been found in AMD SEV and Intel TDX solutions. However, these technologies are rapidly maturing and are becoming increasingly reliable and robust. Nonetheless, a malicious infrastructure administrator could bypass them by modifying the hardware or software stack. This is why it is imperative to add a verifiability solution to confidential VMs. This will ensure that neither the hardware environment nor the software layers have been altered, from the firmware to the operating system.

Our approach involves providing turnkey Red Hat and Ubuntu environments, perfectly secured with an integrated standard verifiability tool that will calculate the hardware and software environment’s signature. This makes it possible to verify at any moment that the entire integrity has not been altered by recalculating the signature. The Cosmian Verifiable & Confidential Trusted Execution Environments are offered in two versions: Cosmian VM, to protect against alterations from infrastructure administrators, and Cosmian Enclave, to guard against threats from infrastructure and system administrators.

The Confidential VMs offer the possibility to run any application confidentially and verifiably, including your own Cosmian KMS. The Cosmian Verifiable & Confidential Trusted Execution Environments will be integrated into major hyperscalers marketplaces soon, including Google, Amazon, and Microsoft, each with whom we collaborate. This is an effective way for each of these giants to ensure the integrity of their encrypted virtual machines.

Start securing your data today

We’re with you every step of the way as your trusted partner in encryption. 

Complete the form below to book a demo and one of our experts will be in touch.

Our latest news

— There are no limits

Find us on
the Marketplaces

Regain control now on your data and applications in the cloud, subscribe to our cloud marketplaces offering on AWS, Azure and Google Cloud.

Cosmian makes no tracking for advertising and does not collect any personal data. Cookies are used for statistical or operational purposes, as well as for analysis, allowing for continuous improvement of the website. Cosmian uses the Matomo Analytics tool, an audience measurement solution that uses cookies with a configuration that complies with the data protection legislation and the recommendations of the CNIL (Commission Nationale de l'Informatique et des Libertés). This configuration allows to anonymise visitor's data and to limit the storage period of this data to a maximum of 13 months. With this configuration, the prior consent to the deposit of Matomo Analytics cookies is not required. However, you can still choose not to allow these cookies by clicking below or at any time by consulting our Privacy Policy.

You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.