How to protect your data in the public cloud?
| by Sandrine | June 17, 2024 | Security, Cloud
When you deploy virtual machines on a public cloud, at least one party other than you is technically able to read your data: the cloud infrastructure operator (for the largest providers, the hyperscaler), whose hypervisor controls the physical host your VM runs on.
Encrypting the data at rest on storage volumes, even with keys held in your own KMS (Key Management System), does not change this. Data has to be decrypted to be processed, and while it sits in RAM the hypervisor can read guest memory in clear text.
Confidential computing addresses this problem. The idea is to use features of recent server processors, here AMD SEV (Secure Encrypted Virtualization) and Intel TDX (Trust Domain Extensions), to run virtual machines whose memory is encrypted with keys held by the processor and never exposed to the hypervisor or the operator. These confidential virtual machines run any guest OS with SEV or TDX guest support, which recent Linux kernels include, and require no changes to the applications inside them. They are therefore particularly easy to adopt.
An offer that is becoming clearer… among the major hyperscalers
To date, all three major American hyperscalers offer, or are preparing to offer, confidential virtual machines to their customers:
- Microsoft lists confidential VMs based on AMD SEV. They are available, but on request. VMs based on Intel TDX are in preview.
- Amazon offers confidential VMs based on AMD SEV only. They are in general availability. There is no Intel TDX offer in the catalog.
- Google is in public preview on its AMD offer and in private preview on its Intel offer. Both could reach general availability over the summer.
Note that confidential VMs are priced around 10% higher than classic VMs, with a performance cost of around 5%. Both are largely acceptable given the confidentiality they bring to the whole environment.
Closer to home, OVH does not currently offer confidential virtual machines. The sovereign cloud NumSpot, which holds SecNumCloud certification, plans to deploy Intel TDX to offer confidential VMs to its customers.
Beware of environment verifiability
A confidential VM only protects you if you can verify, before entrusting it with secrets, that it really is running in SEV- or TDX-encrypted memory on genuine hardware and booted the software you expect. That proof comes from the attestation report signed by the processor, not from anything the cloud console or the guest itself asserts.
Considering migrating your sensitive data and applications to a cloud provider but worried about security risks? Look no further than Cosmian VM, the only plug-and-play VM that guarantees the integrity and security of your environment, free from complexities. Contact us.
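As an added example (not code from the original post or from Cosmian), the script below shows the first thing a practitioner does after landing on a supposedly confidential VM, and why it is not enough. It classifies what a Linux guest kernel itself reports about memory encryption: the "Memory Encryption Features active:" line the kernel prints at boot, and the sev / sev_es / sev_snp / tdx_guest CPUID flags in /proc/cpuinfo. The sample inputs in the test are constructed. Everything the script reads is asserted by the environment the operator controls, so it distinguishes a confidential VM from a classic one on an honest host but does not verify anything; the attestation devices it looks for (/dev/sev-guest for AMD SEV-SNP, /dev/tdx_guest for Intel TDX) are the Linux interfaces through which the signed report that does provide verification is requested.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies what a Linux guest
# kernel reports about memory encryption and points at the attestation device.
# Kernel strings and flag names are those used by Linux; test inputs are constructed.

# classify_guest FLAGS KLOG
#   FLAGS: the "flags" line of /proc/cpuinfo
#   KLOG : kernel log text (output of dmesg)
# Prints one of: amd-sev-snp, amd-sev-es, amd-sev, intel-tdx, none.
classify_guest() {
  cpuflags="$1"
  klog="$2"

  # Preferred source: the kernel's own report that memory encryption is active.
  line=$(printf '%s\n' "$klog" | grep 'Memory Encryption Features active:' | head -n 1 || true)
  case "$line" in
    *"AMD SEV"*"SEV-SNP"*) echo "amd-sev-snp"; return 0 ;;
    *"AMD SEV"*"SEV-ES"*)  echo "amd-sev-es";  return 0 ;;
    *"AMD SEV"*)           echo "amd-sev";     return 0 ;;
    *"Intel TDX"*)         echo "intel-tdx";   return 0 ;;
  esac

  # Fallback: CPUID flags advertised to the guest. Weaker evidence: they say the
  # feature was offered to the guest, not that its memory is actually encrypted.
  case " $cpuflags " in
    *" tdx_guest "*) echo "intel-tdx" ;;
    *" sev_snp "*)   echo "amd-sev-snp" ;;
    *" sev_es "*)    echo "amd-sev-es" ;;
    *" sev "*)       echo "amd-sev" ;;
    *)               echo "none" ;;
  esac
}

# live_check: run the classification on this machine and report whether the
# guest attestation device, the only path to verifiable evidence, is present.
live_check() {
  flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1 || true)
  klog=$(dmesg 2>/dev/null || true)
  echo "guest kernel reports: $(classify_guest "$flags" "$klog")"
  # /dev/sev-guest (AMD SEV-SNP) and /dev/tdx_guest (Intel TDX) are the Linux
  # guest drivers through which a signed attestation report is requested.
  for dev in /dev/sev-guest /dev/tdx_guest; do
    if [ -c "$dev" ]; then
      echo "attestation device present: $dev"
    fi
  done
  echo "note: the above is asserted by the environment itself; only a vendor-signed"
  echo "attestation report, checked by a relying party outside the cloud, verifies it."
}

# Run with --live on the VM under test; without arguments only the functions are defined.
if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

The dmesg line is preferred over the CPUID flags because it is the kernel stating that it actually enabled memory encryption for its own pages, whereas the flags only reflect what CPUID exposed to the guest. Neither is proof: a hypervisor can present both to a classic VM. Treat a "none" result as a reason to stop, and a positive result as a reason to fetch and check the attestation report before loading keys or data.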