When you deploy virtual machines on public cloud infrastructures, there will be at least one actor capable of capturing the data: the cloud infrastructure operator, also known as a hyperscaler.

Regardless of whether the data on the storage units is encrypted and the encryption keys controlled by your own KMS (Key Management System), the cloud operator will be able to see the data in clear text in RAM as it is processed by the server processor.

Confidential computing techniques can solve this thorny problem. The idea here is to exploit certain features present in the latest processors – in this case AMD SEV (Secure Encrypted Virtualization) and Intel TDX (Trust Domain Extension) – to run virtual machines in encrypted RAM spaces. These confidential virtual machines can host any OS compatible with traditional VMs. They are therefore particularly easy to implement.

An offer that is becoming clearer… among the major hyperscalers

To date, all three major American hyperscalers offer, or are in the process of offering, confidential virtual machines to their customers:

• Microsoft references confidential VMs running AMD SEV. Availability is effective, but on request. VMs based on Intel TDX are in preview.

   

• Amazon only offers confidential VMs based on AMD SEV. They are in general availability. Intel’s offer is not included in the catalog.

   

• Google is in public preview on AMD solutions and in private preview on Intel solutions. These two solutions could go into general availability over the summer.

Note that the price of confidential VMs is around 10% higher than that of classic VMs, with performance down by around 5%. Both of these factors are largely acceptable when considering the benefits they bring in terms of environment confidentiality.

Closer to home, OVH does not currently offer confidential virtual machines. Sovereign cloud NumSpot, which has SecNumCloud certification, is planning to deploy Intel TDX technology to offer confidential VMs to its customers.

Beware of environment verifiability

And don’t forget that this technique only protects you from the infrastructure operator, and not from the mischief that could come from a careless system administrator. Other techniques, such as the use of SGX enclaves, should be considered for protection against this type of threat.

Considering migrating your sensitive data and applications to a cloud provider but worried about security risks? Look no further than Cosmian vm, the only plug-and-play VM that guarantees the integrity and security of your environment, free from complexities. Contact us.