How to protect your data in the public cloud?

| by Sandrine | June 17, 2024 | Security, Cloud

When you deploy virtual machines on public cloud infrastructures, there will be at least one actor capable of capturing the data: the cloud infrastructure operator, also known as a hyperscaler.

Regardless of whether the data on the storage units is encrypted and the encryption keys controlled by your own KMS (Key Management System), the cloud operator will be able to see the data in clear text in RAM as it is processed by the server processor.

Confidential computing techniques can solve this thorny problem. The idea is to use features present in the latest processors – in this case AMD SEV (Secure Encrypted Virtualization) and Intel TDX (Trust Domain Extensions) – to run virtual machines in encrypted RAM regions that the hypervisor cannot read. These confidential virtual machines can host any OS compatible with traditional VMs, which makes them particularly easy to adopt.

An offer that is becoming clearer… among the major hyperscalers

To date, all three major American hyperscalers offer, or are in the process of offering, confidential virtual machines to their customers:

  • Microsoft lists confidential VMs running on AMD SEV. They are available, but on request. VMs based on Intel TDX are in preview.

  • Amazon only offers confidential VMs based on AMD SEV. They are in general availability. Intel’s offer is not included in the catalog.

  • Google is in public preview on AMD solutions and in private preview on Intel solutions. These two solutions could go into general availability over the summer.

Note that the price of confidential VMs is around 10% higher than that of classic VMs, with performance down by around 5%. Both of these factors are largely acceptable when considering the benefits they bring in terms of environment confidentiality.

Closer to home, OVH does not currently offer confidential virtual machines. Sovereign cloud NumSpot, which has SecNumCloud certification, is planning to deploy Intel TDX technology to offer confidential VMs to its customers.

Beware of environment verifiability

Deploying confidential virtual machines is pointless unless you can verify that the server environment has not been modified by the cloud operator. A verifiability solution (remote attestation), such as the one integrated into Cosmian VMs, lets you check the integrity of the system, in terms of both hardware and software (from server firmware to the application components of your virtual machine).
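To make the "firmware to application" integrity check concrete, here is an added example (not Cosmian's or any vendor's code) of the measurement-chain part of a verifier: an ordered event log of per-layer digests is replayed into a TPM-style register and compared with the aggregate value from the attestation report, then each layer is compared with a golden digest. All digests and the report structure are constructed sample values; the check that the report itself is signed by the CPU vendor's key is assumed to have been done beforehand and is omitted.

```python
import hashlib

# Golden (expected) digests for each layer of the boot chain, as a verifier would
# obtain them from a trusted build pipeline. Constructed sample values.
GOLDEN = {
    "firmware": hashlib.sha256(b"ovmf-cvm-build-42").hexdigest(),
    "kernel": hashlib.sha256(b"vmlinuz-6.8-hardened").hexdigest(),
    "application": hashlib.sha256(b"app-bundle-v1.2.3").hexdigest(),
}
LAYERS = ("firmware", "kernel", "application")

def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = H(old || digest). Order and content both matter."""
    return hashlib.sha256(register + digest).digest()

def replay(event_log) -> str:
    """Recompute the aggregate measurement from an ordered log of (layer, digest_hex)."""
    reg = b"\x00" * 32
    for _, digest_hex in event_log:
        reg = extend(reg, bytes.fromhex(digest_hex))
    return reg.hex()

def verify(report: dict, event_log) -> tuple[bool, str]:
    """Accept only if the log reproduces the reported aggregate and every layer matches its golden digest."""
    if [layer for layer, _ in event_log] != list(LAYERS):
        return False, "unexpected layer sequence"
    if replay(event_log) != report["aggregate"]:
        return False, "event log does not reproduce reported aggregate"
    for layer, digest_hex in event_log:
        if digest_hex != GOLDEN[layer]:
            return False, f"{layer} digest differs from golden value"
    return True, "environment matches reference"

def make_report(event_log) -> dict:
    """Constructed stand-in for the platform-signed attestation report (signature check omitted)."""
    return {"aggregate": replay(event_log)}

GOOD_LOG = [(layer, GOLDEN[layer]) for layer in LAYERS]
# Same chain, but the firmware layer has been replaced by a modified build.
TAMPERED_LOG = [("firmware", hashlib.sha256(b"ovmf-modified").hexdigest())] + GOOD_LOG[1:]

if __name__ == "__main__":
    print(verify(make_report(GOOD_LOG), GOOD_LOG))          # accepted
    print(verify(make_report(TAMPERED_LOG), TAMPERED_LOG))  # rejected: firmware differs from golden
    print(verify(make_report(GOOD_LOG), TAMPERED_LOG))      # rejected: log does not match report
```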

And don’t forget that this technique only protects you from the infrastructure operator, and not from the mischief that could come from a careless system administrator. Other techniques, such as the use of SGX enclaves, should be considered for protection against this type of threat.

Considering migrating your sensitive data and applications to a cloud provider but worried about security risks? Look no further than Cosmian VM, the only plug-and-play VM that guarantees the integrity and security of your environment, free from complexities. Contact us.
