Confidential VMs

Ever since we started to offload workloads to hardware that we didn’t physically control, there have been security concerns. I remember when this started with application service providers and web workloads. This has continued to be an issue as more and more types of workloads have moved to cloud vendors and other hosting providers.

Google is trying to ameliorate some of the concerns by offering customers confidential VMs. These are special types of VMs, using encryption and hardware capabilities to protect the workloads from any unauthorized access. I don’t know to what extent this practically protects a workload compared to a non-confidential VM, as the details are a bit confusing. I’m sure there is some extra protection, but the weak point in most cases here is still likely the humans that use credentials to access the VM. I’d suspect a determined attacker would try to hack the sysadmin and their laptop rather than the VM itself.

In any case, Google is trying to ensure the added encryption doesn’t cause any workload degradation. Hardware can likely help here, but I’m not sure that you can perform encryption and decryption without using more resources. There might be minimal impact, but there has to be some resource impact, at least compared to a non-confidential VM.

I’m glad there is research and work still happening to find ways to improve security for systems that we might no longer control. I think that’s increasingly the trend. Whether you go with a cloud vendor like AWS, Azure, GCP, etc., or you look to host with a Rackspace-like provider, more and more of our infrastructure is being outsourced, and I don’t know that the trend will reverse itself anytime soon. Even if it does, the more we can provide security hurdles against unauthorized access, the better.

Steve Jones

About way0utwest

Editor, SQLServerCentral