Google Brings Confidential Computing to GKE Service

Google announced today that it is making available confidential computing nodes that encrypt data while it is processing in beta on the managed Google Kubernetes Engine (GKE) service.

At the same time, Google revealed that a previously announced Confidential VMs service is now generally available. As part of that effort, the company is also making available auditing and policy control tools for Confidential VMs alongside tools to restrict access and share secrets between Confidential VM instances.

Confidential computing takes encryption beyond securing data at rest or in transit. Prior to the arrival of confidential computing, all data running in memory was accessible as clear text. Both AMD and Intel last year unveiled processor families that enabled data to be encrypted while running in memory.

That approach protects data from sophisticated attacks that might be launched by, for example, nation-states using infamous hacking tools such as the one the U.S. National Security Agency (NSA) lost control over; however, it also means IT personnel can no longer potentially see that data either. That can mitigate concerns about who is seeing what data, because of laws such as the Patriot Act in the U.S. Once a task is completed, data can be encrypted both in transit and at rest within a local data center as required. That’s critical for cloud service providers that need to be able to migrate workloads across a global network of data centers to maximize efficiency.

Confidential GKE Nodes are available in the 1.18 release of GKE, which can be configured to only deploy node pools with Confidential VM capabilities in a Kubernetes cluster. Those clusters will automatically enforce the use of Confidential VMs for all worker nodes using AMD EPYC processors that include an AMD Secure Encrypted Virtualization capability.

Nelly Porter, senior product manager for Google Cloud, says confidential computing is especially relevant to containerized applications that tend to be ephemeral. Running containerized workloads on instances of GKE that have Confidential Computing capabilities reduces the security challenges that stem from containers being constantly ripped and replaced, she says.

Porter notes right now it only makes economic sense for organizations to employ confidential computing to process their most sensitive data. However, there will come a time when a level of scale is achieved that it makes sense to make confidential computing available by default to all customers.

It’s too early to say when confidential computing may become pervasive. However, given the fact that more data than ever is being deemed sensitive, soon more organizations will shift more workloads toward processors that have this capability. After all, advanced hacking tools that enable cybercriminals to access data running in memory are accessible via the Dark Web. It might require a level of sophistication to employ those tools, but like everything else related to IT security, there are plenty of organizations willing to make that expertise available to anyone willing to pay for it.

Mike Vizard

Mike Vizard is a veteran IT journalist with more than 25 years of experience covering the technology industry, having previously served as Editor-in-Chief of both CRN and InfoWorld and as editorial director for Ziff-Davis Enterprise, where he oversaw titles including eWEEK, CIO Insight and Baseline. Over his career he has also edited or contributed to a wide range of enterprise technology publications, including IT Business Edge, Channel Insider, ComputerWorld, TMCNet and Digital Review, and he later led editorial for CTOEdge.com. His reporting and analysis span software development, cloud computing, cybersecurity, IT channel strategy and, more recently, artificial intelligence and DevOps practices. A recognized voice in enterprise IT journalism, Vizard is known for tracking emerging technology trends as they move from early adoption into mainstream enterprise use. He now serves as Chief Content Officer for Techstrong Group, where he oversees editorial strategy across the full network — DevOps.com, Security Boulevard, Cloud Native Now, Digital CxO, Techstrong.ai, TechStrong.IT, Techstrong Semi and PlatformEngineering.com — in addition to writing and hosting content for Techstrong TV and the Techstrong Gang podcast.

    Mike Vizard has 1813 posts and counting. See all posts by Mike Vizard