Protect data in use with OCI Confidential Computing

February 2, 2023 | 3 minute read

At Oracle, we’re constantly working to help our customers create a more robust security posture for their compute infrastructure. Oracle Cloud Infrastructure (OCI) encrypts customers’ data at rest in Object Storage and Block Storage services and in-transit with OCI Vault and OCI Certificates. Today, we’re excited to announce that customers can better protect data in use on OCI Compute instances with our Confidential Computing offering.

"The new OCI E3 and E4-based Confidential VMs help to enable a higher assurance of data control as customers transition their workloads to the cloud while delivering the modern security features and impressive performance of AMD EPYC processors."

- Suresh Andani (Sr. Director, AMD Cloud Business Group)

What is Confidential Computing?

Confidential Computing protects data in use at the hardware level. It is built on AMD EPYC™ processors and AMD Infinity Guard features: customers can run confidential virtual machines (VMs) protected by Secure Encrypted Virtualization (SEV), and confidential bare metal servers protected by Secure Memory Encryption (SME). These features use security components of 2nd and 3rd Generation AMD EPYC processors, which are available in all OCI E3 and E4 shapes.

With AMD SEV, AMD EPYC processors help to safeguard integrity and privacy by encrypting each VM's memory with a key unique to that VM, isolating guests from the hypervisor and from one another. With SME, the AMD Secure Processor generates a single key at boot and uses it to encrypt all system memory. The encryption keys are held by the Secure Processor in hardware, so that not even Oracle has access to them.

Confidential Computing has several benefits that organizations can weigh when deciding whether to add Confidential VMs or bare metal servers to their security posture. Because the protection is enforced at the lowest hardware layer, Confidential Computing shrinks the set of parties that must be trusted (the OS and hypervisor, ecosystem partners, and administrators), which helps reduce the risk of data exposure. The smaller attack surface and the hardware-based root of trust help protect data in use against some classes of threat, such as insider threats and firmware compromises. In finance, healthcare, and other highly regulated industries, protecting data throughout its entire lifecycle is critical, and organizations can also use Confidential Computing to help meet and maintain compliance with regional and industry frameworks.

You can gain all these benefits through OCI’s Confidential Computing offering without application code changes and with minimal performance impact. Enabling Confidential Computing doesn’t incur any extra costs on top of Compute instance pricing.

Getting started

Access the Console, create an instance, navigate to the Security section, and click Edit.

A screenshot of the Create Compute Instance page.

Then toggle Confidential Computing on.

A screenshot of the Security section showing the Confidential Computing option turned on.

Choose a compatible image and shape by looking for the lock icons.

A screenshot of the Image and Shape page, showing the options for images.
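Once the instance is running, a practitioner will want to confirm from inside the guest that memory encryption is actually active rather than relying on the Console toggle alone. The following is an added example and not part of the original post or OCI's own tooling: a small POSIX shell function that classifies the Linux kernel's boot log. The message formats it matches are assumptions drawn from the Linux x86 memory-encryption code as it has changed across kernel versions ("Memory Encryption Features active: AMD SEV" on newer kernels, "AMD Secure Encrypted Virtualization (SEV) active" on older ones); verify them against the kernel in the image you chose. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the OCI post): report which AMD memory-encryption
# feature a Linux guest or bare metal host says is active, based on dmesg.
# Assumed kernel message formats (check against your kernel version):
#   newer: "Memory Encryption Features active: AMD SEV [SEV-ES] [SEV-SNP]"
#   older: "AMD Secure Encrypted Virtualization (SEV) active"
#          "AMD Secure Memory Encryption (SME) active"

# mem_encryption_status: read kernel log text on stdin and print exactly one of
#   SEV-SNP, SEV-ES, SEV, SME, or none.
mem_encryption_status() {
    # Keep only the line that reports active features, so unrelated lines such
    # as a host-side "kvm_amd: SEV supported" cannot produce a false positive.
    line=$(grep -E 'Memory Encryption Features active|\((SEV|SME)\) active' | head -n 1)
    # Most specific feature first: SEV-SNP implies SEV-ES implies SEV.
    case "$line" in
        *SEV-SNP*)              echo "SEV-SNP" ;;
        *SEV-ES*)               echo "SEV-ES" ;;
        *SEV*)                  echo "SEV" ;;
        *SME*)                  echo "SME" ;;
        *)                      echo "none" ;;
    esac
}

# Constructed sample logs for offline use; on a real instance run:
#   dmesg | mem_encryption_status
# (reading dmesg may require root when kernel.dmesg_restrict is set).
sample_new_sev_log() {
    cat <<'EOF'
[    0.000000] Linux version 5.15.0 (constructed sample)
[    0.012345] Memory Encryption Features active: AMD SEV
[    0.020000] random: crng init done
EOF
}

sample_old_sev_log() {
    cat <<'EOF'
[    0.000000] Linux version 4.18.0 (constructed sample)
[    0.011000] AMD Secure Encrypted Virtualization (SEV) active
EOF
}

sample_host_sme_log() {
    cat <<'EOF'
[    0.010000] Memory Encryption Features active: AMD SME
[    2.500000] kvm_amd: SEV supported: 509 ASIDs
EOF
}

sample_plain_log() {
    cat <<'EOF'
[    0.000000] Linux version 5.15.0 (constructed sample)
[    0.020000] random: crng init done
EOF
}

# Stand-alone demonstration over the constructed samples.
for f in sample_new_sev_log sample_old_sev_log sample_host_sme_log sample_plain_log; do
    printf '%-20s -> %s\n' "$f" "$($f | mem_encryption_status)"
done
```

This check is a sanity test of what the guest kernel reports, not a cryptographic proof: a kernel log can only tell you that the kernel believes SEV or SME is enabled. It is still worth running as part of instance provisioning, because a VM launched without the toggle, or on a non-compatible shape or image, will report "none" while otherwise looking identical.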

Learn more about Confidential Computing

Confidential Computing is available in select cloud regions: US East (Ashburn), US West (Phoenix), UK Gov West (Newport), UK South (London), Germany Central (Frankfurt), and Switzerland North (Zurich). You need to build an instance with a compatible shape and a supported OS, and select the feature while creating the instance. You cannot toggle this feature on for instances that have already been built. We plan to enable this feature in more cloud regions in the future, so stay tuned for more updates.

Klaudia Warner
