At Oracle, we're constantly working to help our customers create a more robust security posture for their compute infrastructure. Oracle Cloud Infrastructure (OCI) encrypts customers' data at rest in the Object Storage and Block Storage services and in transit with OCI Vault and OCI Certificates. Today, we're excited to announce that customers can better protect data in use on OCI Compute instances with our Confidential Computing offering.
"The new OCI E3 and E4-based Confidential VMs help to enable a higher assurance of data control as customers transition their workloads to the cloud while delivering the modern security features and impressive performance of AMD EPYC processors."
-Suresh Andani (Sr. Director, AMD Cloud Business Group)
Confidential Computing protects data in use at the hardware level. Powered by AMD EPYC™ processors, it lets customers run confidential virtual machines (VMs) using the AMD Infinity Guard feature Secure Encrypted Virtualization (SEV), and confidential bare metal servers using Secure Memory Encryption (SME). These features rely on security components of the 2nd and 3rd Generation AMD EPYC processors found in all of OCI's E3 and E4 shapes.
With SEV, the processor helps safeguard privacy and integrity by encrypting each VM's memory with a key unique to that VM, isolating guests from the hypervisor and from one another. With SME, the AMD Secure Processor generates a single key at boot and uses it to encrypt all of system memory. In both cases the encryption keys are held by the secure processor in hardware, so that not even Oracle has access to them.
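Because the Console toggle is the only visible indication that an instance was launched with memory encryption, a practitioner will usually want to confirm from inside the running system that SEV (or SME on bare metal) is actually active. The script below is an added example, not Oracle's or AMD's code. It checks two signals: the Linux kernel's boot message "Memory Encryption Features active: ..." (whose exact wording varies between kernel versions, so it is matched loosely) and the SEV_STATUS MSR at 0xC0010131, which `rdmsr` from msr-tools can read as root; bit 0 of that MSR reports SEV, bit 1 SEV-ES and bit 2 SEV-SNP. The sample log lines are constructed for the example and are not output captured from an OCI instance; pass `--live` to run the checks against the current machine.

```shell
#!/bin/sh
# Added example (not OCI's or AMD's code): verify from inside a running Linux
# guest or bare metal host that AMD memory encryption is really active.

# Decode a SEV_STATUS MSR value (decimal or 0x-prefixed hex) into the feature
# bits it carries: bit 0 = SEV, bit 1 = SEV-ES, bit 2 = SEV-SNP.
# Prints "none" if no SEV bit is set, "invalid" for non-numeric input.
decode_sev_status() {
    val=$(printf '%d' "$1" 2>/dev/null) || { echo invalid; return 1; }
    out=""
    [ $((val & 1)) -ne 0 ] && out="$out SEV"
    [ $((val & 2)) -ne 0 ] && out="$out SEV-ES"
    [ $((val & 4)) -ne 0 ] && out="$out SEV-SNP"
    [ -z "$out" ] && out=" none"
    printf '%s\n' "${out# }"
}

# Read kernel log text on stdin and report which memory-encryption mode the
# kernel announced at boot. Most specific match wins; "none" means the kernel
# reported no active memory encryption, i.e. the instance is not confidential.
memenc_from_log() {
    line=$(grep -i 'Memory Encryption Features active' | head -n 1)
    case "$line" in
        *SEV-SNP*) echo SEV-SNP ;;
        *SEV-ES*)  echo SEV-ES ;;
        *SEV*)     echo SEV ;;
        *SME*)     echo SME ;;
        *)         echo none ;;
    esac
}

# Constructed sample log lines (not captured from a real OCI instance), showing
# the two wordings the kernel has used and a non-confidential boot for contrast.
SAMPLE_SEV_GUEST='[    0.000000] Memory Encryption Features active: AMD SEV
[    0.123456] Booting paravirtualized kernel on KVM'
SAMPLE_SME_HOST='[    0.000000] AMD Memory Encryption Features active: SME'
SAMPLE_PLAIN='[    0.000000] Booting paravirtualized kernel on bare hardware'

# Live check against this machine: only runs when explicitly asked for, so the
# file can be sourced for its functions without side effects.
if [ "${1:-}" = "--live" ]; then
    echo "kernel log : $(dmesg 2>/dev/null | memenc_from_log)"
    if command -v rdmsr >/dev/null 2>&1; then
        # rdmsr prints the register in hex without a 0x prefix.
        raw=$(rdmsr 0xc0010131 2>/dev/null) || raw=""
        if [ -n "$raw" ]; then
            echo "SEV_STATUS : $(decode_sev_status "0x$raw")"
        else
            echo "SEV_STATUS : MSR not readable here (need root and the msr module)"
        fi
    else
        echo "SEV_STATUS : rdmsr not installed (package msr-tools)"
    fi
fi
```

A "none" result from both checks on an instance that was supposed to be confidential is worth treating as a deployment defect, since the setting cannot be added after launch and the instance has to be recreated.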
Confidential Computing has several benefits that organizations can weigh as they decide whether to add Confidential VMs or bare metal servers to their security posture. By enforcing protection at the lowest layers of hardware, Confidential Computing shortens the list of parties that must be trusted (OS, ecosystem partners, and administrators), which helps reduce the risk of data exposure. By shrinking the attack surface and anchoring protection of data in use in a hardware-based root of trust, it helps defend against threats such as malicious insiders and firmware compromise. In finance, healthcare, and other highly regulated industries, protecting data throughout its entire lifecycle is critical, and organizations can also use Confidential Computing to help meet and maintain compliance with regional and industry frameworks.
You can gain all these benefits through OCI’s Confidential Computing offering without application code changes and with minimal performance impact. Enabling Confidential Computing doesn’t incur any extra costs on top of Compute instance pricing.
To enable Confidential Computing on a new instance:
1. Open the Console, start creating an instance, navigate to the Security section, and click Edit.
2. Toggle Confidential Computing on.
3. Choose a compatible image and shape; compatible ones are marked with a lock icon.
Confidential Computing is available in select cloud regions: US East (Ashburn), US West (Phoenix), UK Gov West (Newport), UK South (London), Germany Central (Frankfurt), and Switzerland North (Zurich). You must create the instance with a compatible shape and a supported OS and select the feature at creation time; it cannot be turned on for instances that already exist. We plan to enable this feature in more cloud regions in the future, so stay tuned for more updates.
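For teams that provision with the OCI CLI rather than the Console, the steps above reduce to passing a platform configuration at launch and, because the setting cannot be changed afterwards, auditing existing instances for it. The script below is an added example and is not Oracle's tooling. It assumes, and you should confirm against the current OCI API reference before relying on it, that `LaunchInstancePlatformConfig` carries an `isMemoryEncryptionEnabled` attribute, that the platform-config types for the E3 and E4 shapes are `AMD_VM`, `AMD_ROME_BM` and `AMD_MILAN_BM`, and that `oci compute instance get` reports the setting as `is-memory-encryption-enabled` under `platform-config`. The sample `get` responses are constructed for the example, not real API output.

```shell
#!/bin/sh
# Added example, not Oracle's own tooling: CLI-side equivalent of the Console
# steps, written around the constraint that memory encryption is launch-only.
# Assumptions (verify against the OCI API reference): the attribute name
# isMemoryEncryptionEnabled, the platform-config type names below, and the
# kebab-case key the CLI prints for the setting.

# Map an E3/E4 shape to its platform-config type. Any other shape is rejected,
# since only shapes marked with the lock icon can host a confidential instance.
platform_type_for_shape() {
    case "$1" in
        VM.Standard.E3.Flex|VM.Standard.E4.Flex) echo AMD_VM ;;
        BM.Standard.E3.128) echo AMD_ROME_BM ;;
        BM.Standard.E4.128) echo AMD_MILAN_BM ;;
        *) echo "shape not supported for Confidential Computing: $1" >&2; return 1 ;;
    esac
}

# Build the --platform-config JSON for `oci compute instance launch`.
platform_config_json() {
    ptype=$(platform_type_for_shape "$1") || return 1
    printf '{"type":"%s","isMemoryEncryptionEnabled":true}\n' "$ptype"
}

# Read `oci compute instance get` JSON on stdin and print "enabled" or
# "disabled". A "disabled" instance cannot be fixed in place; it must be
# recreated with the flag set, so this is the check to run before trusting it.
memory_encryption_state() {
    if grep -q '"is-memory-encryption-enabled": *true'; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed, trimmed samples of a `get` response (not real OCI output).
SAMPLE_CONFIDENTIAL='{"data":{"shape":"VM.Standard.E4.Flex","platform-config":{"type":"AMD_VM","is-memory-encryption-enabled":true}}}'
SAMPLE_PLAIN='{"data":{"shape":"VM.Standard.E4.Flex","platform-config":{"type":"AMD_VM","is-memory-encryption-enabled":false}}}'

# Launch wrapper: runs only when called with exactly five arguments,
#   sh launch_cc.sh <compartment-ocid> <availability-domain> <subnet-ocid> <image-ocid> <shape>
# so sourcing the file for its functions performs no API call. Flex VM shapes
# also need a shape config; bare metal shapes do not take one.
if [ "$#" -eq 5 ]; then
    cfg=$(platform_config_json "$5") || exit 1
    case "$5" in
        VM.*) set -- "$@" --shape-config '{"ocpus":2,"memoryInGBs":16}' ;;
    esac
    oci compute instance launch \
        --compartment-id "$1" --availability-domain "$2" \
        --subnet-id "$3" --image-id "$4" --shape "$5" \
        --platform-config "$cfg" "$6" "$7"
fi
```

Pairing the launch wrapper with a periodic run of `memory_encryption_state` over `oci compute instance get` output for each instance in a compartment gives an inventory of which workloads are actually confidential, which is the record auditors in regulated industries will ask for.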