Anjuna Announces Support for Google Cloud Confidential Computing powered by AMD SEV

Ofir Azoulay-Rozanes
Director of Product Management
Published on
Sep 19, 2023
We are excited to announce the general availability of Anjuna’s support for Google Cloud Confidential Computing, powered by AMD SEV technology.
https://www.anjuna.io/blog/anjuna-announces-support-for-google-cloud-confidential-computing-powered-by-amd-sev

We are happy to announce general availability of Anjuna Confidential Computing Platform support for Google Cloud Confidential Computing powered by AMD Secure Encrypted Virtualization (SEV). In July 2020, Google Cloud for Confidential Computing was announced, leveraging AMD SEV. This introduced the ability to run VMs in a Confidential Computing infrastructure protecting the VM's data in use, and we are thrilled to bring the added robustness and simplicity of the Anjuna Platform to Google Cloud users.

Additionally, In April 2023, Google Cloud announced the private preview for AMD SEV-SNP — an offering we're thrilled to support.

Anjuna streamlines the implementation and management of Confidential Computing infrastructure at scale, empowering customers to attain comprehensive security and heightened data privacy with top effectiveness. By integrating Anjuna with Google Cloud Confidential Computing, our mutual clients can optimize operational efficiency while elevating their security posture. Why? Because our integration minimizes trust boundaries within the Confidential Computing environment down to the core element – the application.

Google Cloud Confidential VMs Powered By AMD SEV

Google Cloud Confidential VMs based on AMD SEV enable effortless migration of enterprise applications without requiring any code changes. Confidential VMs protect applications and data against threats that may exist outside the construct of the virtual machine, such as Host OS, hypervisor or even BIOS and firmware.

Currently, Google Cloud Confidential Computing services are widely available and growing across most Google Cloud regions (see https://cloud.google.com/compute/docs/regions-zones. Filter by "N2D, C2D" to see the AMD-SEV VMs).

The additional security is provided without sacrificing performance. Tests have shown that the performance effect of running workloads in the AMD-SEV technology has a negligible effect on performance.

You can find the following performance tests:

  • N2D - look for tests on Confidential VMs.
  • C2D

Our integration with Google Cloud is designed to maintain the advantages of simplicity and performance for customers, while enabling them to execute applications within Confidential Containers that provide an elevated level of isolation. With this objective, let's delve into the details of the Anjuna integration, explore the ways we enhance security and trust, and uncover the associated benefits.

How Anjuna Supports AMD SEV on Google Cloud

Anjuna simplifies the journey to a fully secured container within Google Cloud’s AMD-based Confidential Computing, streamlining the process into two simple steps:

  1. Build Phase: Anjuna automates container deployment within a readily operational Google Cloud Confidential VM. In this phase, we address two critical components that standard setups overlook:
    1. We package the application within a fortified Anjuna Confidential Container. Our approach ensures robust isolation, with each VM hosting a single Anjuna Confidential Container.
    2. We capture precise measurements from the Confidential VM. Our single-container-per-VM setup provides accurate and application-specific measurements, bolstering code integrity and fostering trust.
  2. Run Phase: Initiating a Confidential VM is as simple as a single RUN command. Anjuna's Policy Manager (APM) validates the cryptographic measurements before sharing necessary secrets with the app or microservice. This validation attests to the code's untampered state, guaranteeing security and peace of mind.

From zero to fortified security, Anjuna's integration with Google Cloud Confidential Computing is a seamless journey.

Anjuna makes things easier by automating build and attestation

Google Cloud makes it easy to migrate applications to Google Cloud Confidential Computing infrastructure. With a few clicks on the Google Cloud dashboard, select VM type, guest OS image, and configure storage, networking, and management. The result is a fully operational VM with memory encryption. During this phase, fine-tune attestation and secret management settings to perfection. 

Attestation stands as a crucial component, verifying the integrity and trustworthiness of your deployed code. Relying solely on memory encryption can leave vulnerabilities to potential malicious code. 

Anjuna aims to build on Google Cloud core capabilities for utmost trust and security, while keeping operations simple. When using Anjuna on Google Cloud, enclave measurements are auto-calculated during build, ensuring runtime VM integrity – disk, networking, and secret loading instructions. This vital process establishes trust and maximizes Confidential Computing's isolation potential.

Applications need a secure start with secrets and configurations, free from leakage risks. Creating a comprehensive attestation and secrets automation system is intricate, especially for full security and cloud provider independence. Anjuna simplifies secure secret distribution through the Anjuna Policy Manager (APM). The APM is an attestation-aware secret manager enabling seamless secret retrieval and injection into Anjuna's Confidential Containers. The Anjuna Confidential Runtime attests, verifies with APM, retrieves the secret, and injects it into the app. This seamless process abstracts from the app, requiring no modifications. The APM also interfaces with customers' key management systems.

Anjuna elevates security by narrowing trust boundaries 

Google Cloud confidential VMs ensure robust defense against external threats like the hypervisor, host, cloud operators, and co-hosted VMs.

Anjuna takes security to the next level by deploying apps inside Anjuna Confidential Containers, all while maintaining "lift and shift" simplicity. This approach adds isolation and guards against guest OS, VM misconfigurations, and the risks associated with neighboring apps. The container minimizes attack surfaces, limits admin access, and decreases blast radius with one container per VM. This assures container integrity and confidentiality, averting ripple effects from one breach.

When it comes to implementing remote attestation, Anjuna includes it out of the box at the container level. Combined with our Confidential Containers, Anjuna allows customers to achieve precise, granular application-level remote attestation, enabling secure delivery of keys and secrets to designated workloads and maximizing trust.

At Anjuna, we believe that Confidential Computing should serve as the bedrock of cloud infrastructure, ensuring steadfast and trustworthy operations across diverse organizations. Our partnership with Google Cloud underscores our commitment to providing solutions that redefine security as a business catalyst, ensuring seamless adoption while upholding robust protection. Our newly augmented capabilities resonate with the evolving security demands of our customers.

We invite you to join us for an engaging live demo, where you can experience firsthand how Anjuna can simplify your Confidential Computing journey.

More like this
Get Started Free with Anjuna Seaglass

Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.

Try Free