Profile Applicability:

  • Level 2

Description:

Google Cloud provides Confidential Computing, a feature that encrypts data in-use during processing. This breakthrough technology ensures that customer data is encrypted in memory and other areas outside the central processing unit (CPU). Confidential VMs leverage Secure Encrypted Virtualization (SEV) provided by AMD EPYC™ CPUs, ensuring data remains encrypted while being processed, queried, or trained.

Rationale:

Confidential Computing ensures that sensitive data and code remain encrypted in memory, mitigating risks associated with unauthorized access. Encryption keys are hardware-generated, non-exportable, and specific to each VM. By implementing this technology, organizations can reduce the risk of insider threats and unauthorized data exposure, enhancing trust in Google Cloud's infrastructure.

Impact:

  • Disruptions During Maintenance: Confidential VMs do not support live migration, so they may experience downtime during maintenance events.

  • Additional Costs: Enabling Confidential Computing may incur extra charges. For more details, refer to Google Cloud Confidential VM Pricing.

Default Value:

By default, Confidential Computing is disabled for Compute instances.

Audit Steps:

From Google Cloud Console:

  1. Navigate to the VM instances page: VM Instances.

  2. Select the instance to view its details.

  3. Verify that the Confidential VM service is enabled.

From Google Cloud CLI:

List all instances and their configurations:

gcloud compute instances list --format=json

  1. Check the enableConfidentialCompute property under the confidentialInstanceConfig section. Ensure its value is true for all instances using machine types starting with n2d-.
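The following script automates the CLI audit step above. It is an added example, not part of the benchmark; it parses the JSON emitted by gcloud compute instances list --format=json and reports every instance whose machine type starts with n2d- but does not have confidentialInstanceConfig.enableConfidentialCompute set to true. The embedded JSON is a constructed, trimmed sample of that output (real output carries many more fields); the project and zone names in it are placeholders.

```python
import json
import sys

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Only the fields the audit needs are included; project/zone names are placeholders.
SAMPLE_GCLOUD_JSON = """
[
  {"name": "web-1",
   "machineType": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a/machineTypes/n2d-standard-4",
   "confidentialInstanceConfig": {"enableConfidentialCompute": true}},
  {"name": "batch-2",
   "machineType": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-b/machineTypes/n2d-standard-8",
   "confidentialInstanceConfig": {"enableConfidentialCompute": false}},
  {"name": "legacy-3",
   "machineType": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-east1-b/machineTypes/n2d-highmem-2"},
  {"name": "db-4",
   "machineType": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-east1-c/machineTypes/n2-standard-4"}
]
"""


def machine_type_name(uri):
    """Reduce the full machineType URI to its short name, e.g. 'n2d-standard-4'."""
    return uri.rsplit("/", 1)[-1]


def is_confidential(instance):
    """True only when confidentialInstanceConfig.enableConfidentialCompute is present and true."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    return bool(cfg.get("enableConfidentialCompute", False))


def find_noncompliant(instances, prefix="n2d-"):
    """Return (name, machine type) for in-scope instances lacking Confidential Computing."""
    return [
        (inst["name"], machine_type_name(inst["machineType"]))
        for inst in instances
        if machine_type_name(inst["machineType"]).startswith(prefix) and not is_confidential(inst)
    ]


def audit(json_text, prefix="n2d-"):
    """Parse gcloud JSON output and list the non-compliant instances."""
    return find_noncompliant(json.loads(json_text), prefix)


if __name__ == "__main__":
    # Pipe real output in: gcloud compute instances list --format=json | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GCLOUD_JSON
    for name, mtype in audit(data):
        print(f"NON-COMPLIANT: {name} ({mtype}) does not have Confidential Computing enabled")
```

An instance with no confidentialInstanceConfig block at all (legacy-3 in the sample) is reported as non-compliant, not skipped, since a missing setting is the same as disabled.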

Remediation Steps:

Confidential Computing can only be enabled during instance creation. Existing instances need to be deleted and recreated with this feature enabled.

From Google Cloud Console:

  1. Navigate to the VM instances page.

  2. Click Create instance.

  3. Configure the desired instance settings.

  4. Under the Confidential VM section, check Enable the Confidential Computing service on this VM instance.

  5. Click Create to launch the instance.

From Google Cloud CLI:

Create a new instance with Confidential Computing enabled:

gcloud compute instances create <INSTANCE_NAME> --zone <ZONE> --confidential-compute --maintenance-policy=TERMINATE

Backout Plan:

  • Disable Confidential Computing: If confidential computing needs to be disabled, run the following command to disable it on an existing instance:

gcloud compute instances update [INSTANCE_NAME] --zone [ZONE] \
  --no-confidential-compute

This command will remove confidential computing settings from the instance.

  • Revert to Previous Instance Configuration: If you need to revert to the previous instance configuration, restore the instance to its original settings or recreate the VM without the confidential computing option.

  • Test and Verify: After rolling back, verify that the instance is working as expected and that confidential computing is no longer enabled.

  • Notify Stakeholders: Notify the relevant teams and stakeholders about the backout and any operational impact it might have on workloads.

References:

  1. Creating a Confidential VM Instance

  2. About Confidential VMs

  3. Google Cloud Confidential Computing

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.11 Encrypt Sensitive Data at Rest | Encrypt sensitive data stored in servers, applications, and databases using methods such as storage-layer or application-layer encryption. | | |
14.8 Encrypt Sensitive Information at Rest | Secure sensitive data at rest with tools requiring secondary authentication, ensuring access is restricted to authorized users. | | |