Confidential Computing

Oracle today announced that Oracle Cloud Infrastructure (OCI) Compute instances can now have Confidential Computing enabled and included in the Compute instance pricing, at no extra cost.

Confidential Computing protects data in use at the hardware level. Powered by AMD EPYC™ processors, Confidential Computing allows customers to enable confidential virtual machines (VMs) with the help of AMD Infinity Guard features, such as secure encrypted virtualization (SEV) and confidential bare metal servers with secure memory encryption (SME). These features take advantage of security components available in 2nd and 3rd Generation AMD EPYC processors available in all OCI’s E3 and E4 shapes.

With AMD SEV, AMD EPYC processors help to safeguard integrity and privacy by using a unique key per VM for encryption of memory to isolate guests from the hypervisor and one another. With SME, a single key is generated by the AMD Secure Processor at boot and used to encrypt the full system memory. The encryption keys are safeguarded at the hardware level by the secure processor so that even Oracle doesn’t have access.

Confidential Computing has several benefits that organizations can consider as they decide whether to augment their security posture to include Confidential VMs or bare metal servers. By providing security through the lowest layers of hardware, Confidential Computing minimizes the list of trusted parties (OS, ecosystem partners, and administrators), thereby helping reduce the risk of data exposure. By providing a smaller attack surface and more security of data in use through a tightened hardware-based root of trust, it helps protect against some types of vulnerabilities such as insider threats and firmware compromises. In industries such as finance, healthcare, or other highly regulated industries, protecting data throughout its entire lifecycle is critical. Organizations can also use Confidential Computing to help meet and maintain regulatory compliance with regional and industry frameworks.