Shielded VM: Your ticket to guarding against rootkits and exfiltration

In the cloud, establishing trust in your environment is multifaceted, involving hardware and firmware, as well as host and guest operating systems. Unfortunately, threats like boot malware or firmware rootkits can stay undetected for a long time, and an infected virtual machine can continue to boot in a compromised state even after you’ve installed legitimate software.

Last week at Google Cloud Next ’19, we announced the general availability of Shielded VM–virtual machine instances that are hardened with a set of easily configurable security features that assure you that when your VM boots, it’s running a verified bootloader and kernel.

Shielded VM can help you protect your system from attack vectors like:

• Malicious guest OS firmware, including malicious UEFI extensions

• Boot and kernel vulnerabilities in guest OS

• Malicious insiders within your organization

To guard against these kinds of advanced persistent attacks, Shielded VM uses:

• Unified Extensible Firmware Interface (UEFI): Ensures that firmware is signed and verified

• Secure and Measured Boot: Help ensure that a VM boots an expected, healthy kernel

• Virtual Trusted Platform Module (vTPM): Establishes a root-of-trust, underpins Measured Boot, and prevents exfiltration of vTPM-sealed secrets

• Integrity Monitoring: Provides tamper-evident logging, integrated with Stackdriver, to help you quickly identify and remediate changes to a known integrity state

Gemalto, a global security company focused on financial services, enterprise, telecom, and public sectors, turned to Shielded VM for its SafeNet Data Protection On Demand Cloud HSM solution, which provides a wide range of cloud HSM and key management services through a simple online marketplace.

“Shielded VM lets us better protect sensitive applications in the cloud,” said Raphael de Cormis, VP Innovation at Gemalto. “Using Shielded VM, we envision our customers get increased protection from remote attacks and can meet strict regulatory requirements for data protection and encryption key ownership. And the point/click/deploy model of Shielded VM makes increasing security quick and simple.”

Image availability
Shielded VM is available in all of the same regions as Google Compute Engine, and there is no separate charge for using it. Shielded VM is available for the following Google-curated images:

• CentOS 7

• Container-Optimized OS 69+

• Red Hat Enterprise Linux 7

• Ubuntu 16.04 LTS (coming soon)

• Ubuntu 18.04 LTS

• Windows Server 2012 R2 (Datacenter Core and Datacenter)

• Windows Server 2016 (Datacenter Core and Datacenter)

• Windows Server 2019 (Datacenter Core and Datacenter)

• Windows Server version 1709 Datacenter Core

• Windows Server version 1803 Datacenter Core

• Windows Server version 1809 Datacenter Core

You can also find Shielded VM in the GCP Marketplace. These images, brought to you in collaboration with the Center for Internet Security (CIS), include:

• CIS CentOS Linux 7

• CIS Microsoft Windows Server 2012 R2

• CIS Microsoft Windows Server 2016

• CIS Red Hat Enterprise Linux 7

• CIS Ubuntu Linux 18.04

“Bringing CIS Hardened Images to Shielded VM gives users a VM image that’s been both hardened to meet our CIS Benchmarks, and that’s verified to protect against rootkits,” said Curtis Dukes, Executive Vice President of Security Best Practices at CIS. “These additional layers of security give customers a platform they can trust to protect their critical applications.”

And if you prefer to import a custom image, Shielded VM now lets you transform an existing VM into a Shielded VM that runs on GCP, bringing verifiable integrity and exfiltration resistance to your existing images.

Getting started
It’s easy to get started with Shielded VM. In the GCP Console, when you’re creating a new VM instance or instance template, simply check the “Show images with Shielded VM features” checkbox.