CanaryBit Tower: A fast and consistent Confidential VM orchestrator

7 May 2026

Confidential Virtual Machines (Confidential VMs or CVMs) are an advanced type of cloud computing instance designed to protect data while it is actively being processed in memory. Unlike traditional encryption, which secures data only at rest (in storage) or in transit (over networks), CVMs leverage hardware-based Trusted Execution Environments (TEEs) to ensure that sensitive data remains protected even during computation.

This approach prevents unauthorized access, including from privileged users such as cloud administrators or the cloud provider itself. Today, all major CPU manufacturers provide such capabilities in their latest processor generations, including technologies like AMD SEV-SNP and Intel TDX.

CVMs are a core component of the broader Confidential Computing paradigm, which aims to strengthen data privacy and security across public and private cloud environments. They are particularly relevant for sovereign use cases, including the processing of sensitive AI workloads, handling data in regulated industries, and securing cryptographic key management.

To accelerate deployment across public and private clouds, ensure consistency across environments, and enable rapid replication of production workloads, CanaryBit has developed Tower, a security orchestration platform for confidential computing.

CanaryBit Tower automates the provisioning, control, and lifecycle management of virtual resources, enabling organizations to build and operate secure execution environments at scale. It integrates with a wide range of cloud service providers, as well as private and bare-metal infrastructures, providing centralized governance over all components of the TEE.

By adopting Infrastructure as Code (IaC) and SecDevOps methodologies, Tower ensures repeatability, integrity, and high security standards throughout the entire workload lifecycle, from deployment to execution and teardown.

Key Benefits

  • Deploys secure processing environments while continuously monitoring and preventing configuration drift
  • Automatically provisions all required infrastructure resources, including one or more TEEs
  • Orchestrates TEEs across public cloud providers, private environments, or on-premises infrastructure
  • Enables full lifecycle management, including automated teardown of resources after execution or in case of compromise
