Strengthen your cloud cyber security with Ubuntu Pro and confidential VMs

In today’s digital landscape, organisations of all sizes have expanded their presence in the cloud. But with this expansion comes a significant increase in the attack surface, making security a top concern. In this blog, we will dive into the exciting world of cloud cyber security, and explore a stronger approach to securing your workloads with the help of Ubuntu.

Why does your OS choice matter for cloud cyber security?

Let’s first talk about why your choice of operating system matters for security. While developers put in a lot of effort to secure their applications, the security guarantees they provide are just one piece of the puzzle.

Once your application is running on a platform in production, threats can still arise from the privileged system software, which includes the operating system, virtual machine manager, and the platform’s firmware.

By design, this software has extensive access to all of your application’s resources, and if it ever becomes malicious or compromised, it can leak all of your application’s sensitive data. Therefore, It is crucial to recognise that the security of the operating system sets the upper limit for application security. So what security measures does Ubuntu offer for cloud workloads?

Cloud cyber security with Ubuntu 

Ubuntu offers many built-in security features like Full disk encryption, Mandatory Access Control via AppArmor, filesystem capabilities and UEFI secure boot. To further improve your security posture, you can also enable additional security features with an Ubuntu Pro subscription.

Ubuntu Pro is Canonical’s comprehensive subscription for open source software security. When used on the public cloud, Ubuntu Pro will take your security to a whole new level. Let us  break down what’s included:

1. Wide security coverage: Ubuntu Pro provides comprehensive security patching for over 25,000 open-source packages, including popular applications like Apache Kafka, NGINX, MongoDB, Redis, and PostgreSQL.
2. Reduced downtime: With Ubuntu Pro’s Livepatch Service, you can enjoy instantaneous patches of your kernel’s high and critical CVEs at run time, with no need for an immediate reboot. This can greatly minimise your business disruptions and maximise your  uptime.
3. 10 years of platform stability and peace of mind: Canonical guarantees 10 years of security maintenance for Ubuntu Pro users running LTS releases, ensuring a decade of stability and protection for your workloads.
4. Compliance certifications Ubuntu Pro offers automation and auditing tooling for DISA-STIG, CIS hardening and auditing, FIPS-certified cryptographic modules, and more. It simplifies compliance processes and helps you meet regulatory requirements effortlessly.
5. 24/7 support: Optional weekday or 24/7 support is also available with Ubuntu Pro, ensuring that you have expert assistance whenever you need it. It includes troubleshooting, break fix and bug fix on 25,000 open source packages and a wide set of applications, with 1 hour first response time for critical, disruptive issues with 24/7 support.

Ubuntu Pro is free for up to 5 machines for personal and small-scale commercial use, or up to 50 machines for official Ubuntu Community members.

Get started with Ubuntu Pro today

Enhancing cloud cyber security with confidential computing

While security hardening and automated CVE patching are essential for protecting your public cloud workloads from known security vulnerabilities, they cannot protect your data from zero-day vulnerabilities within the cloud’s privileged system software, or from a potentially malicious cloud provider. 

This is because, up until recently, there were no available mechanisms for protecting sensitive workloads at run-time. Today, confidential computing offers a systems-level primitive that allows you to run your applications within a hardware-rooted logically isolated execution environment. 

Ubuntu Confidential VMs

Using AMD SEV-SNP or Intel TDX CPU extensions, you can deploy Ubuntu Confidential VMs whose system memory and CPU registers are encrypted using the latest AES-128 hardware encryption engine. 

Because workloads running in the cloud are loaded from a hard disk, Ubuntu also leverages its full disk encryption capabilities to secure your data at rest.

Using AES, Ubuntu encrypts and decrypts all data written at disk, storing the encryption key (itself encrypted) in your VMs virtual disk. Only the virtual Trusted Platform Module (vTPM) associated with your CVM instance can decrypt the key.

With Ubuntu’s Confidential VMs, your data is secured at runtime, rest, and boot. 

At Canonical, We strongly believe that in the future, confidential computing and privacy-enhancing technologies will become the standard approach to computing. That’s why our portfolio of confidential computing solutions is available for free on all public clouds.

To learn more about this topic, we invite you to read our whitepaper which provides an in-depth discussion on adopting a stronger approach to Azure cloud cyber security with Ubuntu.

Combining Ubuntu Pro and Confidential VMs

Confidential computing introduces a security model where CVMs protect data from external software threats. However, vulnerabilities from within their boundaries remain a concern. This is where Ubuntu Pro becomes essential. Ubuntu Pro offers security measures to tackle vulnerabilities within the CVM’s software stack or the guest OS. Regular security patching and updates provided by Ubuntu Pro mitigate this risk. For a detailed exploration on the importance of securing your CVM from internal vulnerabilities, you can read our in-depth article here. This integration ensures a more secure environment suitable for enterprise operations and is compatible with both AMD SEV-SNP hardware and, for those in the Azure limited preview, Intel TDX.

How to Deploy Ubuntu Confidential VMs on Azure

To deploy a new Confidential VM with Ubuntu Pro, use the Azure CLI command as follows:

az vm create \
--resource-group "${RESOURCE_GROUP}" \
--name "${VM_NAME}" \
--size Standard_DC4as_v5 \
--enable-vtpm true \
--image "Canonical:0001-com-ubuntu-confidential-vm-focal:20_04-lts-cvm:latest" \
--security-type ConfidentialVM \
--os-disk-security-encryption-type VMGuestStateOnly \
--enable-secure-boot true \
--license-type UBUNTU_PRO

The –license-type UBUNTU_PRO flag is the key for deploying Ubuntu Pro. 

In-Place Upgrade of Ubuntu Confidential VMs on Azure

Existing Confidential VM Ubuntu LTS VMs can be upgraded to Ubuntu Pro using a few commands. For more details, you can visit our In-Place Upgrade announcement.

Deploy secure Ubuntu workloads on the public cloud today

Using Ubuntu on the public cloud provides you the foundation you need to fortify your cloud workloads. With Ubuntu Pro’s extended security coverage, reduced downtime, compliance tooling, and confidential computing support, you can gain confidence and peace of mind with state-of-the-art security.

Take your cyber cloud security to the next level with https://ubuntu.com/pro and confidential VMs and build a solid foundation for your security-sensitive environments.

Learn more about Ubuntu security

If you would like to know more about the Canonical approach to security at large, contact us. 

Additional resources

• Contact us
• Ubuntu Pro | product page
• Ubuntu Pro 20.04 on Azure Marketplace Microsoft Azure Marketplace
• Watch our webinar to learn more about confidential computing
• Read our blog post for “What is confidential computing? A high-level explanation for CISOs”
• Read our blog post for “Confidential computing in public clouds: isolation and remote attestation explained”
• Start creating and using Ubuntu CVMs on Azure
• Is Linux Secure?