Cysec's ARCA Trusted OS (ARCA) is a secure container orchestration platform composed of a container-specific, hardened Linux-based operating system and a vanilla Kubernetes. ARCA has supported confidential VMs provided by Google Cloud Platform (GCP) since version 1.4.0, released in August 2021. The goal of this first step was to protect the data in use of end-users performing container orchestration within public clouds. Kubernetes is a very robust and widely used container orchestrator; however, it gives control plane administrators access rights that allow them to reach any data in any of the containers they orchestrate. The OS of ARCA 1.4.0 supports GCP confidential VMs, which isolate the containers executed inside the VM from workloads in other VMs and from the CSP's host OS and hypervisor. The Kubernetes orchestrator in ARCA 1.4.0 allows end-users to orchestrate their containers without taking on the risk of a security breach of a CSP-managed Kubernetes control plane. Furthermore, ARCA 1.4.0 comes with full disk encryption enabled by default to protect data stored in ARCA instance images. The encryption/decryption keys used to protect the confidentiality of the instance images in public clouds are stored in a v-TPM. With these three isolation mechanisms, ARCA 1.4.0 is an execution environment that adds an extra layer of protection to containers running in public clouds. This extra layer isolates data in ARCA instance images, whether it is stored in volatile or nonvolatile memory, from other workloads and from CSP administrators.
ARCA 1.6.0 is a second step made by Cysec towards confidential execution of containers within Google Cloud. ARCA 1.4.0 provides a secure execution environment isolated from the CSP and from other workloads. ARCA 1.6.0 addresses the automation of deploying this secure execution environment at scale. Note that this automated deployment must be performed in a manner that prevents compromise of the confidentiality and integrity of end-users' code and data in the case of a security breach in the public cloud infrastructure. ARCA 1.6.0 is compatible with Terraform, which allows end-users to perform a secure deployment of GCP confidential VMs at large scale. Furthermore, ARCA 1.6.0 includes cloud-init, which automates the initialization of ARCA instances. Finally, ARCA 1.6.0 embeds the Google Guest Agent for better integration with the GCP environment. With this set of tools, ARCA 1.6.0 can be deployed and configured at scale in GCP confidential VMs in a simple way. Moreover, Cysec proposes configuration settings to apply once the cluster of confidential VMs running ARCA has been deployed, so that the automation tools and agents cannot become points of security breach while the business is operating.