Customer-Managed Trust with Google and Ionic

Customer-Managed Trust in the Cloud Made Simple By Google and Ionic Security

Automation, Consistency, Precision, Privacy, Security, and Simplicity

What do automation, consistency, precision, privacy, security, and simplicity have in common? All are required components of achieving a manageable state of trust in today’s digital-first world. Without each of these working together with the others, you end up with a human-scale approach to a machine-scale problem.

Today we are excited to announce a major step forward in achieving customer-managed trust in the cloud as part of a collaboration between the Google Cloud team and Ionic Machina™. With the launch of Google Cloud’s External Key Manager service — which will be further extended in the future with detailed attributes as part of each key request in the form of Key Access Justifications — it has never been easier to separate duties and achieve positive control over the handling of your data in the cloud.

In practice, this means that the data protection keys (DPKs) are themselves encrypted by external encryption keys provided by your Machina instance. With External Key Manager, Google Cloud would need to leverage an encryption key from your Machina instance to gain access to your data-at-rest.

“At Google Cloud, we give enterprises a broad range of encryption options to appropriately balance risk, control, security and operational complexity when protecting cloud workloads,” said Il-Sung Lee, product manager at Google Cloud. “Today, in collaboration with Ionic, we’re bringing customers the next level of controls for their cloud environments with External Key Manager and making it easy to implement and support our customers’ governance and compliance processes.”

The collaboration between Google and Ionic began in earnest some time ago, catalyzed by the ingenuity and conviction of our mutual customers who wanted to adopt cloud services while maintaining independent and consistent data handling governance. With this integration, Machina gives Google customers autonomous external encryption key management, attribute-based access controls (ABAC), real-time policy enforcement, and auditable visibility. This new reality provides an unprecedented level of comfort for cloud migration and app modernization.

Automation: Unlike traditional bring-your-own-key (BYOK) approaches, Machina with Google Cloud’s External Key Manager is fully autonomous, utilizing a first-party protocol to make pull-based — rather than customer-initiated, push-based — API requests for specific data encryption keys directly from the Google Cloud service that has External Key Manager enabled.

Consistency: By enabling a pull-based protocol natively in Google Cloud services such as BigQuery and Compute Engine, Machina and External Key Manager allow customers to maintain a common and consistent system of record for encryption key and ABAC policy management across services and providers. This concept may sound familiar as it is conceptually aligned with the identity and access management (IAM) workflow most enterprises and cloud providers have already adopted.

Precision: With the first-of-its-kind Key Access Justification feature (coming to alpha), each key request made by an EKM-supported Google Cloud service to your Machina instance will carry detailed context about why access to the data is needed, which can be evaluated before any key is released. In more traditional scenarios, key release works like a light switch: it is either all on or all off, and considering the context of the request simply isn’t an option.

Privacy: As all DPKs are themselves protected by Machina, your ability to assure which data has and has not been accessed is now greatly enhanced. In the future, with a single API call to Machina, you will be able to determine which services — under what circumstances and at what moments in time — gained or were denied access to specific key material associated with specific data sets. Utilizing the rich ABAC policy capabilities of Machina, your ability to map appropriate handling of your data inside Google Cloud services as required by various regulations is only a few clicks away.

Security: With Google Cloud’s External Key Manager backed by Machina as a third party, you will achieve separation of duties for all data handling workflows: creation, processing, export, transport, etc. No Google service can gain logical (unencrypted) access to your data-at-rest without first seeking, and being granted, the specific and appropriate encryption key from your Machina instance.
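As an added illustration (not Machina's or Google's code), the following Python models the envelope-encryption and pull-based key-release flow described in the Precision, Privacy and Security paragraphs: the cloud service stores only a wrapped DPK, every unwrap request carries a justification that customer-side policy evaluates, and every decision is recorded for audit. The cipher is an HMAC-based counter-mode stand-in for AES so the code runs with the standard library only; the justification labels, service name and sample record are constructed.

```python
import hashlib, hmac, os

def prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR (assumption, not Machina's cipher)
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, prf_stream(key, nonce, len(data))))

class ExternalKeyManager:  # customer-held side: owns the KEK, judges context, logs every decision
    def __init__(self, allowed_justifications):
        self._kek = os.urandom(32)          # key-encryption key; never leaves this object
        self.allowed = set(allowed_justifications)
        self.audit = []                     # (service, justification, granted)
    def wrap_dek(self, dek: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = xor_crypt(self._kek, nonce, dek)
        tag = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag
    def unwrap_dek(self, blob: bytes, service: str, justification: str):
        # pull-based: the cloud service asks, policy on the customer side decides and is recorded
        granted = justification in self.allowed
        self.audit.append((service, justification, granted))
        if not granted:
            return None
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("wrapped DEK failed integrity check")
        return xor_crypt(self._kek, nonce, ct)

class CloudService:  # provider side: stores ciphertext plus the *wrapped* DEK, never the plaintext DEK
    def __init__(self, name: str, ekm: ExternalKeyManager, plaintext: bytes):
        self.name, self.ekm, self.nonce = name, ekm, os.urandom(16)
        dek = os.urandom(32)                 # data protection key, used once here then dropped
        self.ciphertext = xor_crypt(dek, self.nonce, plaintext)
        self.wrapped_dek = ekm.wrap_dek(dek)
    def read(self, justification: str):
        dek = self.ekm.unwrap_dek(self.wrapped_dek, self.name, justification)
        return None if dek is None else xor_crypt(dek, self.nonce, self.ciphertext)

def demo():
    # constructed justification labels; the real Key Access Justification codes are not on the page
    ekm = ExternalKeyManager({"customer_initiated_query"})
    svc = CloudService("bigquery", ekm, b"constructed sample record")
    denied = svc.read("provider_support_access")      # policy says no: None, and an audit entry
    granted = svc.read("customer_initiated_query")    # policy says yes: plaintext returned
    return denied, granted, ekm.audit
```

The audit list is the customer's own record of which service asked for which key, with what justification, and whether it was released, independent of anything the provider logs.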

Simplicity: Both Google and Ionic agreed early in our collaboration that even if this concept was achievable technically, it would fail if it was not very simple to implement. Our teams went to great lengths to make the management of the combined solution as seamless and cohesive as possible. 

In summary, Google is the first major cloud provider to permit a third party into the risk model, enabling a scenario that is fully autonomous, allows for consistency in ways similar to IAM, provides for granular precision of data handling, delivers verifiable privacy outcomes, separates duties in cryptographically verifiable ways, and is accessible in a few clicks of a button.

We could not be more excited to bring this solution to market with the Google Cloud team and look forward to helping your organization accelerate your cloud strategy with simple and powerful customer-managed trust.