Externalizing Key Management for Cloud Data - Ionic

Externalizing Key Management for Cloud Data


An increasing number of organizations today are embracing cloud storage and computing to take advantage of the derived cost savings and operational efficiencies. Cloud providers like Amazon Web Services, Google Cloud Platform, and Microsoft Azure offer highly secure cloud platforms with features like encryption at rest and in transit for data, the ability to build out private IP environments, and robust internal controls and auditing to protect against insider access to customer data.

However, cloud providers clearly state that you are responsible for securing your data and controlling how it is accessed and used. While you can use their services to meet compliance requirements, misconfigurations often lead to breaches, and if a cloud provider has access to both your data and your keys, the risk of unauthorized access increases. As you move sensitive data to the cloud, securing and controlling access to it is essential to keep up with evolving regulations and to retain customer trust.

Here are some common considerations:

  • Both the business and my own engineering teams are pushing me to use cloud technologies, but how do I make the move when the data involved is too sensitive?
  • How do I mitigate the possibility of misconfigurations?
  • How can I respond to risks, threats, compliance mandates, and business drivers in real time?


Any organization looking at the cloud faces a number of challenging decisions -

  • Cloud storage is cheap, but how do I access it easily, with all the fully-supported controls, just as if it were on disk in my own datacenter?
  • How do I consolidate key management technology to simplify my enterprise architecture across multiple clouds and on-prem environments?
  • How do I implement contextual authorization to enforce privileged access management?
  • How do I respond rapidly to threats, mandates, and business drivers in a dynamic manner?
  • How can I get a consolidated view of all data handling and access decisions across my organization?

Additionally, the native security controls provided by cloud providers are often not adequate for regulated organizations, as there is no separation between the stored data and the keys used to access it. Because organizations have no way to reduce the implicit trust placed in their cloud providers by keeping full control over sensitive and regulated data, cloud services become too risky to use.


To build and maintain trust, you need to be able to -

  • Prevent cloud providers from accessing your data in response to a blind subpoena, which could also affect EU personal data
  • Maintain and manage your encryption keys outside of the cloud provider’s infrastructure and not store copies of your key materials in their environment
  • Enforce consistent access policies across on-premises and cloud environments
  • Extract runtime access logic from application code into an external system so that required changes can be implemented through policy, not code, and don't require a major modification effort for every application
  • Control data as it moves from an at-rest state to an in-use state
  • Grant or deny access to different entities at will, including the cloud service provider
  • Maintain full transparency for every data handling and authorization decision

How Does Machina Solve These Challenges?

Machina allows organizations to maintain complete control over storing and managing their encryption keys outside of a cloud provider’s infrastructure. The cloud provider has no access to your keys, allowing you to remove implicit trust from shared infrastructures. This opens the floodgates to what data and resources can be moved to the cloud to drive innovation.


Machina enables you to -

  • Maintain separation between your data in the cloud and the encryption keys used to secure it
  • Reduce risk and meet compliance mandates with full visibility into who has access to your keys and when they have been used
  • Manage policies centrally for both on-premises and cloud environments
  • Deliver dynamic authorization in any environment
  • Consider the full context of every authorization request using role-based and attribute-based access controls (RBAC & ABAC)
  • Implement an out-of-the-box integration for Google Cloud or leverage industry-standard APIs and SDKs for other cloud providers

Machina Delivers:

  • Control the storage and distribution of your externally-managed keys for every request, managed completely outside the CSPs' infrastructure
  • Enforce RBAC/ABAC policies in real time to authorize access to data or resources
  • Scalable Key: manage your keys from a single location and user interface, whether the data they protect resides in the cloud or on premises
  • Centralized Policy Management: define, govern, and manage authorization policy centrally from a single console for any environment
  • Deliver a single solution for auditing data handling and authorization transactions across your organization

Machina Benefits & ROI

Patented Key Management System (KMS)

Machina provides the highly available architecture needed to create and retrieve keys with low latency and global scalability, supporting trillions of keys. Because a different key is used for each "piece" of data, the decision to release a key can take very specific information into account, and the amount of data exposed by any one key is greatly limited. This reduces the need for key rotation and drastically decreases the security risk exposure should a key be leaked or compromised. Machina is designed to tie access controls to the keys themselves, not to the data that those keys protect, which has important ramifications for privacy and operational scalability.

  • Focus on performance with a highly scalable and available solution
  • Reduce risk exposure of each key
  • Reduce operational costs by standardizing on a single, cloud-agnostic solution
  • Drive consistent implementation across all environments

Partnership with the Major Cloud Providers

Technology partnerships with AWS, Azure and Google Cloud make implementation straightforward. Developers can use Machina Tools in new or existing applications to apply cryptographic security to data by abstracting key management, policy enforcement, and audit logging out of their application code.

Ionic is a selected GCP partner for Google Cloud External Key Manager (EKM). Machina for Google Cloud EKM externalizes key management to give you complete control over the security and privacy of your data and resources in services like BigQuery, Kubernetes Engine, Cloud SQL, and Compute Engine.

  • Optimize your cloud investments to drive innovation
  • Satisfy regulatory compliance requirements
  • Implement customer-managed trust
  • Reduce operational costs and increase efficiency gains
    • Standardize on a single, environment-agnostic solution
    • Maintain clear separation of duties between developers and policy teams
    • Deploy rapidly using industry-standard APIs and SDKs

Dynamic Authorization Policies

Machina is designed with an ABAC policy engine at its core that is natively equipped to establish an external authorization framework separating runtime access logic from application code. Appropriate data handling policies can be implemented through industry-standard APIs and SDKs that do not require special skills or in-depth security knowledge.

  • Rapidly enforce regulatory compliance mandates
  • Reduce or eliminate fines and penalties
  • Reduce operational costs by separating duties
  • Scale consistent policy management across the organization
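To make the pattern described in the "Patented Key Management System" and "Dynamic Authorization Policies" sections concrete (a separate key for each piece of data, held outside the storage provider and released only after an ABAC policy decision, with every decision audited), here is a small Python model. It is example code written for this page, not Machina's or Google Cloud EKM's implementation: the ExternalKeyManager and CloudStore classes, the attribute-dictionary policy format and the HMAC-based toy cipher are all assumptions, and the toy cipher stands in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    """Toy HMAC-SHA256 counter keystream XOR; stands in for a real AEAD such as AES-GCM."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

class ExternalKeyManager:  # assumed stand-in for an external KMS, not a real product API
    def __init__(self, policies):
        self._keys = {}           # key_id -> key bytes, held outside the storage provider
        self.policies = policies  # ABAC rules: a request matches a rule if every attribute matches
        self.audit = []           # every release decision, allowed or denied
    def create_key(self):
        key_id = secrets.token_hex(8)          # one fresh key per data object
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def release(self, key_id, ctx):
        allowed = key_id in self._keys and any(
            all(ctx.get(a) == v for a, v in rule.items()) for rule in self.policies)
        self.audit.append({"key_id": key_id, "ctx": dict(ctx), "allowed": allowed})
        return self._keys[key_id] if allowed else None

class CloudStore:  # assumed stand-in for the provider: ciphertext and key_id only, no key material
    def __init__(self, kms):
        self.kms, self.objects = kms, {}
    def put(self, name, plaintext, ctx):
        key_id = self.kms.create_key()
        key = self.kms.release(key_id, ctx)     # writes are policy-checked and audited too
        if key is None:
            return False
        nonce = secrets.token_bytes(12)
        self.objects[name] = (key_id, nonce, _xor_stream(key, nonce, plaintext))
        return True
    def get(self, name, ctx):
        key_id, nonce, ciphertext = self.objects[name]
        key = self.kms.release(key_id, ctx)     # a denial leaves the data unreadable
        return None if key is None else _xor_stream(key, nonce, ciphertext)

def demo():
    # Constructed sample: EU analysts may read, a US analyst is denied; both decisions are audited.
    kms = ExternalKeyManager(policies=[{"role": "analyst", "region": "eu"}])
    store = CloudStore(kms)
    store.put("report", b"Q3 revenue figures", {"role": "analyst", "region": "eu"})
    store.put("notes", b"board minutes", {"role": "analyst", "region": "eu"})
    ok = store.get("report", {"role": "analyst", "region": "eu"})
    denied = store.get("report", {"role": "analyst", "region": "us"})
    distinct_keys = store.objects["report"][0] != store.objects["notes"][0]
    return ok, denied, distinct_keys, len(kms.audit)
```

Because the provider side holds only ciphertext and an opaque key id, revoking a single object's access is a policy change in the key manager rather than a re-encryption or a code change in the application.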

Single, Unified Solution

Machina is the only policy-based authorization engine that consistently delivers real-time access decisions in any environment (cloud, on-premises, and hybrid).

  • Reduce costs by using a single solution that unifies dynamic access controls, centralized policy management (RBAC/ABAC), encryption key management, and analytics
  • Meet complex compliance requirements by gaining auditable visibility into data handling and authorization decisions across your organization
  • Future-proof your data security and access control strategy