In order to demonstrate how Machina can secure, control access to, and provide audit capabilities for blob storage in the big three cloud storage providers (CSPs), Ionic has written a demo application that we informally refer to as the “Machina cloud copy tool”. Apart from being a powerful demo tool for Machina, it also serves as an example implementation for how to secure data across different cloud providers, where the protection follows the data. With misconfigured cloud buckets being one of the most important paths for data leaks – with hundreds of millions of people’s data exposed in dozens of high profile breaches – it is clear that many organizations are struggling with how to adequately protect data that is migrated to the cloud.
The cloud storage providers make it clear that they provide the infrastructure and secure only that infrastructure. The customer is expected to provide the security and access control for the data itself, and this becomes a problem especially for enterprises that use (or wish to use) more than a single CSP vendor, since the access control feature sets and methods vary between them. Machina addresses this data protection problem, and the cloud copy tool shows one way to implement it.
The tool's capabilities include the ability to:
- Copy a plaintext file from the local filesystem to a protected blob in a CSP bucket.
- Specify metadata (e.g., “this file contains PII and credit card numbers”), which is then actionable by the powerful policy engine in Machina.
- Copy protected data from one CSP blob to another CSP blob, where the protection and the metadata follows. As an example, you can copy an encrypted blob from Amazon S3 to an encrypted blob in Google Cloud Storage, with the metadata intact.
- Copy data from a CSP back to the local filesystem, optionally removing the protection locally.
With the data encrypted in the CSP blob, the bucket configuration becomes less important. Even if you leave your cloud buckets wide open, the only thing a potential attacker gains access to is cryptographically protected content. Access to the encryption key is determined by Machina policy in real time, which means that you can protect your data today (and attach meaningful metadata) and change the access control policy for that data at a later time.
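To make the pattern the tool implements concrete (client-side encryption, metadata that travels inside the blob, key release gated by a policy evaluated at access time, and a cross-CSP copy that moves opaque bytes), here is an added Python example; it is not Ionic's code and does not use the Machina SDK. `KeyService` is a hypothetical in-memory stand-in for the key service and its policy hook, the two CSP buckets are plain dicts, and a SHA-256 keystream plus HMAC stands in for the AEAD cipher a real tool would use.

```python
import hashlib, hmac, json, secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream; stands in for AES-GCM, which a real tool would use.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class KeyService:
    """Hypothetical stand-in for the key service: a key is released only if the policy allows the caller."""
    def __init__(self, policy):
        self.policy, self.keys = policy, {}      # key_id -> (key, metadata recorded at creation)
    def create_key(self, metadata: dict) -> tuple:
        key_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.keys[key_id] = (key, metadata)
        return key_id, key
    def fetch_key(self, key_id: str, caller: dict) -> bytes:
        key, metadata = self.keys[key_id]
        if not self.policy(metadata, caller):        # evaluated at request time, not at encryption time
            raise PermissionError(f"policy denied {caller} for key {key_id}")
        return key

def protect(plaintext: bytes, metadata: dict, ks: KeyService) -> bytes:
    """Build a self-describing blob: [4-byte len][JSON header][ciphertext][32-byte MAC]."""
    key_id, key = ks.create_key(metadata)
    nonce = secrets.token_bytes(12)
    header = json.dumps({"key_id": key_id, "nonce": nonce.hex(), "metadata": metadata}).encode()
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, header + body, "sha256").digest()
    return len(header).to_bytes(4, "big") + header + body + tag

def read_header(blob: bytes) -> dict:
    # Metadata is readable without the key, so a policy engine can act on it.
    n = int.from_bytes(blob[:4], "big")
    return json.loads(blob[4:4 + n])

def unprotect(blob: bytes, caller: dict, ks: KeyService) -> bytes:
    n = int.from_bytes(blob[:4], "big")
    hdr, body, tag = blob[4:4 + n], blob[4 + n:-32], blob[-32:]
    key = ks.fetch_key(json.loads(hdr)["key_id"], caller)   # policy decides here
    if not hmac.compare_digest(hmac.new(key, hdr + body, "sha256").digest(), tag):
        raise ValueError("blob has been tampered with")
    return _keystream_xor(key, bytes.fromhex(json.loads(hdr)["nonce"]), body)

def copy_blob(src: dict, src_name: str, dst: dict, dst_name: str) -> None:
    # Cross-CSP copy moves the bytes unchanged: protection and metadata follow the data.
    dst[dst_name] = src[src_name]
```

Because the bucket holds only the sealed blob, opening the bucket to the world exposes the ciphertext and the header, not the plaintext, and revoking access later is a policy change rather than a re-encryption.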
While the Machina cloud copy tool is a useful utility in its own right, the main idea behind developing it was to give other developers examples of how to use Machina. The Java source code for the tool is available on GitHub, and you can also view a demonstration of how it works below.