Securing Cloud Data - Ionic Delivers Policy Access Management

Securing Data in the Cloud


Data is exploding in volume and complexity, driven by the growth of cloud computing, mobile data traffic, and the development and adoption of technologies that depend on connected systems, processes, workflows, and applications. The move away from legacy on-premises systems, accelerated by the need to support virtual work environments and a remote workforce, means organizations must now secure multiple architectures and cloud environments at once.

The native security controls offered by cloud providers are often inadequate for organizations handling sensitive data, because the data and the encryption keys that unlock it live in the same provider environment. Even with bring-your-own-key (BYOK) models, the key material is imported into the provider's key service, which performs the cryptographic operations on your behalf, so the provider still has access to your keys. For any organization collecting, processing, analyzing, and retaining sensitive or regulated information, data security and privacy quickly become blockers to rapid cloud adoption because they require a completely different trust model.

Organizations face a number of challenges when moving sensitive data to the cloud. Here are some common considerations:

  • How do I securely work with sensitive data across multiple clouds but retain the same control and security mechanisms wherever it goes?
  • How can I remain accountable for data security and privacy even when I have almost no direct control over the infrastructure processing the data?
  • How do I avoid lock-in with cloud-specific controls?
  • How do I decouple security from storage so that there is a clear separation of responsibility between my data and the keys used to secure it?
  • How do I externalize policy into a separate abstracted layer to manage authorization across any environment?
  • How do I respond rapidly to threats, regulations, and business drivers in a dynamic manner?
  • How can I implement an inexpensive solution to store a lot of sensitive data in the cloud but access that data as if it were on disk?
  • How do I gain real-time insight into authorization decisions and policy enforcement across my organization?

As data is shared internally and externally — across disparate applications, environments, data stores, devices, and services — securing and controlling access to it is critical. Solving modern security challenges requires a paradigm shift: the context of every access request — identity, role, location, risk profile, and other attributes — must be evaluated to dynamically authorize access to your data.


Policy has become the new perimeter, and to solve modern challenges you need to:

  • Add security controls that reduce the risk of misconfigured cloud storage locations
  • Prevent cloud providers from accessing your sensitive data at rest
  • Implement a data-centric approach to authorizing access in any environment
  • Use the same keys and policies across cloud and on-premises environments
  • Augment role-based access control (RBAC) with attribute-based access control (ABAC) for additional context
  • Grant each entity a level of access based on the context of its individual request
  • Maintain and manage your encryption keys outside the cloud providers’ infrastructure, and do not store copies of your key material in their environments
  • Maintain full transparency for every data handling and authorization decision

How Does Machina Solve These Challenges?

Machina delivers an authorization framework that is external to applications, systems, and cloud providers, providing a consistent way to define and enforce authorization decisions for applications, resources, services, and data, using both role- and attribute-based access controls coupled with user-controlled encryption.

Machina delivers client-side encryption and decryption across the major cloud storage services — AWS S3, Azure Blob Storage, and Google Cloud Storage (GCS) — through a unified API, with keys held by a third party rather than the storage provider. Because data is encrypted before it leaves the client, the provider stores only ciphertext. With this data-centric approach you can manage access in every environment at the same time, scaling authorization consistently across your organization.

Machina enables you to:

  • Manage policies centrally for both on-premises and multicloud environments
  • Deliver dynamic authorization in any environment
  • Consider the full context of every authorization request using role-based and attribute-based access controls (RBAC & ABAC)
  • Maintain separation between your data in the cloud and the encryption keys used to secure it
  • Satisfy compliance mandates with full visibility into who has access to your keys and when they have been used
  • Leverage pre-built Ionic cloud connectors to secure your data in the major cloud providers, or implement your own using the Machina APIs/SDKs

Machina Delivers:

External Authorization Management

Provide consistent authorization across entities in any environment by leveraging Machina as an authorization framework that is external to cloud providers

Centralized Policy Management

Define and manage access policies (RBAC/ABAC) centrally from a single console to enforce dynamic authorization to data and resources across your organization

Operationalize Compliance Enforcement

Operationalize real-time policy decisions at scale using an ABAC framework, in which the attributes of each access request (who is asking, for what, from where, and under which conditions) drive the decision

External Key

Maintain and manage your encryption keys in an external system, completely outside of the cloud providers’ infrastructure and services


Deliver proof of compliance by providing a single solution for auditing data handling and authorization transactions across your organization

Machina Benefits & ROI

Single, Unified Solution

Machina is the only policy-based authorization engine that consistently delivers real-time access decisions in any environment (cloud, on-premises, and hybrid).

  • Reduce costs by using a single solution that unifies dynamic access controls, centralized policy management (RBAC/ABAC), encryption key management, and analytics
  • Meet complex compliance requirements by gaining auditable visibility into data handling and authorization decisions across your organization
  • Future-proof your data security and access control strategy

Dynamic Authorization Policies

Machina is designed with an ABAC policy engine at its core, which establishes an external authorization framework that separates runtime access logic from application code. Appropriate data handling policies can be implemented through industry-standard APIs and SDKs without special skills or in-depth security knowledge.

  • Rapidly enforce regulatory compliance mandates
  • Reduce or eliminate fines and penalties
  • Reduce operational costs by separating duties
  • Scale consistent policy management across the organization

Partnership with the Major Cloud Providers

Technology partnerships with AWS, Azure and Google Cloud offer easy solution implementations. Developers can use Machina Tools in new or existing applications to apply cryptographic security to data by abstracting key management, policy enforcement, and audit logging from their application code.

  • Optimize your cloud investments to drive innovation
  • Satisfy regulatory compliance requirements
  • Implement customer-managed trust
  • Reduce operational costs and increase efficiency gains
    • Standardize on a single, environment-agnostic solution
    • Maintain clear separation of duties between developers and policy teams
    • Deploy rapidly using industry-standard APIs and SDKs

Patented Key Management System (KMS)

Machina provides the highly available architecture needed to create and retrieve keys with low latency and global scalability, supporting trillions of keys. Because a different key is used for each "piece" of data, the decision to release a key can be based on very specific information about that request, and a single key unlocks only the data it protects. This limits the blast radius of a leaked or compromised key and reduces the need for routine key rotation. Machina ties access controls to the keys themselves rather than to the data those keys protect, which has important ramifications for privacy and operational scalability: the authorization service decides whether to release a key without ever handling the protected data.

  • Focus on performance with a highly scalable and available solution
  • Reduce risk exposure of each key
  • Reduce operational costs by standardizing on a single, cloud-agnostic solution
  • Drive consistent implementation across all environments
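To make the mechanics described above concrete (one key per object, release of that key gated by an ABAC decision over the request context, and an audit record for every decision), here is an added Python example. It is not Machina code and does not use Ionic's API; the `KeyService` class, the policy names, the `TRUSTED_LOCATIONS` set, the object paths, and the request attributes are all constructed for illustration. It models an external key store that mints a separate 256-bit key for each object and releases a key only after a deny-overrides evaluation of the merged object labels and subject attributes (identity, role, location, risk score).

```python
"""ABAC-gated release of per-object data keys with an audit trail.

Constructed illustration of an external policy + key service; not Machina code.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TRUSTED_LOCATIONS = {"US", "EU"}  # constructed attribute set for the location check


@dataclass
class Policy:
    """One ABAC rule: a predicate over the merged request context and its effect."""
    name: str
    effect: str                      # "allow" or "deny"
    matches: Callable[[dict], bool]


@dataclass
class KeyService:
    """Key store kept outside the storage provider. Every object gets its own key,
    and a key leaves the store only after the policies allow the request."""
    policies: List[Policy]
    keys: Dict[str, Tuple[bytes, dict]] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def create_key(self, object_id: str, labels: dict) -> bytes:
        """Mint a fresh 256-bit key for one object and keep the object's labels
        (classification, owner role) so they can join the authorization context."""
        key = secrets.token_bytes(32)
        self.keys[object_id] = (key, labels)
        return key

    def evaluate(self, ctx: dict) -> Tuple[str, str]:
        """Deny-overrides combining: any matching deny wins, then the first
        matching allow; a request that matches no policy is denied."""
        matched = [p for p in self.policies if p.matches(ctx)]
        for p in matched:
            if p.effect == "deny":
                return "deny", p.name
        for p in matched:
            if p.effect == "allow":
                return "allow", p.name
        return "deny", "default-deny"

    def release_key(self, object_id: str, subject: dict) -> Optional[bytes]:
        """Authorize a request for one object's key. Object labels and subject
        attributes are merged into a single context; every decision is logged."""
        key, labels = self.keys[object_id]
        ctx = {"object": object_id, **labels, **subject}
        decision, policy = self.evaluate(ctx)
        self.audit.append({"object": object_id, "subject": subject["user"],
                           "decision": decision, "policy": policy})
        return key if decision == "allow" else None


POLICIES = [
    # Risk- and location-based denies override any allow below.
    Policy("deny-high-risk", "deny", lambda c: c["risk_score"] >= 70),
    Policy("deny-restricted-offsite", "deny",
           lambda c: c["classification"] == "restricted"
           and c["location"] not in TRUSTED_LOCATIONS),
    # Allows combine the subject's role with the object's own attributes.
    Policy("allow-owner-role", "allow", lambda c: c["role"] == c["owner_role"]),
    Policy("allow-analyst-internal", "allow",
           lambda c: c["role"] == "analyst" and c["classification"] == "internal"),
]


def run_scenarios() -> Tuple[Dict[str, Optional[bytes]], KeyService]:
    """Constructed requests against two objects that hold separate keys."""
    ks = KeyService(POLICIES)
    ks.create_key("s3://bucket/report.csv", {"classification": "internal", "owner_role": "finance"})
    ks.create_key("s3://bucket/payroll.db", {"classification": "restricted", "owner_role": "finance"})
    requests = {
        "analyst_internal_us": ("s3://bucket/report.csv",
            {"user": "ana", "role": "analyst", "location": "US", "risk_score": 10}),
        "analyst_restricted_us": ("s3://bucket/payroll.db",
            {"user": "ana", "role": "analyst", "location": "US", "risk_score": 10}),
        "owner_restricted_offsite": ("s3://bucket/payroll.db",
            {"user": "fin", "role": "finance", "location": "BR", "risk_score": 10}),
        "owner_high_risk": ("s3://bucket/payroll.db",
            {"user": "fin", "role": "finance", "location": "US", "risk_score": 85}),
        "owner_restricted_us": ("s3://bucket/payroll.db",
            {"user": "fin", "role": "finance", "location": "US", "risk_score": 10}),
    }
    results = {name: ks.release_key(obj, subj) for name, (obj, subj) in requests.items()}
    return results, ks


if __name__ == "__main__":
    decisions, service = run_scenarios()
    for entry in service.audit:
        print(f"{entry['subject']:>4} {entry['object']:<24} {entry['decision']:<5} via {entry['policy']}")
```

Two points worth noting in the output: the analyst's request for the restricted object is refused by `default-deny` rather than by an explicit rule, which is the behaviour you want from an external policy decision point, and the two objects receive unrelated keys, so releasing (or leaking) the `report.csv` key says nothing about `payroll.db`.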