in the Cloud
There is an explosion of data in terms of volume and complexity due to the exponential growth in cloud computing, mobile data traffic, and the development and adoption of technologies that depend on connected systems, processes, workflows, and applications. Movement away from legacy on-premises systems — accelerated by the need to support virtual work environments and enable a remote workforce — results in the need to secure multiple architectures and cloud environments.
Native security controls offered by cloud providers are often inadequate for many organizations because the data and the encryption keys used to access it are stored in the same location. And even with bring-your-own-key (BYOK) models, cloud providers retain access to your keys. For any organization collecting, processing, analyzing, and retaining sensitive or regulated information, data security and privacy quickly become blockers to rapid cloud adoption because they require a completely different trust model.
Organizations are faced with a number of challenges when moving sensitive data to the cloud. Here are some common considerations:
- How do I decouple security from storage so that there is a clear separation of responsibility between my data and the keys used to secure it?
- How do I externalize policy into a separate abstracted layer to manage authorization across any environment?
- How do I respond rapidly to threats, regulations, and business drivers in a dynamic manner?
- How can I implement an inexpensive solution to store a lot of sensitive data in the cloud but access that data as if it were on disk?
- How do I gain real-time insight into authorization decisions and policy enforcement across my organization?
As data is being shared internally and externally — across disparate applications, environments, data stores, devices, and services — securing and controlling access to it is critical. To solve modern security challenges, a paradigm shift is required. The context of every access point — identity, role, location, risk profile, and other attributes — needs to be considered to dynamically authorize access to your data.
Policy has become the new perimeter, and to solve modern challenges you need to -
- Add security controls to reduce the risks associated with misconfiguration of cloud storage locations
- Restrict cloud providers from having access to your sensitive data at rest
- Implement a data-centric approach to authorize access in any environment
- Use the same keys and policies across cloud and on-premises environments
- Augment role-based access control (RBAC) with attribute-based access control (ABAC) for additional context
- Authorize the level of access entities are granted based on the context of each request
- Maintain and manage your encryption keys outside of the cloud providers’ infrastructure, and do not store copies of your key material in their environment
- Maintain full transparency for every data handling and authorization decision
How Does Machina Solve These Challenges?
Machina delivers an authorization framework that is external to applications, systems, and the cloud providers, providing a consistent way to define and enforce authorization decisions to applications, resources, services, and data, using both role- and attribute-based access controls coupled with user-controlled encryption.
Machina delivers client-side encryption and decryption across major cloud providers — AWS S3, Azure Blob, and GCS — with a unified API and 3rd party keys. With this data-centric approach, you can manage access in every environment at the same time, allowing you to scale authorization consistently across your organization.
Machina enables you to -
- Manage policies centrally for both on-premises and multicloud environments
- Deliver dynamic authorization in any environment
- Consider the full context of every authorization request using role-based and attribute-based access controls (RBAC & ABAC)
- Maintain separation between your data in the cloud and the encryption keys used to secure them
- Satisfy compliance mandates with full visibility into who has access to your keys and when they have been used
- Leverage pre-built Ionic cloud connectors to secure your data in the major cloud providers or implement your own using industry-standard Machina APIs/SDKs
External Authorization Management
Provide consistent authorization across entities in any environment by leveraging Machina as an authorization framework that is external to cloud providers
Centralized Policy Management
Define and manage access policies (RBAC/ABAC) centrally from a single console to enforce dynamic authorization to data and resources across your organization
Operationalize Compliance Enforcement
Operationalize real-time policy decisions at scale using an ABAC framework, where context is key to verifying the integrity of each access request
Maintain and manage your encryption keys in an external system, completely outside of the cloud providers’ infrastructure and services
Deliver proof of compliance by providing a single solution for auditing data handling and authorization transactions across your organization
Machina Benefits & ROI
Single, Unified Solution
Machina is the only policy-based authorization engine that consistently delivers real-time access decisions in any environment (cloud, on-premises, and hybrid).
- Reduce costs by using a single solution that unifies dynamic access controls, centralized policy management (RBAC/ABAC), encryption key management, and analytics
- Meet complex compliance requirements by gaining auditable visibility into data handling and authorization decisions across your organization
- Futureproof your data security and access control strategy
Dynamic Authorization Policies
Machina is designed with an ABAC policy engine at its core that is natively equipped to establish an external authorization framework to separate runtime access logic from application code. Appropriate data handling policies can be implemented through industry-standard APIs and SDKs that do not require special skills or in-depth security knowledge.
- Rapidly enforce regulatory compliance mandates
- Reduce or eliminate fines and penalties
- Reduce operational costs by separating duties
- Scale consistent policy management across the organization
Partnership with the Major Cloud Providers
Technology partnerships with AWS, Azure and Google Cloud offer easy solution implementations. Developers can use Machina Tools in new or existing applications to apply cryptographic security to data by abstracting key management, policy enforcement, and audit logging from their application code.
- Optimize your cloud investments to drive innovation
- Satisfy regulatory compliance requirements
- Implement customer-managed trust
- Reduce operational costs and increase efficiency gains
- Standardize on a single, environment-agnostic solution
- Maintain clear separation of duties between developers and policy teams
- Deploy rapidly using industry-standard APIs and SDKs
Patented Key Management System (KMS)
Machina provides the highly available architecture needed to create and retrieve keys with low latency and global scalability, supporting trillions of keys. Because a different key is used for each "piece" of data, the decision to release a key can take very specific information into account, and the data exposed by any single key is greatly limited. This reduces the need for key rotation and drastically decreases the security risk exposure should a key be leaked or compromised. Machina is designed to tie access controls to the keys themselves, not to the data that those keys protect, which has important ramifications for privacy and operational scalability.
- Focus on performance with a highly scalable and available solution
- Reduce risk exposure of each key
- Reduce operational costs by standardizing on a single, cloud-agnostic solution
- Drive consistent implementation across all environments
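As an added illustration of the architecture described in "How Does Machina Solve These Challenges?" and under "Patented Key Management System" (this is constructed example code, not Machina's SDK or any cloud provider's API): each object gets its own key held by an external key service, the bucket stores only ciphertext and a key reference, and the key is released only after an ABAC decision on the request context, with every decision logged. The HMAC-based keystream stands in for a real AEAD such as AES-GCM, and the policy rule, context attributes and bucket are all assumptions.

```python
import hmac
import hashlib
import secrets

# Illustrative model (not Ionic Machina's SDK): per-object keys held by an external key
# service that releases them only after an ABAC decision; the bucket never holds a key.

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a real AEAD (AES-GCM): HMAC-SHA256 counter-mode keystream, symmetric."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class KeyService:
    """External KMS: one key per object; every release request is evaluated and logged."""
    def __init__(self, policy):
        self._keys = {}      # key_id -> (key bytes, data attributes)
        self.policy = policy
        self.audit = []      # (key_id, user, allowed) for every request
    def create_key(self, key_id: str, attrs: dict) -> bytes:
        self._keys[key_id] = (secrets.token_bytes(32), attrs)
        return self._keys[key_id][0]
    def fetch_key(self, key_id: str, ctx: dict) -> bytes:
        key, attrs = self._keys[key_id]
        allowed = self.policy(attrs, ctx)
        self.audit.append((key_id, ctx["user"], allowed))
        if not allowed:
            raise PermissionError(f"policy denied {ctx['user']} access to {key_id}")
        return key

def abac_policy(attrs: dict, ctx: dict) -> bool:
    # Constructed rule: clearance covers the data classification, request comes from the
    # corporate network, and the session risk score is low.
    return (attrs["classification"] in ctx["clearances"]
            and ctx["network"] == "corp" and ctx["risk_score"] < 50)

cloud_bucket: dict = {}   # constructed stand-in for S3 / Azure Blob / GCS (ciphertext only)

def put_object(kms: KeyService, name: str, plaintext: bytes, classification: str) -> None:
    key_id = f"key-{name}"                  # a fresh key for each piece of data
    key = kms.create_key(key_id, {"classification": classification})
    nonce = secrets.token_bytes(12)
    cloud_bucket[name] = {"key_id": key_id, "nonce": nonce,
                          "ct": keystream_xor(key, nonce, plaintext)}

def get_object(kms: KeyService, name: str, ctx: dict) -> bytes:
    obj = cloud_bucket[name]
    key = kms.fetch_key(obj["key_id"], ctx)  # access control sits on the key release
    return keystream_xor(key, obj["nonce"], obj["ct"])
```

A leaked key in this model exposes exactly one object, which is why per-object keys reduce the blast radius of a compromise compared with a shared bucket key.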