The Simple Path to Protecting and Controlling Your Application Data

Learn how to use Ionic Machina to protect and control access to your application data.

Whether you’re a software development team lead at a prestigious financial institution assigned to redact personally identifiable information (PII) before releasing the next bankruptcy report, or you’re part of a development shop that has just been contracted by a large healthcare organization to help update their systems to meet HIPAA requirements, chances are you’ve been asked to obfuscate sensitive data.

Protecting sensitive data is not an uncommon requirement when building applications. In a recent survey, 71% of companies indicated they utilized encryption for some of their data in transit; 53% utilized encryption for some of their data in storage.

If you’re one of these developers, you’re looking at cryptolibraries to solve the problem. There are a lot of cryptolibraries out there, so what differentiates Machina Tools?

  1. Key management: Well-known cryptographer, Bruce Schneier, wrote “The security of an algorithm rests in the key. If you’re using a cryptographically weak process to generate keys, then your entire system is weak.” As the team’s lead, you don’t want to invest resources in building your own KMS, especially when that could become the weak link in securing sensitive data.
  2. Policy to control access: The SDKs in Machina Tools enable developers to control access using a consistent policy framework. Describe your data using key attributes, and your data is protected throughout its lifecycle. Ionic Machina allows you to control access in real-time using a consistent policy framework.

How Does it Work?

Using the SDKs in Machina Tools, you can generate a key, encrypt and protect your data, and return the results to your application using a single call, like so:

 cipher = ionicsdk.ChunkCipherAuto(agent) 

Here, ChunkCipherAuto() calls an instance of our Agent class, handles the key creation and key fetch, and encrypts the payload using standard AES-256 encryption.

Getting Started With the SDKs in Machina Tools

Before moving on, let’s test that. Getting started with the SDKs in Machina Tools is equally easy. Simply,

STEP 1: Sign up; STEP 2: Create Device Credentials; STEP 3: Install Machina Tools; STEP 4: Run "Hello, World!"

Congratulations, you’ve just encrypted and decrypted your first string. In this case, we didn’t even need to create a key. The SDK manages the entire process for us.

Working With Data Protection Keys

Quick encrypt/decrypt is great when you need to encrypt data like a file, string, or an object. But, what if you wanted to set the encryption algorithm, or encrypt parts of a record in a CSV file or a field in a database record?

The strategy here is to create encryption keys to protect each data set (like a column) or even individual pieces of data. With a key management system at your disposal, you can create as many keys as you want. As you’ll see in a moment, you can describe the specific data you are protecting using “key attributes.” Then, create policy rules to allow access based on attribute values.

First, let’s create a simple encryption key. Again, the SDKs in Machina Tools allows you to do this in your language of choice. For example, in Python you can create a new data-protection key by invoking a createkey() method like so:

 my_shiny_key = agent.createkey() 

You can also generate multiple keys and dole them out as needed.

 my_list_of_keys = agent.createkeys() 

Don’t worry, I’ll put this all together in a moment.

Access Control Using Policy

Now that your application can protect data, how do you manage who can access that data, when and under what conditions? The SDK allows you to create data protection keys and assign attributes to those keys. These attributes are programmer-defined and can be associated with policy rules residing on the Ionic platform. Those policies are centralized, so an Admin can update them, and my application doesn’t have to account for the changes. You’ve effectively separated policy from your application,

For example, you could define an attribute and value pair, sensitivity-level : confidential. That attribute-value pair acts as metadata that describes the encrypted data. You can read that attribute without decrypting the package, and you can introduce program logic to manage the payload without decrypting the actual data. This means you don’t have to embed policy decisions into your application.

First, I’ll assign an attribute-value pair to a string variable:

 mutable_attributes=”sensitivity-level, confidential” 

Notice that I’ve named this variable, mutable_attributes. Mutable attributes are attributes with values that can be updated. For example, we could increase the sensitivity-level to “highly restricted.” The Ionic platform also supports fixed attributes, which are immutable. A timestamp for the key,  my_shiny_key, for example, does not change. This is established upon key creation.

Now, let’s create a new key and attach the attributes defined earlier.

 my_shiny_key = agent.createkey(attributes=none, mutableAttributes=mutable_attributes) 

I haven’t assigned a fixed attribute because the timestamp for createkey()  is already tracked.

Now, within Ionic, policy rules defined by your organization will know how, when, and under what conditions data protected by this key can be accessed. When an application attempts to access data protected by this key, these policy rules will be evaluated, and a decision will be made to release or not.

Putting it Together

In order to focus on encryption and key management, I’ve glossed over device registration, profile management, and authentication. The SDK tutorials will walk you through these steps in any of the languages supported by the SDK Here, I’ll just show snippets of Python code.

This example creates a key, fetches the key from the key server, and updates it. First, let’s define some key attributes.

# define fixed attributes
fixed_attributes = {"data-type": ["Finance"], "region": ["North America"]}

# define mutable attributes
mutable_attributes = {"classification": ["Restricted"], "designated_owner": ["[email protected]"]}

Now, we can create the key and attach the attributes. Note the SDK also passes error codes for failed attempts.

# create new key with fixed and mutable attributes
try:
   created_key = agent.createkey(attributes=fixed_attributes, 
                 mutableAttributes=mutable_attributes)
   except ionicsdk.exceptions.IonicException as e:
   print("Error creating a key: {0}".format(e.message))
   sys.exit(-2)

Machina returns a key ID along with the key and key attributes. You can access them like so:

# display new key
   print("\nNEW KEY:")
   print("KeyId        : " + created_key.id)
   print("KeyBytes     : " + binascii.hexlify(created_key.bytes))
   print("FixedAttrs   : " + json.dumps(created_key.attributes))

Now, we can fetch the key, update its attributes, and store the results back on the key server. The tutorial mentioned above walks you through each step.

Summary

Using the SDKs in Machina Tools makes it easy to introduce crypto into your applications without the need to change program logic. As a developer, you can control data access using a consistent policy framework, and you get full visibility into all attempts to access protected data. You can build secure apps with no background in cryptography, and you can do all of this with just a few lines of code.

Michael is the Director of Developer Experience at Ionic Security. You can reach him at [email protected]