Machina gives you the ability to enforce powerful data access policy with just a few lines of code, providing a consistent, seamless way to assure the ongoing security of data underlying your applications. This FAQ will provide best practice advice for using Machina data protection keys and policy controls inside Google Cloud Platform (GCP) via the Google Cloud External Key Manager (EKM) integration.
Is GCP External Key Manager regionally available? Where is Google Cloud Key Management Service (KMS) located?
Please refer to https://cloud.google.com/kms/docs/locations for current Google Cloud KMS locations. Note that this information is subject to change, so please review periodically.
Where are the Machina instances located that drive Policy controls and encryption around GCP External Key Manager?
The connector portion of the integration is a stateless web service with multiple service replicas running behind a highly available load balancer in the GCP us-west1 region. As we move into full production, we expect to expand into more regions.
What is the expected reliability associated with Ionic Security’s Machina instances?
Currently, the Ionic Security integration offers a 99.99% resiliency. Successful requests rely on the resilience of the connector, the Ionic web service, and the Ionic key service. All of these services are fully managed by Ionic and do not require any configuration by customers beyond the steps mentioned in Deploy Machina Tools for Google Cloud External Key Manager.
What is the customer-facing Service Level Agreement (SLA) with respect to Ionic Security Machina uptime?
Machina offers 99.99% uptime.
How does Ionic Security guarantee that customer keys are not accidentally deleted?
Ionic Security has a zero-deletion policy with respect to keys. We know that this is your data and we want to ensure that you have access to your data at any time, whether you stay with Ionic Security or you decide to leave. Should you decide to leave Ionic Security as an External Key Management partner solution, please contact Ionic Security Support for assistance in exporting your keys.
Does Ionic Security offer any training material or guidelines in getting started with building policies?
Absolutely! Please check out the Machina Developer Portal here:
How can I find Support for Machina?
- Via the Ionic Support Portal: https://support.ionic.com
- Via Email: email@example.com
- Phone Support is available by calling 1-844-GO-IONIC, press 0, then press 3.
Which GCP services support the Ionic and External Key Manager integration today?
Currently, the integration capabilities are supported by BigQuery (BQ) and Google Compute Engine (GCE).
Do I control the keys generated by Machina for the External Key Manager solution?
Machina was designed so that the customer can completely control and store keys. Most customers choose to deploy with the key service being customer controlled (hosted by them or in a cloud service under their control) in order to obtain this control. However, if that is not desired, the Community Tenant and Managed Tenants are available where Machina hosts the keys.
What kind of analytics does Machina provide?
Machina Console provides analytics to give you granular visibility into data access and handling activity, application usage, and user and device management activity occurring across Machina-enabled user devices. Analytics is intended for Customer Support specialists, System Analysts, Policy Auditors, and IT professionals to monitor site access through the Ionic platform. Analytics includes a variety of details, ranging from access region, IP address, key request activity, and key approve/deny activity to a granular audit trail around specific attributes, and more. For more details, please review the Machina Console Admin User Guide.
Does Machina store the encrypted data?
No. Machina orchestrates the management of encryption keys, but it never stores application data. The data may continue to flow via normal paths.
Is there a limit to the number of keys I can create in Machina?
Machina supports key management at extremely large scales. Each Machina keyspace can support up to one trillion keys, and customer tenants may have multiple keyspaces to scale even larger. There may be limits applied to free accounts in the Community Instance.
How are attributes cryptographically bound to a key?
Machina's architecture ensures the integrity of attributes end-to-end. For example, on key creation, Machina's SDKs authenticate the attribute set by including a SHA-256 digest of the attributes in AES-GCM authenticated encryption under the key shared by the endpoint and the Key Service, so any modification of the attributes in transit causes authentication to fail. Once the attributes arrive safely and intact at the Key Service, they are stored under AES-256-GCM encryption and are protected by the data key in memory and in storage. When a key is retrieved, the attributes are again transported under an authenticated cipher.
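The following Go program is an added illustration of the binding described above; it is not Ionic's SDK code, and the wire format, the canonical attribute encoding, and the use of the SHA-256 digest as AES-GCM additional authenticated data (AAD) are this example's own assumptions about how such a scheme can be built. The session key and attribute values are constructed sample data. It shows that an envelope sealed with one attribute set cannot be opened if the attributes that arrive differ, which is the property the FAQ answer relies on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Attributes are the policy attributes an application attaches to a key
// request, e.g. {"classification": "pii", "region": "us-west1"}.
type Attributes map[string]string

// canonicalize produces a deterministic encoding of the attributes so that
// both ends compute the same digest regardless of map iteration order.
// (Assumed encoding for this example: a JSON array of sorted [key, value] pairs.)
func canonicalize(attrs Attributes) []byte {
	keys := make([]string, 0, len(attrs))
	for k := range attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	ordered := make([][2]string, 0, len(keys))
	for _, k := range keys {
		ordered = append(ordered, [2]string{k, attrs[k]})
	}
	b, _ := json.Marshal(ordered) // marshalling [][2]string cannot fail
	return b
}

// AttributeDigest returns the SHA-256 of the canonical attribute encoding.
func AttributeDigest(attrs Attributes) [32]byte {
	return sha256.Sum256(canonicalize(attrs))
}

// Envelope is what travels between endpoint and key service in this model:
// the attributes in the clear, a nonce, and a ciphertext whose GCM tag also
// covers the attribute digest.
type Envelope struct {
	Attrs      Attributes
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts payload under the shared sessionKey with AES-256-GCM, binding
// the attribute digest in as additional authenticated data (AAD).
func Seal(sessionKey []byte, attrs Attributes, payload []byte) (*Envelope, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	digest := AttributeDigest(attrs)
	ct := gcm.Seal(nil, nonce, payload, digest[:])
	return &Envelope{Attrs: attrs, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recomputes the digest from the attributes that actually arrived and
// verifies the GCM tag; any change to the attributes in transit makes it fail.
func Open(sessionKey []byte, env *Envelope) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	digest := AttributeDigest(env.Attrs)
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, digest[:])
	if err != nil {
		return nil, errors.New("attribute integrity check failed: " + err.Error())
	}
	return pt, nil
}

// RoundTrip runs the honest path and a modified-attributes path. It reports
// whether the untouched envelope opened and whether the modified one was rejected.
func RoundTrip() (honestOK bool, modifiedRejected bool, err error) {
	sessionKey := make([]byte, 32) // constructed: a random 256-bit shared session key
	if _, err = rand.Read(sessionKey); err != nil {
		return
	}
	attrs := Attributes{"classification": "pii", "region": "us-west1"} // constructed sample
	env, err := Seal(sessionKey, attrs, []byte("key-create request body"))
	if err != nil {
		return
	}
	if _, err = Open(sessionKey, env); err != nil {
		return
	}
	honestOK = true
	// Same ciphertext and nonce, but the attribute set no longer matches what was sealed.
	modified := *env
	modified.Attrs = Attributes{"classification": "public", "region": "us-west1"}
	_, openErr := Open(sessionKey, &modified)
	modifiedRejected = openErr != nil
	return honestOK, modifiedRejected, nil
}

func main() {
	ok, rejected, err := RoundTrip()
	fmt.Println("untouched envelope opened:", ok, "modified envelope rejected:", rejected, "err:", err)
}
```

The design point is that the attributes never need to be encrypted to be protected from alteration: GCM's tag covers the AAD, so the receiver only has to recompute the digest from what it received and let the cipher reject a mismatch. Canonicalization matters because Go map iteration order is random; without it the two ends would compute different digests for identical attribute sets.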
How can I tell who used my keys?
Machina keeps granular information which is available via our data delivery API. A subset of this information is also displayed in the Machina console in the Analytics tab.
How much network overhead does Machina add to an application?
The Machina SDK sends encrypted 'envelopes' of data over TLS to the Machina API Service to create and fetch keys, along with other device API tasks. Machina minimizes the network overhead needed in two major ways. First, symmetric encryption is used to minimize the bytes needed for the ciphertext. Second, Machina supports bulk requests, which applications that need to make multiple requests can use to perform several operations at once. Network overhead for a key create or key fetch request varies based on the amount of metadata sent, but a typical request is about 600 bytes.
How much of a delay does Machina introduce to my application when it tries to access data?
An encryption solution introduces two types of delay: key management and encryption. Machina's cryptographic libraries are implemented to minimize delay from encrypting the data. Modern computers (including small embedded devices and mobile devices) handle AES encryption very quickly. Machina's platform is also highly optimized for quick key transactions. Although the exact time depends on the network latency from the endpoint to the API Service and from the Key Service to the API Service, transactions happen in the low hundreds of milliseconds. Contact Ionic for further details.
What principles are being employed to achieve the 99.99% reliability?
Ionic utilizes clustered systems in multiple availability zones per region for fault tolerance. In addition, data is replicated to redundant systems in a different geographic region, allowing for continuous availability of the system. In the event of a full DR scenario, DNS records are changed to point to the redundant region.
How does Ionic handle peaks in demand/throughput?
Ionic uses both internal and external performance monitoring. If additional resources are needed, additional hosts can be added.
For multi-instance customers, how does the External Key Manager provide instance isolation? How do you prevent one instance from affecting other instances?
Machina instances are logically isolated and each instance is monitored for any performance issues.
How does Ionic mitigate DoS and DDoS attacks?
Ionic Security monitors traffic via third-party vendor(s). If required, we can block/restrict IP addresses accordingly.
What are your Service Level Objectives? How do you monitor SLO?
Ionic Security maintains a 99.99% Service Level Objective. We have external and internal availability time checks in place. Some of the tools utilized to monitor are: CheckMk and Uptrends.
What is the External Key Manager internal service level objective for the API offered to GCP?
Machina offers a 99.99% internal Service Level Objective.