Machina gives you the ability to enforce powerful data access policy with just a few lines of code, providing a consistent, seamless way to assure the ongoing security of data underlying your applications. This article will provide best practice advice for using Machina data protection keys and policy controls inside Google Cloud Platform (GCP) via the Google Cloud External Key Manager (EKM) integration.
Performance & Reliability
Currently, the Ionic integration offers 99.99% resiliency. A successful request depends on the resilience of three components: the connector, the Ionic web service, and the Ionic key service. All three are fully managed by Ionic and require no configuration by customers beyond the steps described in Deploy Machina for Google External Key Manager.
- The connector portion of the integration is a stateless web service with multiple service replicas running behind a highly available load balancer in the GCP us-west1 region.
- The Ionic web service runs on managed cloud infrastructure with independent application layer replicas and clustered databases, all deployed across multiple regions and cloud providers. Machina is designed to handle the loss of an entire region or cloud provider and remain operational. Region and datacenter level problems are mitigated by steering traffic via the DNS record for api.ionic.com, which has a TTL of 120 seconds; clients should honor that TTL rather than caching the resolved address for longer, or failover will be delayed.
- The key service tier runs separately from the web tier. Like the web tier, it is configured with independent application layer replicas and clustered databases. Although Ionic-managed key servers are currently limited to a single region, they run across multiple availability zones within that region.
While other components of Machina are multi-region and redundant, the Google EKM integration is deployed to the us-west1 region only. Use this integration with GCP projects and Cloud KMS keys in the us-west1 region, and avoid using Ionic-backed EKM keys with multi-region services until additional regions are supported. Note that a Cloud KMS key ring is bound to its location when it is created and cannot be moved, so create the key rings that will hold Ionic-backed keys in us-west1 from the start. If this poses problems for your use case, please reach out to Ionic support to let us know.
The instructions in Deploy Machina for Google External Key Manager provide a starting set of policies for controlling access to the keys used to protect resources in GCP projects.
Additional policies can be authored to restrict access to certain keys, e.g. based on time of day, or to prevent access to a key after a given date. You can author these policies and scope them to individual Ionic keys, but we recommend instead authoring policies that control data use based on key attributes, adding these attributes to Ionic Machina keys as they are created. A policy scoped by attribute then applies automatically to every key that carries the attribute, including key versions created after the policy was written, without the policy being re-authored for each new key.
Attributes on Ionic Machina keys
In this integration each Ionic Machina key is mapped to a single GCP KMS CryptoKeyVersion (CKV). To ease management, we recommend adding a common set of attributes to all Ionic Machina keys that will back CKVs of the same CryptoKey (CK), for example the CK's project, location and resource name.
Additional attributes can be added to the individual Ionic Machina keys mapped to each CKV to allow different versions of a key to be managed differently via Ionic Machina policy.
Ionic Machina data key attributes make it simple to enforce different access controls for data protected with different keys. If your needs require more granular and varied controls, we recommend creating more GCP KMS CKVs mapped to different Ionic Machina keys.
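The following is an added illustration of the attribute-based approach described above. It is not Ionic's SDK, policy language or the project's own code: it models, in plain Python, one CryptoKey whose two versions are backed by two Ionic keys sharing CK-level attributes, with a business-hours rule scoped to the CK and a retirement rule scoped to a single CKV. The attribute names (gcp-project, gcp-location, gcp-ck, gcp-ckv), the rule semantics and the sample keys are all assumptions made for the example.

```python
# Added illustrative model of attribute-scoped key release policy.
# Not the Ionic Machina SDK or policy language; attribute names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class IonicKey:
    """An Ionic Machina key mapped to one GCP KMS CryptoKeyVersion (CKV)."""
    key_id: str
    attributes: dict


@dataclass(frozen=True)
class Rule:
    """A policy rule scoped by key attributes rather than by key id."""
    name: str
    match: dict                                # every listed attribute must match
    allowed_hours_utc: Optional[tuple] = None  # half-open (start, end), e.g. (8, 18)
    not_after: Optional[datetime] = None       # deny release after this instant


def rule_matches(rule, key):
    """A rule applies to a key only if all of its match attributes are present."""
    return all(key.attributes.get(k) == v for k, v in rule.match.items())


def rule_denies(rule, now):
    """Return a reason string if the rule denies release at `now`, else None."""
    if rule.allowed_hours_utc is not None:
        start, end = rule.allowed_hours_utc
        if not (start <= now.hour < end):
            return f"{rule.name}: outside allowed hours {start:02d}:00-{end:02d}:00 UTC"
    if rule.not_after is not None and now > rule.not_after:
        return f"{rule.name}: key retired after {rule.not_after.isoformat()}"
    return None


def evaluate(rules, key, now):
    """Default-deny: release only if some rule covers the key and none denies."""
    applicable = [r for r in rules if rule_matches(r, key)]
    if not applicable:
        return False, "no policy covers this key"
    for rule in applicable:
        reason = rule_denies(rule, now)
        if reason:
            return False, reason
    return True, "allowed by " + ", ".join(r.name for r in applicable)


# Constructed sample: one CryptoKey (CK) in us-west1 with two versions (CKVs).
# The CK-level attributes are shared; only the CKV attribute differs per version.
CK = "projects/demo/locations/us-west1/keyRings/ekm-ring/cryptoKeys/app-cmek"
COMMON = {"gcp-project": "demo", "gcp-location": "us-west1", "gcp-ck": CK}
KEY_V1 = IonicKey("ionic-key-aaaa", {**COMMON, "gcp-ckv": "1"})
KEY_V2 = IonicKey("ionic-key-bbbb", {**COMMON, "gcp-ckv": "2"})
UNRELATED = IonicKey("ionic-key-cccc", {"gcp-project": "other"})

RULES = [
    # Scoped to the CK: applies to every version, current and future.
    Rule("ck-business-hours", match={"gcp-ck": CK}, allowed_hours_utc=(8, 18)),
    # Scoped to one CKV: retires version 1 without touching version 2.
    Rule("ckv1-retired", match={"gcp-ck": CK, "gcp-ckv": "1"},
         not_after=datetime(2024, 1, 1, tzinfo=timezone.utc)),
]


def demo():
    """Evaluate the sample keys at a few instants; returns {case: (allowed, reason)}."""
    noon = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    night = datetime(2024, 6, 1, 22, 0, tzinfo=timezone.utc)
    before_retirement = datetime(2023, 6, 1, 10, 0, tzinfo=timezone.utc)
    return {
        "v2_noon": evaluate(RULES, KEY_V2, noon),
        "v2_night": evaluate(RULES, KEY_V2, night),
        "v1_noon": evaluate(RULES, KEY_V1, noon),
        "v1_before_retirement": evaluate(RULES, KEY_V1, before_retirement),
        "unrelated": evaluate(RULES, UNRELATED, noon),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The point of the model is the scoping: adding a third CKV backed by a new Ionic key that carries the same gcp-ck attribute brings it under the business-hours rule with no policy change, while the retirement rule stays confined to the single version it names. Real Machina policies are authored in the Machina console against the attributes you attach at key creation, not with this code.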