Machina gives you the ability to enforce powerful data access policies with just a few lines of code, providing a consistent, seamless way to assure the ongoing security of the data underlying your applications. This article explains how to use the Google EKM justification attribute in Machina data access policies from the Machina Console.
EKM Justification Attribute
Key justification attributes are sent from Google Cloud KMS through the Google EKM interface to Ionic's Google EKM integration and from there to Ionic Machina. The Ionic EKM integration and Ionic Machina process the justification attributes whenever they are present; you do not need to enable this functionality in Machina. When you write Machina data access policies, access to keys is determined by those policies and by the value (or absence) of the justification attribute on each request.
To view the attribute, go to Machina Console -> Analytics -> Activity. In the log, select the key request you are interested in, then go to the Environment Attributes section at the bottom of the page.
The Google EKM justification attribute reaches Ionic Machina as a name/value pair in the request metadata, which the console displays as an environment attribute. The attribute name is access-reason.ekm.cloud.google.com. Possible values are:
Ionic Machina Data Access Policies
Ionic Machina data access policies determine whether a key request is allowed or denied based on the request context, which includes the attributes on the key being requested, the metadata associated with the request, the entity making the request, and other factors.
Writing a data policy for Google EKM justification
To write a data policy for Google EKM justification:
- In the Machina Console, click on Data Policies.
- Click Create Data Policy, enter a name for the policy, and click Create.
- Click Enable Policy to activate the policy.
- Click Create Rule.
- Click Deny, then Advanced. Follow the next steps very carefully.
- Click in the Attribute field on the left and type “environment:access-reason.ekm.cloud.google.com” and press Enter.
- In the Attribute field, select “specific values” in the dropdown.
- A new field will appear to the right. In that field, type the justification value(s) you want the rule to match. For example, type "CUSTOMER_INITIATED_SUPPORT" and press Enter. You can enter as many justification values as you like in this field.
- After you have entered the values you want, click Create.
After the policy has been created, you can go back to the policy rule and add and remove justification values as desired.
Creating an Allow All policy
For demos, it is easiest to create a data policy named "Allow All" that allows every key request that is not explicitly denied by another policy. Deny rules take precedence, so the Justification policy still blocks the requests it matches.
To create an Allow All policy:
- Click on Data Policies on the Machina Console.
- Click Create Data Policy, enter a name for the policy (“Allow All”), and click Create.
- Click Enable Policy to activate the policy.
- Click Create Rule, then click Create without making any changes.
Demoing Google EKM Justification with Ionic Machina Policies
The most effective demos using the Machina Console show two requests for access:
- The first request shows the data access being allowed. To set this up, disable the Justification policy.
- The second shows the same data access being denied simply by changing the state of the policy in the console. To set this up, enable the Justification policy.
Make sure that the requests from Google EKM contain the correct justification value to be denied by
After each request, the presenter can go to the Analytics / Activity page and show the actual key request, the environment attribute values that were part of the request, and the policy evaluations that produced the decision (screenshot above). As a presenter, keep in mind that a policy change can take up to a minute to take effect, and that a key request can take a few seconds to appear in the key request log. If the request is not there yet, refresh the page until it appears.
More on Machina Data Access Policies
Machina data access policies compose much like statements in a small rule language and can be combined to fit almost any use case.
Considering the above scenario with an Allow All policy, you can set up the Justification policy in any of the following ways:
- Deny access if the justification attribute has a specific value (as detailed above).
- Deny access if the justification attribute does not have a specific value.
You can also set up the Justification policy without an Allow All policy, in which case the policy itself must grant access:
- Allow access if the justification attribute has a specific value.
- Allow access if the justification attribute does not have a specific value.
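To make the four policy shapes above and the enable/disable demo concrete, here is an added example (it is not Machina's code or documentation) that models how such rules combine: a request context holds the environment attributes, a policy holds rules with an allow or deny effect, and the evaluator applies deny-overrides semantics with a default deny when nothing matches. Those combination semantics are an assumption inferred from this page, not a description of Machina's engine. The attribute name is the one used in the console; CUSTOMER_INITIATED_ACCESS appears only as an illustrative second value.

```python
# Added example: a small model of how Machina-style data access policies combine.
# This is not Machina's policy engine; the combination semantics are an assumption
# drawn from this page (an Allow All policy permits whatever no policy explicitly denies).
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Attribute name exactly as it is typed into the Machina Console rule editor.
JUSTIFICATION_ATTR = "environment:access-reason.ekm.cloud.google.com"


@dataclass(frozen=True)
class Rule:
    effect: str                      # "allow" or "deny"
    attribute: Optional[str] = None  # None: the rule matches every request (Allow All)
    values: FrozenSet[str] = frozenset()
    negate: bool = False             # True: match when the attribute does NOT have one of `values`

    def matches(self, context: Dict[str, str]) -> bool:
        if self.attribute is None:
            return True
        value = context.get(self.attribute)  # None when the attribute is absent from the request
        has_value = value is not None and value in self.values
        # A "does not have a specific value" rule also matches an absent attribute,
        # so a request carrying no justification is caught by it (model assumption).
        return (not has_value) if self.negate else has_value


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    enabled: bool = True  # toggled with Enable Policy in the console


def evaluate(policies: List[Policy], context: Dict[str, str]) -> Tuple[str, List[str]]:
    """Decide a key request. Returns (decision, names of policies whose rules matched).

    Model: an explicit deny from any enabled policy wins; otherwise at least one
    matching allow rule is required; if nothing matches, the request is denied.
    """
    matched: List[str] = []
    decision = "deny"
    for policy in policies:
        if not policy.enabled:
            continue
        for rule in policy.rules:
            if rule.matches(context):
                matched.append(policy.name)
                if rule.effect == "deny":
                    return "deny", matched
                decision = "allow"
    return decision, matched


def allow_all() -> Policy:
    return Policy("Allow All", [Rule("allow")])


def deny_justification(values, enabled: bool = True, negate: bool = False) -> Policy:
    rule = Rule("deny", JUSTIFICATION_ATTR, frozenset(values), negate)
    return Policy("Justification", [rule], enabled)


def allow_justification(values) -> Policy:
    return Policy("Justification", [Rule("allow", JUSTIFICATION_ATTR, frozenset(values))])


# Constructed request contexts, shaped like the Environment Attributes the console shows.
SUPPORT_REQUEST = {JUSTIFICATION_ATTR: "CUSTOMER_INITIATED_SUPPORT"}
OTHER_REQUEST = {JUSTIFICATION_ATTR: "CUSTOMER_INITIATED_ACCESS"}  # illustrative value
NO_JUSTIFICATION: Dict[str, str] = {}                              # attribute absent


def demo() -> Dict[str, str]:
    """Decisions for the policy shapes on this page plus the enable/disable demo."""
    deny_support = deny_justification({"CUSTOMER_INITIATED_SUPPORT"})
    deny_support_off = deny_justification({"CUSTOMER_INITIATED_SUPPORT"}, enabled=False)
    deny_unless_access = deny_justification({"CUSTOMER_INITIATED_ACCESS"}, negate=True)
    allow_only_access = allow_justification({"CUSTOMER_INITIATED_ACCESS"})
    return {
        # Allow All + deny if the justification has a specific value
        "deny_specific/support": evaluate([allow_all(), deny_support], SUPPORT_REQUEST)[0],
        "deny_specific/other": evaluate([allow_all(), deny_support], OTHER_REQUEST)[0],
        "deny_specific/absent": evaluate([allow_all(), deny_support], NO_JUSTIFICATION)[0],
        # Same rule with the Justification policy disabled (first demo request)
        "deny_specific_disabled/support": evaluate([allow_all(), deny_support_off], SUPPORT_REQUEST)[0],
        # Allow All + deny if the justification does NOT have a specific value
        "deny_unless/other": evaluate([allow_all(), deny_unless_access], OTHER_REQUEST)[0],
        "deny_unless/absent": evaluate([allow_all(), deny_unless_access], NO_JUSTIFICATION)[0],
        # No Allow All: allow only a specific value, everything else falls to default deny
        "allow_specific/other": evaluate([allow_only_access], OTHER_REQUEST)[0],
        "allow_specific/support": evaluate([allow_only_access], SUPPORT_REQUEST)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32s} -> {decision}")
```

The "deny if not a specific value" case is the one to check before a demo: because a negated rule also matches a request with no justification attribute at all, requests that arrive without one are denied under that shape, whereas under "deny if a specific value" they are allowed.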
Ionic Machina can also make decisions about many other factors such as the person or system making the request and attributes defined on the key when it was created.