DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations
Building Scalable Real-Time Apps with AstraDB and Vaadin
Register Now

Trending

  • Introduction To Git
  • Replacing Apache Hive, Elasticsearch, and PostgreSQL With Apache Doris
  • Tomorrow’s Cloud Today: Unpacking the Future of Cloud Computing
  • How To Integrate Microsoft Team With Cypress Cloud

Trending

  • Introduction To Git
  • Replacing Apache Hive, Elasticsearch, and PostgreSQL With Apache Doris
  • Tomorrow’s Cloud Today: Unpacking the Future of Cloud Computing
  • How To Integrate Microsoft Team With Cypress Cloud
  1. DZone
  2. Data Engineering
  3. Data
  4. The Simple Path to Protecting and Controlling Your Application Data

The Simple Path to Protecting and Controlling Your Application Data

See how to use Ionic Machina to control and protect your application data.

Michael Floyd user avatar by
Michael Floyd
·
Oct. 15, 19 · Tutorial
Like (6)
Save
Tweet
Share
3.03K Views

Join the DZone community and get the full member experience.

Join For Free

white-locks-on-red-fence


Whether you’re a software development team lead at a prestigious financial institution assigned to redact personally identifiable information (PII) before releasing the next bankruptcy report, or you're part of a development shop that has just been contracted by a large healthcare organization to help update their systems to meet HIPAA requirements, chances are you’ve been asked to obfuscate sensitive data.

Protecting sensitive data is not an uncommon requirement when building applications. In a recent survey, 71% of companies indicated they utilized encryption for some of their data in transit; 53% utilized encryption for some of their data in storage.

If you’re one of these developers, you’re looking at cryptolibraries to solve the problem. There are a lot of cryptolibraries out there, so what differentiates Machina Tools?

  1. Key management: Well-known cryptographer, Bruce Schneier, wrote “The security of an algorithm rests in the key. If you’re using a cryptographically weak process to generate keys, then your entire system is weak.” As the team’s lead, you don’t want to invest resources in building your own KMS, especially when that could become the weak link in securing sensitive data.

  2. Policy to control access: The SDKs in Machina Tools enable developers to control access using a consistent policy framework. Describe your data using key attributes, and your data is protected throughout its lifecycle. Ionic Machina allows you to control access in real-time using a consistent policy framework.

You may also like: Data Privacy Through Shuffling and Masking – Part 1.

How Does it Work?

Using the SDKs in Machina Tools, you can generate a key, encrypt and protect your data, and return the results to your application using a single call, like so:

 cipher = ionicsdk.ChunkCipherAuto(agent) 

Here, ChunkCipherAuto() calls an instance of our Agent class, handles the key creation and key fetch, and encrypts the payload using standard AES-256 encryption.

Getting Started With the SDKs in Machina Tools

Before moving on, let’s test that. Getting started with the SDKs in Machina Tools is equally easy. Simply,

Project creation workflow

Congratulations, you’ve just encrypted and decrypted your first string. In this case, we didn’t even need to create a key. The SDK manages the entire process for us.

Working With Data Protection Keys

Quick encrypt/decrypt is great when you need to encrypt data like a file, string, or an object. But, what if you wanted to set the encryption algorithm, or encrypt parts of a record in a CSV file or a field in a database record?

The strategy here is to create encryption keys to protect each data set (like a column) or even individual pieces of data. With a key management system at your disposal, you can create as many keys as you want. As you’ll see in a moment, you can describe the specific data you are protecting using “key attributes.” Then, create policy rules to allow access based on attribute values.

First, let’s create a simple encryption key. Again, the SDKs in Machina Tools allows you to do this in your language of choice. For example, in Python you can create a new data-protection key by invoking a createkey() method like so:

 my_shiny_key = agent.createkey() 

You can also generate multiple keys and dole them out as needed.

 my_list_of_keys = agent.createkeys() 

Don’t worry, I’ll put this all together in a moment.

Access Control Using Policy

Now that your application can protect data, how do you manage who can access that data, when and under what conditions? The SDK allows you to create data protection keys and assign attributes to those keys. These attributes are programmer-defined and can be associated with policy rules residing on the Ionic platform. Those policies are centralized, so an Admin can update them, and my application doesn’t have to account for the changes. You’ve effectively separated policy from your application,

For example, you could define an attribute and value pair, sensitivity-level : confidential. That attribute-value pair acts as metadata that describes the encrypted data. You can read that attribute without decrypting the package, and you can introduce program logic to manage the payload without decrypting the actual data. This means you don’t have to embed policy decisions into your application.

First, I’ll assign an attribute-value pair to a string variable:

 mutable_attributes=”sensitivity-level, confidential” 

Notice that I’ve named this variable, mutable_attributes. Mutable attributes are attributes with values that can be updated. For example, we could increase the sensitivity-level to “highly restricted.” The Ionic platform also supports fixed attributes, which are immutable. A timestamp for the key,  my_shiny_key, for example, does not change. This is established upon key creation.

Now, let’s create a new key and attach the attributes defined earlier.

 my_shiny_key = agent.createkey(attributes=none, mutableAttributes=mutable_attributes) 

I haven’t assigned a fixed attribute because the timestamp for createkey()  is already tracked.

Now, within Ionic, policy rules defined by your organization will know how, when, and under what conditions data protected by this key can be accessed. When an application attempts to access data protected by this key, these policy rules will be evaluated, and a decision will be made to release or not.

Putting it Together

In order to focus on encryption and key management, I’ve glossed over device registration, profile management, and authentication. The SDK tutorials will walk you through these steps in any of the languages supported by the SDK Here, I’ll just show snippets of Python code.

This example creates a key, fetches the key from the key server, and updates it. First, let’s define some key attributes.

# define fixed attributes
fixed_attributes = {"data-type": ["Finance"], "region": ["North America"]}

# define mutable attributes
mutable_attributes = {"classification": ["Restricted"], "designated_owner": ["joe@hq.example.com"]}


Now, we can create the key and attach the attributes. Note the SDK also passes error codes for failed attempts.

# create new key with fixed and mutable attributes

try:

created_key = agent.createkey(attributes=fixed_attributes, mutableAttributes=mutable_attributes)

except ionicsdk.exceptions.IonicException as e:

print("Error creating a key: {0}".format(e.message))
sys.exit(-2)


Machina returns a key ID along with the key and key attributes. You can access them like so:

# display new key

print("\nNEW KEY:")
print("KeyId        : " + created_key.id)
print("KeyBytes     : " + binascii.hexlify(created_key.bytes))
print("FixedAttrs   : " + json.dumps(created_key.attributes))


Now, we can fetch the key, update its attributes, and store the results back on the key server. The tutorial mentioned above walks you through each step.

Summary

Using the SDKs in Machina Tools makes it easy to introduce crypto into your applications without the need to change program logic. As a developer, you can control data access using a consistent policy framework, and you get full visibility into all attempts to access protected data. You can build secure apps with no background in cryptography, and you can do all of this with just a few lines of code.


Further Reading

  • Transparent Data Encryption for Databases.
  • Encryption, Part 2: Public Key/Private Key Encryption.
  • Homomorphic Encryption.
Data (computing) application Database Attribute (computing) Software development

Published at DZone with permission of Michael Floyd. See the original article here.

Opinions expressed by DZone contributors are their own.

Trending

  • Introduction To Git
  • Replacing Apache Hive, Elasticsearch, and PostgreSQL With Apache Doris
  • Tomorrow’s Cloud Today: Unpacking the Future of Cloud Computing
  • How To Integrate Microsoft Team With Cypress Cloud

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com

Let's be friends: