Hello and welcome to this, my first blog post. This topic is near and dear to my heart, from my personal experiences with data leakage from human error. Let’s dive into protecting application data using the Virtru SDK.
Many of our customers develop custom applications that store, receive, or share sensitive data, and they are concerned that AWS and S3 present a potentially large attack surface. The larger the application and the more teams involved, the more chances for errors to be introduced.
Many of our developer end users express concern about maintaining security and control of their data while working in a cloud environment. I recently worked with Sam, a full-stack developer at a web service company, to help secure their data throughout the data lifecycle.
Sam was tasked with gathering customer information in an online form, including what would be considered personally identifiable information (PII). He has control over the application and, to some extent, the environment in which the application runs.
Sam’s corporate business requirements included:
- Using server/services provisioned by the Corporate Hosting Team
- Using S3 for client application data managed by the Corporate Storage Team
- Standard development timeline (too short!)
Ensuring the security of his client’s data is now at the top of his list of personal requirements for the application.
Additionally, Sam noted the following personal requirements:
- Ensure customer data is secure
- Minimize integration headaches
- Make the approach repeatable
- Use Boto for the S3 integration
The Virtru SDK provides Sam the following benefits:
- SaaS Infrastructure — Completely managed
- Key Management — Completely managed
- Access Control — Simple policy interface to add and remove access
- Audit Logs — Access to all actions taken on secured files
- Easy Integration — Few lines of code to get it running
Upload and Encrypt

```python
virtru_upload_file(local_file, bucket, s3_file, is_virtru_encrypt=True, virtru_owner=virtru_owner)
```

Download and Decrypt

```python
virtru_download_file(bucket, s3_file, local_file, virtru_owner)
```
Sam or another designated administrator can manage Virtru encrypted files and policies in the future by storing attributes in their application database.
- Virtru Policy Id
Once these attributes are stored, Sam can:
- Revoke access to the policies; reverse that revocation if needed.
- View audit records associated with a file
- Add and remove users from the policy
- Add and remove auto-expiration from the policy
The Security Team reached out to Sam about a potential security incident. Some of the corporate S3 buckets were not configured correctly, which led to possible data exposure.
One of the exposed buckets contained the data from Sam’s application. Sam was able to revoke access to all files until the security team researched the incident and gave the ‘all clear’.
Because Sam was able to provide the security team with an audit log showing who tried to access the file and when, the security team was assured that there were no decrypt requests.
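The following is an added example, not code from the original post or from the Virtru SDK. It sketches how storing the Virtru Policy Id per S3 object in the application database makes the bucket-wide revocation described above possible. The table layout, the function names, and the `revoke_policy` callable (a stand-in for whatever SDK call performs the revocation) are assumptions, and the policy ids used with it are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS protected_files (
    bucket    TEXT NOT NULL,
    s3_key    TEXT NOT NULL,
    policy_id TEXT NOT NULL,
    revoked   INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (bucket, s3_key)
);
"""

def open_index(path=":memory:"):
    """Open (or create) the application-side index of encrypted objects."""
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def record_upload(db, bucket, s3_key, policy_id):
    """Call right after an encrypted upload succeeds, so the policy can be managed later."""
    with db:
        db.execute(
            "INSERT OR REPLACE INTO protected_files (bucket, s3_key, policy_id) "
            "VALUES (?, ?, ?)",
            (bucket, s3_key, policy_id),
        )

def revoke_bucket(db, bucket, revoke_policy):
    """Revoke every not-yet-revoked policy for objects stored in `bucket`.

    `revoke_policy` is a hypothetical callable taking a policy id; it wraps the
    real revocation call. Returns the (s3_key, policy_id) pairs that failed, so
    the incident responder can retry them instead of assuming full coverage.
    """
    rows = db.execute(
        "SELECT s3_key, policy_id FROM protected_files "
        "WHERE bucket = ? AND revoked = 0 ORDER BY s3_key",
        (bucket,),
    ).fetchall()
    failed = []
    for s3_key, policy_id in rows:
        try:
            revoke_policy(policy_id)
        except Exception:
            failed.append((s3_key, policy_id))
            continue
        with db:  # mark as revoked only after the call succeeded
            db.execute(
                "UPDATE protected_files SET revoked = 1 WHERE bucket = ? AND s3_key = ?",
                (bucket, s3_key),
            )
    return failed
```

Running `revoke_bucket` a second time touches only the objects whose revocation failed earlier, which keeps a retry during an incident cheap and idempotent.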