Automate Your Cloud Storage Security with AWS and IBC S6 from Ionburst

By Simon Kuhn, Partner Solutions Architect – AWS
By Sophie Lanc, Chief Creative Technology Officer – Ionburst

Ionburst

Ionburst is an AWS Partner that was founded in 2018 on the underlying principle that data privacy is a human right. Its mission is to provide data privacy as part of the cloud, not only as a default posture but as the only posture.

In this post, we will show you how Ionburst Cloud’s private-by-default storage solution, called IBC S6 (Simple Secure Sovereign Scalable Storage Service), is helping customers take advantage of Amazon Simple Storage Service (Amazon S3) whilst reducing risk due to misconfiguration or malice.

This post has relevance to all customers who have no requirement for public buckets, either directly or via static websites. There’s a special focus on security-conscious developers, who may desire a consistent security posture across all buckets with no configuration overhead, or may not possess in-house Amazon Web Services (AWS) skills to confidently adopt S3 object storage.

Challenges

Security in the AWS Cloud is a shared endeavor between customers and AWS. The Shared Responsibility Model outlines the responsibility of AWS in securing the cloud, and just as importantly outlines the customers’ responsibility in securing their own workloads in the cloud.

Figure 1 – AWS Shared Responsibility Model.

In the context of storage, Amazon S3 has many parameters that can be configured to meet myriad use cases. Configuring S3 buckets securely for each use case falls within the customers’ responsibility in the Shared Responsibility Model.

Developers unfamiliar with AWS, or in heavily regulated sectors, who would ordinarily benefit from the flexibility, reliability, and availability of S3 object storage, can sometimes be hesitant to adopt S3 for their storage needs.

With the IBC S6 service, customers can take full advantage of S3’s reliability and availability, with full confidence their storage resources are fully private and secured using industry and AWS best practices while also preventing compliance drift over time.

Customers can also have full confidence their data will remain private and secure regardless of accidental misconfiguration or malicious intent, due to IBC S6 not supporting public bucket configurations.

What is IBC S6?

IBC S6 is a platform-as-a-service (PaaS) storage offering that provides an abstraction layer between the client and Amazon S3 that keeps your data protected, anonymized, and pseudonymized while in-transit and at rest.

Figure 2 – Ionburst Cloud bridges the security gap between data and the cloud.

IBC S6 was developed with the aim of providing private-by-default object storage. As such, it’s a fully managed secure cloud object store created to ensure data cannot be exposed publicly, or accessed by unauthorized and unauthenticated parties.

Intentionally built with a minimal feature set, IBC S6 provides automatic privacy, security, resilience, and sovereignty for each object stored. It achieves this by automatically encrypting and fragmenting each object to provide unique security, privacy, and resilience at the asset level. These redundant fragments are then distributed across multiple private, fully managed cloud stores on Amazon S3 to ensure on-demand data recovery.

IBC S6 assumes the security responsibility from customers for data encryption, key management, and infrastructure configuration. This ensures continuous data security compliance with predefined security policies and industry standard practices, preventing incidents of non-conformance.

Getting Started with IBC S6

IBC S6 is available directly through the Ionburst Cloud Platform and from AWS Marketplace, with a free tier available for each channel. In addition, IBC S6 listings on AWS Marketplace are available as both pay-as-you-go and monthly subscriptions.

As a developer-first service, IBC S6 uses an API-first approach, with a growing collection of client integrations, developer tools, and open-source SDKs; currently available for .NET, Node.js, Python, and Go.

IonFS CLI provides a selection of useful client-side features for customers storing objects on IBC S6—namely, large file and object chunking, client-side encryption, and customer-controlled metadata management.

Accessing Your Data

Parties are completely private containers that protect and store objects on IBC S6. A party is similar to an S3 bucket, with one main difference—they are always private-by-default.

Access is only available to users, or services using API credentials generated for a specific party. Neither objects nor API credentials can be shared between different parties.

Objects stored on IBC S6 are only accessible through an authenticated request by their owner. All fragments are unidentifiable, unattributable, and indecipherable to both Ionburst Cloud and AWS.

Protecting, Processing, and Encrypting Customer Data

Each object stored by IBC S6 is protected using a layered implementation of service, infrastructure, and data asset-level security and resilience approaches.

Each Ionburst Cloud region is geo-fenced and maps to its corresponding AWS region. This ensures the sovereignty and privacy compliance of all data. Once uploaded, data is never processed or stored outside the chosen region.

Each object protected by IBC S6 is encrypted with its own uniquely generated key. In addition, IBC S6 assumes the key management overhead for the data it protects in the cloud.

IBC S6 uses only industry standard, open source, authenticated (AEAD) cryptographic methods, to ensure the confidentiality and integrity of all data stored.

Fully Managed Secure Cloud Storage

The Ionburst Cloud Platform provides automatic security on fully managed infrastructure. Fully managed secure storage describes the additional responsibility IBC S6 assumes on behalf of every customer storing data in the cloud.

When using IBC S6, the Shared Responsibility Model looks as follows.

Figure 3 – Shared responsibility for security and compliance.

Basic Usage for IonFS CLI

• Listing classifications
• PUT – Uploading objects to IBC S6
• GET – Downloading objects from IBC S6
• DELETE – Deleting objects from IBC S6

Listing Classifications

Objects can be secured by IBC S6 according to available security policies. IonFS CLI can be used to query the classifications currently available to an Ionburst Cloud party.

To list available classifications, the following can be used:

ionfs policy

Example output:

[sophie@ionfs-example ~]$ ionfs policy
____ ___________
/ _/___ ____ / ____/ ___/
/ // __ \/ __ \/ /_ \__ \
_/ // /_/ / / / / __/ ___/ /
/___/\____/_/ /_/_/ /____/
Available Classifications:
2:Restricted

Protecting Data with PUT, GET, and DELETE

Most importantly, users can look at uploading (PUT), downloading (GET), and deleting objects from IBC S6 using IonFS CLI. In these examples, we’ll use a file called my-file.txt

echo "We may guard your data, but we'll never take its freedom" > my-file.txt

PUT

We can now upload our file to IBC S6:

ionfs put my-file.txt ion:// -c Restricted

Example output:

[sophie@ionfs-example ~]# ionfs put my-file.txt ion:// -c Restricted

[sophie@ionfs-example ~]# ionfs ls
____ ___________
/ _/___ ____ / ____/ ___/
/ // __ \/ __ \/ /_ \__ \
_/ // /_/ / / / / __/ ___/ /
/___/\____/_/ /_/_/ /____/ v0.3.0
Directory of ion://example/
my-file.txt 08/16/2022 12:49:04

GET

We can now retrieve our file:

ionfs get ion://my-file.txt my-file-get.txt

Example output:

[sophie@ionfs-example ~]# ionfs get ion://example/my-file.txt my-file.txt

[sophie@ionfs-example ~]# ionfs get ion://example/my-file.txt my-file-get.txt

[sophie@ionfs-example ~]# ls -lah my-file*
-rw-r--r--. 1 sophie sophie 57 Aug 16 12:50 my-file-get.txt
-rw-r--r--. 1 sophie sophie 57 Aug 16 12:49 my-file.txt

[sophie@ionfs-example ~]$ cat my-file-get.txt
We may guard your data, but we'll never take its freedom

DELETE

Finally, we can delete our file from IBC S6:

ionfs del ion://my-file.txt

Example output:

[sophie@ionfs-example ~]# ionfs del ion://my-file.txt

[sophie@ionfs-example ~]# ionfs ls
____ ___________
/ _/___ ____ / ____/ ___/
/ // __ \/ __ \/ /_ \__ \
_/ // /_/ / / / / __/ ___/ /
/___/\____/_/ /_/_/ /____/ v0.3.0
Directory of ion://example/
Remote directory is empty

Customer Success Story

Ionburst is proud to be part of the Storm Cloud Community, supporting the Royal Navy and British Defense to bring cutting-edge, cloud-based technology to the frontline.

Ionburst was one of the 20 teams that were accelerated into the Storm Cloud Community, which was made up of AWS Partners, VC startups, small medium enterprises, and defense primes with teams of all scale and size. IBC S6 was used in a successful defense proof-of-concept project involving AWS and the Royal Navy.

IBC S6 has also been successfully adopted by technology organizations serving the heavily regulated financial sector, like Birnam Wood which wanted to strengthen its cloud data security posture by placing its trust in IBC S6. This allowed Birnam Wood to protect its data from downtime, low trust networks, leaks, sophisticated cloud-based security events, and ransomware on AWS.

Conclusion

In this post, we have highlighted how customers can offset the responsibility of configuring and maintaining secure cloud storage on Amazon S3 by employing IBC S6.

We explored how IBC S6 integrates with S3, how customer data is secured, randomized, and anonymized, and explored the customer benefits of instant and guaranteed guardrails. We also provided some basic usage instructions using the IonFS CLI to highlight the ease of use of the service.

For additional information or guidance, you can get in touch with Ionburst or visit the Ionburst website.

.

.

Ionburst – AWS Partner Spotlight

Ionburst in an AWS Partner that was founded in 2018 on the underlying principle that data privacy is a human right. Its mission is to provide data privacy as part of the cloud, not only as a default posture but as the only posture.

Contact Ionburst | Partner Overview | AWS Marketplace