Implement Object-Level Encryption and Policy With OpenTDF – DevOps.com

With an exponential increase in data being generated, stored and shared online, the issue of data security no longer belongs to IT alone. Software and application developers have been put on notice, along with business owners and legal teams worldwide, not only to maintain data privacy but to build more secure products. There's no easy solution. However, there are resources readily available for devs to build security into the fabric of their products. One is called OpenTDF, an open source project that lets you integrate encryption and data policy controls into your new and existing apps to safeguard your data, and the sharing of it, for you as well as your users.

TDF, the trusted data format, was originally developed by the United States National Security Agency (NSA). It's an open standard for object-level encryption that keeps data protected and under the data owner's control, wherever it's created or shared. TDF includes cryptographically secured metadata that ensures consistent policy control throughout the data life cycle. Picture this: You can grant, revoke or turn off data access at any time, even if the data has left your network or application.

OpenTDF is an open source project that evolves the open TDF specification and provides a blueprint for getting started. There are a multitude of example applications that demonstrate the implementation logic, as well as streaming video and IoT use cases.

The OpenTDF project is based on Kubernetes and OCI containers, and there is a quick start guide to get you up and running with a development environment. The quick start process will install supplemental services like Keycloak as well as project-specific services like the key access service (KAS) and Abacus (an ABAC front end for configuration and management of attribute-based access control). Once you've completed a quick start installation, you'll have a basic OpenTDF cluster with a Keycloak identity provider, a PostgreSQL data store and a single entry point at localhost with an Nginx ingress controller.

There's an architectural diagram available on GitHub showing all of the services and service interactions.

Several SDKs are available for building on the OpenTDF framework, including JavaScript, Python, C++ and Java. The client SDKs generally include basic examples for identity auth and creating a TDF-protected encrypted object.

Have you ever wondered how to make data access secure and simple? Using OpenTDF, developers can create that experience for their users. Let's walk through a sample web application that uses OpenTDF to encrypt and upload data to cloud storage.

The application we'll be using is called OpenTDF Secure Remote Storage. It's a React-based example that shows developers how to create encrypted data streams. These streams allow you to upload and download files from S3-compatible remote data stores while maintaining data protection. You can even remove encryption if needed.

To make things easy, we'll be using OpenTDF's client-web SDK, which authenticates against Keycloak using OpenID Connect (OIDC). Keep in mind that this example runs on your local machine. It's not designed for cloud or enterprise services.

Prerequisites: You'll need an S3-compatible object store, like an Amazon S3 bucket. (You can create one for free here.)

First, install two CLI tools: Kind and Tilt. These will be used to deploy the OpenTDF services to your local machine. If you're on macOS, you can install them with a simple Homebrew command: brew install kind tilt.

Next, you will need the sample code on your local machine. You can either download the zip or clone the OpenTDF GitHub Repository using the following command: git clone git@github.com:opentdf/opentdf.git. This will create a directory called opentdf in your current location.

Now, navigate to the root directory of the sample application: cd opentdf/examples/secure-remote-storage. To deploy OpenTDF, you'll need a local Kubernetes cluster. Use the Kind CLI to create one: kind create cluster --name opentdf.

Finally, start the application using Tilt: tilt up. This will launch the necessary OpenTDF services.

1. To begin, go to http://localhost:65432/secure-remote-storage in your web browser. This is where the Secure Remote Storage webpage is hosted.

2. Now, it's time to log in. Use the following credentials (defined in the bootstrap's config file): Username: user1, Password: testuser123

3. Then, choose a file from your computer to upload. It can be anything: a text file, a PDF or an image. Let your creativity flow! If you don't have a file handy, no worries. You can download an image by right-clicking on it and selecting Save As from this link.

4. Next, tell the application where to store your encrypted file. Provide the JSON object that defines your S3-compatible object store. You can refer to the prerequisites for more details. (Optionally, you can save the configuration for future uploads. Just give it a name and click Save. This way, you won't need to define the object store again in the future.)

5. Now, it's time to encrypt and upload. Click the encrypt and upload button, and watch the magic happen!

What's happening behind the scenes? When you click encrypt and upload, the application uses the OpenTDF API to convert your selected file into a .tdf file. It applies AES-GCM encryption and attaches access controls to ensure that only authorized users, like you (in this case, testuser123), can access the data. Even if your data store is public, your data remains secure.

6. Ready to view and download your uploaded file? The table on the webpage lists all the files you've successfully uploaded. Each file has a download button next to it. Click that button, and the hosted file will be downloaded and decrypted on your local file system.

Excited to explore more? Now that you've seen OpenTDF in action, you can dive into the source code of this application. Use this sample application as a starting point to integrate OpenTDF into your own secure applications.

From a secure webcam app to a privacy-forward menstrual tracking app and more, the possibilities are endless with OpenTDF, and the future is in developers' hands. By building on OpenTDF, the valuable data flowing through your applications will be protected forever.

Learn more about OpenTDF at openTDF.io, and get the full quick-start guide, including more detailed instructions and other sample apps at the OpenTDF GitHub.

Cassandra Zimmerman, technical product manager at Virtru, contributed to this article.
