Creating Policies
This section describes steps to create policies using the CTE API. CTE supports Standard, LDT, COS, and IDT policies. Different types of policies can have different types of security and key rule requirements, as described in the sections below. Also, key uses can be different based on the types of policies they are used with. Refer to Creating Keys for details.
Click the following tabs for policy-specific details, requirements, and samples.
Creating Standard Policies
A STANDARD policy should contain security rules and/or key rules. At least one of these rules must be added to the standard policy.
The security rules define the access permissions based on the policy elements (user sets, resource set, and process sets). The key rules define what key is used for encryption and decryption of data.
In the following sample, in the security rule:
-
All users in the user set "Sample_User_Set1" have read/write access on the processes in the process set "Sample_Process_Set1" and resources in the resource set "Sample_Resource_Set1".
-
When a user of "Sample_User_Set1" performs any operation, the policy with the key "Sample_StandardPolicyKey" is applied.
API
/v1/transparent-encryption/policies/
Sample
{
"never_deny": false,
"security_rules": [
{
"process_set_id": "Sample_Process_Set1",
"resource_set_id": "Sample_Resource_Set1",
"user_set_id": "Sample_User_Set1",
"exclude_user_set": false,
"exclude_resource_set": false,
"exclude_process_set": false,
"partial_match": true,
"action": "read,write",
"effect": "permit,audit,applykey"
},
{
"process_set_id": "",
"resource_set_id": "",
"user_set_id": "",
"exclude_user_set": false,
"exclude_resource_set": false,
"exclude_process_set": false,
"partial_match": true,
"action": "all_ops",
"effect": "deny,audit"
}
],
"policy_type": "Standard",
"key_rules": [
{
"key_id": "Sample_StandardPolicyKey"
}
],
"name": "Sample_Standard_Policy",
"description": "This is a sample for a Standard policy."
}
Creating LDT Policies
An LDT policy should contain at least one non-exclusion key rule. The security rules define the access permissions based on the policy elements (user sets, resource set, and process sets).
An LDT policy has two sets of keys, one is the current key and the other is transformation key.
-
Current key: The key with which the data is encrypted before any transformation. If the data is in plaintext, then the current key should be set as "clear_key".
-
Transformation key: The key with which the data is to be encrypted. This key must be VERSIONED so that multiple key versions can be created as and when required.
In the following sample, in the security rule:
-
All users in the user set "Sample_User_Set1" have "all_ops" access on the processes in the process set "Sample_Process_Set1" and resources in the resource set "Sample_Resource_Set1".
-
The key rule indicates that the data on which encryption will be performed is plaintext (the current key as "clear_key"). The data will be encrypted with the transformation key "Sample_LDTPolicyKey".
API
/v1/transparent-encryption/policies/
Sample
{
"never_deny": false,
"security_rules": [
{
"action": "key_op",
"effect": "permit,applykey",
"type": "default"
},
{
"process_set_id": "Sample_Process_Set1",
"resource_set_id": "Sample_Resource_Set1",
"user_set_id": "Sample_User_Set1",
"exclude_user_set": false,
"exclude_resource_set": false,
"exclude_process_set": false,
"partial_match": true,
"action": "all_ops",
"effect": "permit,audit,applykey"
}
],
"policy_type": "LDT",
"ldt_key_rules": [
{
"is_exclusion_rule": false,
"current_key": {
"key_id": "clear_key"
},
"transformation_key": {
"key_id": "Sample_LDTPolicyKey"
}
}
],
"name": "Sample_LDT_Policy",
"description": "This is a sample for an LDT policy."
}
Creating COS Policies
A COS policy should contain security rules and/or key rules. At least one of these rules must be added to the COS policy.
The security rules define the access permissions based on the policy elements (user sets, resource set, and process sets). The key rules define what key is used for encryption and decryption of data.
Note
COS policies support the "CBC_CS1" keys only.
In the following sample, in the security rule:
-
All users in the user set "Sample_User_Set1" have read/write access on the processes in the process set "Sample_Process_Set1" and resources in the resource set "Sample_Resource_Set1".
-
When a user of "Sample_User_Set1" performs any operation, the policy with the key "Sample_COSPolicyKey" is applied.
API
/v1/transparent-encryption/policies/
Sample
{
"never_deny": false,
"security_rules": [
{
"process_set_id": "Sample_Process_Set1",
"resource_set_id": "Sample_Resource_Set1",
"user_set_id": "Sample_User_Set1",
"exclude_user_set": false,
"exclude_resource_set": false,
"exclude_process_set": false,
"action": "all_ops",
"effect": "permit,audit,applykey"
}
],
"policy_type": "Cloud_Object_Storage",
"key_rules": [
{
"key_id": "Sample_COSPolicyKey"
}
],
"name": "Sample_COS_Policy",
"description": "This is a sample for a COS policy."
}
Creating IDT Policies
An IDT policy should contain security rules and/or key rules. At least one of these rules must be added to the standard policy.
The security rules define the access permissions based on the policy elements (user sets, resource set, and process sets). The key rules define what key is used for encryption and decryption of data.
Note
IDT policies support the "XTS" keys only.
In the following sample, in the security rule:
-
All users in the user set "Sample_User_Set1" have read/write access on the processes in the process set "Sample_Process_Set1" and resources in the resource set "Sample_Resource_Set1".
-
When a user of "Sample_User_Set1" performs any operation, the policy linked with the key "Sample_IDTPolicyKey" is applied.
API
/v1/transparent-encryption/policies/
Sample
{
"never_deny": false,
"security_rules": [
{
"process_set_id": "Sample_Process_Set1",
"resource_set_id": "Sample_Resource_Set1",
"user_set_id": "Sample_User_Set1",
"exclude_user_set": false,
"exclude_resource_set": false,
"exclude_process_set": false,
"partial_match": true,
"action": "all_ops",
"effect": "permit,audit,applykey"
}
],
"policy_type": "IDT",
"idt_key_rules": [
{
"current_key": "clear_key",
"transformation_key": "Sample_IDTPolicyKey"
}
],
"name": "Sample_IDT_Policy",
"description": "This is a sample for an IDT policy."
}