OCCRP migrates from GKE to Constellation for end-to-end confidentiality

The Organized Crime and Corruption Reporting Project (OCCRP) is an international NGO composed of investigative journalists, media organizations, and activists who work together to expose organized crime and corruption around the world.

Fighting against corrupt banks, law firms, registration agents, and lobbyists that they call the "criminal services industry", OCCRP works in regions including South America, Eastern EU, Polynesia, and Africa. As an organization, OCCRP has been responsible for some of the most impactful investigations of the past decades, such as the Panama Papers and the Credit Suisse leaks.

To accomplish its challenging goals, OCCRP leans not only on the work of its journalistic network and partners like the BBC and The Guardian but also on sophisticated technical tooling. OCCRP's project Aleph provides a "global archive of research material for investigative reporting" and the OCCRP hosts many terabytes of sensitive, confidential data from sources, whistleblowers, investigations, and archives.

While for many companies, a data breach or a loss of sensitive information could cost a fortune, for the activists and journalists working with OCCRP, even the smallest data leak could severely impact their lives. Therefore, engineers at OCCRP invest significant effort to keep the journalists and activists connected to this information safe.

Challenge

Initially, the material resided on a GKE cluster. However, conscious of how sensitive the data they handled was, security engineers at OCCRP needed a better solution. This solution would need to keep the data encrypted in all states, isolate clusters from the underlying infrastructure in case of a compromise, as well as ensure and proof that the cloud provider or malicious entities never get access.

With their existing setup, OCCRP experienced three main issues:

Cumbersome and patchy encryption

- While GCP does offer encryption for storage, the encryption is handled in the backend and managed by Google. OCCRP would need to rely implicitly on GCP's encryption, which was not a strong enough guarantee.

- During the time that OCCRP used GKE, they manually encrypted all volumes and disks inside the cluster and took care of handling the keys for these volumes. If they wanted to move data between environments (for example, on-prem to cloud, or between clusters), everything had to be done manually: the keys moved over, the encrypted volumes mounted, etc.
Lack of isolation against cloud infrastructure

- With Google Kubernetes Engine, the control plane is managed by GCP admins and OCCRP's cloud deployment could not be fully isolated from the infrastructure.

- Access to the control plane also enables full control over worker nodes via kubelet. This would even hold true if the worker nodes run on confidential virtual machines (CVMs).
Limited attestation

- GKE does not provide a way to attest that the entire cluster consists only of confidential nodes and that this state is enforced during the lifetime of that cluster.

- If OCCRP would have decided not to use GKE and instead implemented vanilla Kubernetes on GCP, they would have needed to manually set up a cluster with Confidential VMs, bootstrap the Kubernetes, maintain that cluster manually, and verify every node individually using remote attestation. A daunting task.

Before migrating to Constellation, OCCRP engineers were willing to take on the heavy lift to secure their Kubernetes installation, but the process was intensive and time consuming. With Constellation, this would no longer be necessary.

Solution

Understanding the overhead that their security needs put on them, OCCRP engineers sought out a dedicated solution. This search led them directly to Constellation and to the uplifting discovery that it fulfilled all their technical requirements.

OCCRP engineers used the open-source version of Constellation to quickly spin up a Kubernetes environment on GCP.

Because they were able to use their existing infrastructure provider and due to how seamlessly Constellation integrated with the GCP offerings, the migration of their sensitive data came with minimal downtime or disruption for users.

Once they were set up with Constellation, OCCRP engineers immediately experienced three concrete benefits:

Ease of use and always-on encryption

- With Constellation, OCCRP easily manages encryption at rest and key management.

- The platform automatically encrypts volumes within the cluster, replacing and automating the process that OCCRP had to do manually with GKE.

- When requesting storage through the Kubernetes Container Storage Interface (CSI), Constellation provides workloads with pre-encrypted volumes, taking care of the key management. OCCRP only needs to deploy their applications, and the rest is automatic.

- Data can still be decrypted and utilized in other environments, such as on-prem or different clusters, using the same "master-key" and the key derivation functions for the relevant volumes.
Isolation against cloud infrastructure

- With Constellation, the CSP (GCP in this case) can be taken out of the loop. In contrast to GKE, Constellation’s control plane is also isolated and protected as part of the confidential cluster.

- Constellation prevents any entity with access to the underlying infrastructure either directly or by compromise, for example a cloud admin, from accessing the cluster and the data contained inside.

- Network traffic is also shielded. Constellation transparently encrypts network connections between nodes, so the infrastructure and GCP don’t need to be trusted to protect the wire.
All these security benefits are verifiable

- Constellation enables OCCRP to verify the confidentiality and integrity of the entire cluster, as well as the deployed workloads and processed data/storage. This functionality is provided with a user-friendly interface that integrates seamlessly with Day-2 operations. As a result, OCCRP can securely upgrade, backup, and migrate their clusters with ease.

- Constellation offers a comprehensive supply chain security model that includes the distribution of signed and reproducible attestation evidence and all components of Constellation. This ensures that any compromise in the supply chain, even within Edgeless Systems, could be detected and verified down to the source code changes.

- This functionality is crucial for OCCRP, as they deal with sensitive information and highly vulnerable individuals such as whistleblowers. The level of trust provided by this security model is essential in mitigating the risks associated with their work.

Thus, after the migration, not only was the data now secure but Constellation’s auto-updating and autoscaling features ensured that no matter the amount of new data added, Constellation would continue making it virtually impossible for hackers or other malicious actors to access it.

Result

After six months of using Constellation on GCP, OCCRP can deem the migration a success. No unauthorized data was accessed or hacked and OCCRP engineers continued to use the cloud provider they were accustomed to.

Constellation’s ease of use meant that developers at OCCRP could continue focusing on the other technical tools that augment their journalists’ work, and the organization could rest assured that the most valuable information, what they fight so hard to protect, remains safe for use by international journalists now and into the future.

“

Constellation provides us with the tools we need to meet the organization's goals around reducing risk of harm to our journalists. We have been running Constellation in production for several months now and are still impressed by its ease of use. Our only regret was not finding it earlier.

Amran Anjum, Head of Infrastructure at OCCRP

OCCRP migrates from GKE to Constellation for end-to-end confidentiality

Challenge

Solution

Result

Download the full case study