Ten Factor Infrastructure
Identity Management

Centralised identity and access management with single sign on and role base access controlled policies and permissions.


Last updated 2 years ago


Access to modern infrastructure as a service and cloud platforms requires "Identity Management" to ensure:

  1. Systems are protected, both logically and physically, against unauthorised access.

  2. Ease of access.

  3. Ease of onboarding and offboarding users.

These can be fulfilled through:

  1. A one-stop station for change management, tracking and tracing.

  2. Centralised user management.

  3. Standard access control policies and permissions.

So far we have learnt about the 3 core factors Network, System and Storage which constitute the foundation of modern infrastructure. For secure and seamless access to this infrastructure you need:

Centralised Identity Provider (IDP)

A centralised identity provider (IDP) validates and authenticates user access. One such IDP is Gsuite, which is compatible with most cloud and SaaS providers. Check for IAM integration with Gsuite Gmail IDs.

With an IDP you can store your organisation's end user credentials in one central place which becomes the single source of truth for user identities.

Single Sign On (SSO)

The IDP must be enabled with Single Sign On (SSO) for ease of access, onboarding and off-boarding.

For example, with Gsuite as your IDP, all end users can log in to multiple apps using SSO. They need not remember different credentials for each site, so it is easy to onboard new users and just as easy to off-board them, since you only need to delete the account in one central place.

Role Based Access Control (RBAC)

There must be well defined policies and permissions for Role Based Access Control (RBAC) of the various infra resources:

  • Well defined IAM roles for the cloud console, API and services.

  • Service accounts with access to the console API are protected.

  • Mapping of IAM roles to email groups.

Here is an example RBAC policy for IAM on AWS:

Password Policy

Strong Password Policy for IAM accounts:

  • Access key and password rotation.

  • All accounts are checked daily for MFA enablement.

  • Multi factor is enabled on all console accounts.

  • Console root/super admin account is subscribed on a group email address (preferably a long term group like Ops) to avoid loss of control.
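The daily MFA and rotation check described above, as an added example that is not part of the original page: it parses rows in the column layout of an IAM credential report (a subset of the real columns; the report data here is constructed) and flags accounts that break the password policy. The age thresholds are assumptions, not values from the page.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (subset of columns).
# The root row uses "not_supported" for password fields, as the real report does.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,not_supported,false,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-03-01T12:00:00+00:00,true,true,2024-02-15T08:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,2024-03-01T12:00:00+00:00,false,true,2023-06-01T08:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,N/A,false,true,2024-03-20T08:00:00+00:00
"""


def parse_report(text):
    """Parse the CSV credential report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    """Report timestamps are ISO 8601; placeholders mean 'no timestamp'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_violations(rows, now, max_password_age_days=90, max_key_age_days=90):
    """Return (user, reason) pairs for accounts that break the password policy."""
    violations = []
    for row in rows:
        user = row["user"]
        # Root and every console (password-enabled) user must have MFA.
        has_console = user == "<root_account>" or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            violations.append((user, "no MFA"))
        changed = _parse_ts(row["password_last_changed"])
        if changed and now - changed > timedelta(days=max_password_age_days):
            violations.append((user, "password older than %d days" % max_password_age_days))
        rotated = _parse_ts(row["access_key_1_last_rotated"])
        key_active = row["access_key_1_active"] == "true"
        if key_active and rotated and now - rotated > timedelta(days=max_key_age_days):
            violations.append((user, "access key older than %d days" % max_key_age_days))
    return violations


def check_sample(now=datetime(2024, 4, 1, tzinfo=timezone.utc)):
    """Run the check over the constructed report at a fixed 'now'."""
    return find_violations(parse_report(SAMPLE_REPORT), now)


if __name__ == "__main__":
    for user, reason in check_sample():
        print("%s: %s" % (user, reason))
```

Service accounts with no console password (such as `ci-deploy`) are not flagged for MFA, only for stale access keys, which matches the policy of protecting key-only accounts through rotation.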

Access to the core infra, i.e. network, systems and storage, must be integrated with this centralised Identity Management setup, so there is a one-stop station for authenticating and authorising access.

Common misconfigurations to prevent:

  • Don’t use anonymous/generic credentials.

  • Reset all default system or software passwords.

  • Do not transmit credentials in plain text.

  • Do not store credentials on machines or in static files.

  • Do not share credentials such as VPN profiles, access tokens or the root account.

  • Do not keep temporary credentials longer than needed.

  • Do not communicate credentials through email, chat etc.

Summary

  • Centralised Identity Provider and secrets management.

  • SSO for ease of access, onboarding and off-boarding.

  • Logically segregated Role Based Access Controlled authorisation for systems.

  • Well defined policies and permissions for each role.
