
How to access cloud-based operations?

Access control spans many different areas of security. This chapter covers object access, which includes not only users and groups of users but also machine-to-machine authorization, security at the network and storage levels, and the services running in the cloud. You will then learn about security as it applies to service models and more about the authentication process.

Accessing Cloud-Based Objects

A cloud object can be a file stored in a storage system, a virtual machine, a load balancer, or any other system running in the cloud. An object is an item that can be accessed and manipulated in the cloud. 

Controlling who can access objects, and what actions they are allowed to take on them, is a critical component of maintaining proper security in the cloud. In this section, you will learn about authorization and access to cloud-based objects.

The Authorization Process

When a user logs into a cloud-based management system, the first step is to identify who that individual is; this is the authentication process. Once the user has been identified (or authenticated, as it is commonly called), the second step is to grant them a set of authorizations that define which services and objects they are allowed to access and what they are allowed to do with them. Authorization extends beyond users to services, such as a server being granted access to a storage array or an application being authorized to read and write to a SQL database. By defining granular rules in the authorization process, effective security policies can be implemented in your cloud deployment.

Many cloud providers allow an online assessment of your authentication and authorization configurations. An automated script can be run that compares your configuration to industry best practices and generates a report that can be used to align your configurations with the recommendations. 

User Accounts

User accounts are created for each and every user who needs to gain access to the cloud objects and resources. A user account is usually associated with an individual person but could be expanded to include other objects such as servers or applications that need to authenticate with the system. The preferred practice to authorize users is to place them into groups, as we will discuss in the next section. However, depending on your needs and requirements, object rights can be assigned directly to each user in most cloud management systems.

Once the user is created, the administrator can assign rights and grant access to the user object, which will define the authorizations granted to the user.

User Groups

User groups are containers to which rights are assigned. They make management more effective and streamlined than managing a large number of individual user accounts. The approach is to create a group for each use case that is needed; for example, separate groups can be created for server, database, network, and storage administrators. Once the groups have been created, the rights required to access and manage the relevant objects are assigned to each group.

Users who need authorization to access or manage systems in the cloud are then placed into the appropriate group for that function. You manage the group, adding or removing users from it as required.

Compute System Access Control

Authorization can be granted for your computing systems in the cloud, meaning the virtual machines or the applications running on them. Each virtual machine can have a defined security policy that outlines who or what is authorized to access it, which can include users as well as other computers and applications. Many cloud providers offer security groups that allow or deny access to a compute system; these can be very granular, with access defined down to the application level. Groups, users, and objects can each be assigned different levels of authorization to access the systems.

Network-Based Access Control

Network-based access control enforces who can connect at the network layer rather than at the server or application level. Common examples include requiring a login to gain access to the network at all, and access control lists: security policies that either allow or deny traffic based on an IP address range or port number.

It is a common cloud security practice to use a layered approach: implement security at the network level for a broad definition of who may connect, and then define more granular authorization policies at the server, storage, and application layers for a complete security implementation.
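The group-based authorization model from the User Groups section and the layered network ACL check described just above, combined in one small working model. This is an added example written for this page, not any cloud provider's API or the chapter's own code; the group names, rights, ACL rules, IP ranges and sample requests are all constructed for illustration.

```python
# Added example: group-based authorization layered over a network ACL.
# All names, rights, networks and requests below are constructed, not real.
from ipaddress import ip_address, ip_network

# Groups are the containers rights are assigned to (object type, action).
GROUP_RIGHTS = {
    "server-admins":   {("vm", "start"), ("vm", "stop"), ("vm", "read")},
    "database-admins": {("sql-db", "read"), ("sql-db", "write")},
    "storage-admins":  {("bucket", "read"), ("bucket", "write")},
    "network-admins":  {("load-balancer", "read"), ("load-balancer", "write")},
}
# Users (and service accounts) are placed into groups rather than given rights directly.
USER_GROUPS = {
    "alice":   {"server-admins"},
    "bob":     {"database-admins", "storage-admins"},
    "svc-app": {"database-admins"},   # an application authorized like a user
}
# Network ACL: evaluated in order, first matching rule wins, unmatched traffic is denied.
NETWORK_ACL = [
    ("deny",  ip_network("10.0.99.0/24"), {22, 443}),
    ("allow", ip_network("10.0.0.0/16"),  {22, 443, 1433}),
]

def network_allows(src_ip, port):
    """Layer 1 (broad): may this source address reach this port at all?"""
    src = ip_address(src_ip)
    for action, net, ports in NETWORK_ACL:
        if src in net and port in ports:
            return action == "allow"
    return False  # implicit deny when no rule matches

def user_rights(user):
    """A user's effective rights are the union of the rights of every group it is in."""
    groups = USER_GROUPS.get(user, ())
    return set().union(*(GROUP_RIGHTS.get(g, set()) for g in groups))

def is_authorized(user, src_ip, port, obj_type, action):
    """Layered check: network ACL first, then granular object-level authorization."""
    if not network_allows(src_ip, port):
        return False
    return (obj_type, action) in user_rights(user)

if __name__ == "__main__":
    print(is_authorized("alice", "10.0.1.5", 22, "vm", "stop"))       # True
    print(is_authorized("alice", "10.0.1.5", 22, "sql-db", "write"))  # False: not in that group
    print(is_authorized("bob", "10.0.99.7", 443, "bucket", "read"))   # False: denied at network layer
```

Note that bob holds the storage-admins right to read the bucket, yet the request is still refused because the network layer rejected it first; the broad check gates the granular one.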

Conclusion

Security and encryption technologies can be complex topics. We suggest reading this chapter several times until the concepts are clear. The topic of security is prominent in the cloud community, and CompTIA has a strong emphasis on security on the exam. It is important to understand security, encryption, authentication, and authorization.
