
Identity Management (IAM) for compliance-ready infrastructure

IAM for Modern Infrastructure

Any online seller has one objective: to become the best-selling and fastest-selling business in its sector.

They can only achieve it through consistent and reliable delivery of quality products. But fault lines in infrastructure, commonly labelled "infra issues", often become bottlenecks in that delivery, and most of them can be addressed proactively.


When it comes to infrastructure issues, a reactive approach has been the norm. Although proactive measures can prevent most of them, they get ignored because they are considered non-functional or operational activities.

IAM that keeps modern infrastructure as a service (IaaS) compliant, with secure and seamless access, requires that:

  • Systems are protected, both logically and physically, against unauthorised access.

  • Systems are easy to access and operate.

  • Users can be on-boarded and off-boarded on demand.


These can be accomplished through proper implementation of the following “Identity and Access Management (IAM)” setup:

  • A one-stop station for change management, tracking and tracing.

  • Centralised user management.

  • Standard access control policies and permissions.

Identity and access control happens in two distinct stages: 


  1. Authentication 

  2. Authorisation


Step 1: Authentication

To authenticate into any system you need to validate your identity with the right credentials as shown in the table below:


Step 2: Authorisation

Once authenticated, the user must be authorised to access the systems they need, with the right permissions.

As your business grows, the number of identities will also increase, as more employees will need to access internal systems. There can be a variety of identities that need to be managed, such as internal users, external users, administrators, developers and so on.

I am not even starting with the number of service accounts that will come up, especially if you are implementing a zero-trust policy, which you must for security and compliance needs.

All these varieties of identity must be stored and managed in a centralised location with strict but easy authentication methods. This central store is referred to as an “Identity Provider.” Let's find out more about it.


Centralised Identity Provider (IDP):

A centralised identity provider (IDP) is essential to validate and authenticate user access. With an IDP you store your organisation's user identities in one central place, which becomes the single source of truth for user identities.


One such IDP is G-Suite, which is widely compatible with most cloud and SaaS providers. While on cloud, it's recommended to configure IAM integration with G-Suite Gmail IDs. Most cloud providers and SaaS platforms offer G-Suite integration. There are others like OAuth or the good old Active Directory and LDAP. Choose the IDP that suits your application and integrate it as per your identity requirements.


Single Sign On (SSO):

The centralised IDP must be enabled with Single Sign On (SSO) for ease of access, onboarding and off-boarding. When you enable SSO, end users need not enter their credentials each time they log in to a different system. SSO lets a single identity authenticate to different systems through federated authentication.


For example, with G-Suite as your IDP, all end users can log in to multiple apps using SSO. They need not remember different credentials for each site. So it's easy to onboard new users and also easy to off-board them, as you just need to delete the identity from one central place.


Role Based Access Control (RBAC):

There must be well-defined policies and permissions for role-based access control (RBAC) of the various infra resources, through:

  • Well-defined IAM roles for the cloud console, API and services.

  • Protected service accounts for any access to the console API.

  • Mapping of IAM roles to email groups.


Here is an example RBAC policy for IAM on AWS:


AWS IAM Roles & Policies
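As an added illustration of what a role-scoped policy looks like in practice (example code written for this article, not the policy in the figure above or any project's code), the following checks an AWS IAM policy document for the wildcard grants that RBAC is meant to eliminate. The two policies are constructed; `DEPLOYER_POLICY`, the bucket name and the read-only prefix list are assumptions for the example.

```python
import json

# Constructed example of a least-privilege policy for a "deployer" role (not the
# policy from the article's figure): read/write one artifact bucket, plus the
# read-only ec2:DescribeInstances call, which AWS does not scope per resource.
DEPLOYER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
})

# Constructed over-broad policy of the kind RBAC is meant to replace.
ADMIN_EVERYTHING = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Assumed set of API-name prefixes treated as read-only for this check.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def _as_list(value):
    # IAM allows a single string where a list is expected; normalise.
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return findings for Allow statements that are broader than a
    role-scoped policy should be. An empty list means the policy passed."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        if any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action over a whole service")
        # Resource '*' is tolerable for read-only calls; flag it for anything else.
        mutating = [a for a in actions
                    if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
        if "*" in resources and mutating:
            findings.append(f"statement {i}: Resource '*' on {', '.join(mutating)}")
    return findings
```

Running `lint_policy` over every role's policy in a review pipeline gives the "standard access control policies" bullet above a concrete, repeatable check.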


Password Policy:

A strong password policy for IAM accounts must be enabled:

  • Access keys and passwords are rotated.

  • All accounts are checked daily for MFA enrolment.

  • Multi-factor authentication is enabled on all console accounts.

  • The console root/super admin account is registered to a group email address (preferably a long-lived group like Ops) to avoid loss of control.
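The daily MFA and rotation checks above can be automated against an exported credential report. The following is an added example written for this article, not the author's tooling: the report is a constructed sample shaped like a subset of the AWS IAM credential report columns, the user names and dates are made up, and the 90-day limit is taken as the upper bound of the rotation window given later in this article.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample shaped like a subset of the columns of an AWS IAM credential
# report; the users and dates are made up for this example.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
alice,true,true,false,N/A
bob,true,false,true,2024-01-05T10:00:00+00:00
ci-deployer,false,false,true,2024-05-01T08:30:00+00:00
<root_account>,true,true,false,N/A
"""

KEY_MAX_AGE_DAYS = 90  # upper bound of the 45-90 day rotation window

def audit_credentials(report_csv, now=None):
    """Return (user, finding) pairs for accounts that break the policy above:
    console logins without MFA and active access keys past the rotation limit.
    `now` may be an ISO-8601 string or a datetime; it defaults to the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Every console (password) login, the root account included, needs MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        # Service accounts have no password, but their keys must still be fresh.
        if row["access_key_1_active"] == "true":
            age = (now - datetime.fromisoformat(row["access_key_1_last_rotated"])).days
            if age > KEY_MAX_AGE_DAYS:
                findings.append((user, f"access key not rotated for {age} days"))
    return findings

if __name__ == "__main__":
    # Intended to run from a daily job, as the checklist above requires.
    for user, finding in audit_credentials(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```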


Access to the core infra, i.e. network, systems and storage, must be integrated with this centralised identity management setup, so there is a one-stop station for authenticating and authorising access.


Some common misconfigurations that must be prevented: 

  • Don’t use anonymous/generic credentials.

  • Reset all default system or software passwords and rotate them periodically, at least every 45-90 days.

  • Do not transmit credentials in plain text.

  • Do not store credentials on machines or static files.

  • Do not share credentials such as VPN profiles, access tokens or the root account.

  • Do not keep temporary credentials longer than needed.

  • Do not communicate credentials through emails, chats etc.


To summarise Identity Management (IAM) for compliance-ready modern infrastructure:

  • Create role-based access control policies for accessing applications, cloud accounts, API endpoints and management systems.

  • A strong password policy with multi-factor authentication and periodic rotation is essential to mitigate security threats.

  • Likewise, a strong secret management system for cross-service communication with passwordless authentication will strengthen the security of the software.

If you like this article, I am sure you will find the 10-Factor Infrastructure even more useful. It compiles all these tried and tested methodologies, design patterns and best practices into a complete framework for building secure, scalable and resilient modern infrastructure.

Don’t let your best-selling product suffer because of an unstable, vulnerable and mutable infrastructure.

Thanks & Regards

Kamalika Majumder




©2024 by Staxa LLP. All Rights Reserved.
