When it comes to security, your cloud vendor can’t handle it alone. You’ll need to secure yourself and your organization in the cloud. Usually, security configurations are an afterthought until something goes wrong.
The task of giving hundreds of people the right security configurations sounds daunting. Luckily, your cloud vendor provides you with a way to manage security efficiently with an identity and access management (IAM) system. In this post, I’ll give a brief overview of what an IAM system is and how to use it to manage many users.
What Is Identity and Access Management
An identity and access management system is a service provided by the cloud vendor for you to manage the accounts in your organization. It enables you to set granular permissions for users. Password rules, password rotation, and multi-factor authentication are usually provided as well.
Apply the Concept of Least Privilege
The idea behind least privilege is to provide the minimum access necessary for someone to complete their tasks. For example, someone in finance doesn’t need access to development-specific services. However, they would need access to billing and cost.
Manage Permissions as a Group
To make managing a large number of users easier, you can create a group and then add anyone who needs those permissions to it. The group has predefined permissions associated with it, and anyone in the group inherits those permissions by default. How can this be utilized, you might ask?
Let’s consider the example of someone in finance not needing access to development-specific services. They do need access to billing and cost. Some will need to read information while others need to read and update it. It would be a real pain to set each person up with the correct read and write permissions in this situation. An easy way would be to give each person in finance read and write permission, but that violates the least privilege principle. You could be giving someone brand new the ability to modify data, which is probably not something you want to do.
To address this you can create two groups: finance with read permission and finance with read and write permission. Now instead of setting permissions per person, you just put the person into one of the two groups. Managing permissions this way doesn’t seem like a big deal when there are a few users. However, when there are hundreds, this way of managing permissions really helps.
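To make the two-group approach concrete, here is a small vendor-neutral model of group-based permissions, written as an added example for this post rather than taken from any cloud provider’s IAM API. The group names (finance-read, finance-readwrite, developers), the permission strings such as billing:update, and the users are all constructed for illustration. A user’s effective permissions are the union of their groups’ permissions, and a small audit helper reports anyone whose access exceeds what their job actually requires.

```python
# Added example (not from the original post): a minimal, vendor-neutral model
# of group-based permission management with a least-privilege audit.
# Group names, permission names and users below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    permissions: frozenset  # e.g. {"billing:read", "billing:update"}


@dataclass
class IAM:
    groups: dict = field(default_factory=dict)        # group name -> Group
    memberships: dict = field(default_factory=dict)   # user -> set of group names

    def create_group(self, name, permissions):
        self.groups[name] = Group(name, frozenset(permissions))

    def add_user(self, user, group):
        if group not in self.groups:
            raise KeyError(f"unknown group: {group}")
        self.memberships.setdefault(user, set()).add(group)

    def remove_user(self, user, group):
        self.memberships.get(user, set()).discard(group)

    def move_user(self, user, old_group, new_group):
        # Changing someone's access is a group change, not a per-user edit.
        self.remove_user(user, old_group)
        self.add_user(user, new_group)

    def effective_permissions(self, user):
        # There are no per-user grants, so every grant is visible at the group level.
        perms = set()
        for g in self.memberships.get(user, ()):
            perms |= self.groups[g].permissions
        return frozenset(perms)

    def is_allowed(self, user, action):
        return action in self.effective_permissions(user)


def audit_over_privileged(iam, required):
    # required: user -> set of actions the user's job actually needs.
    # Returns the users whose effective permissions exceed that need,
    # mapped to the sorted list of excess permissions.
    report = {}
    for user, need in required.items():
        excess = iam.effective_permissions(user) - need
        if excess:
            report[user] = sorted(excess)
    return report


def build_example():
    # Constructed sample organisation: two finance groups (read vs. read+write)
    # and a developer group with no billing access at all.
    iam = IAM()
    iam.create_group("finance-read", {"billing:read", "cost:read"})
    iam.create_group("finance-readwrite",
                     {"billing:read", "cost:read", "billing:update", "cost:update"})
    iam.create_group("developers", {"compute:read", "compute:update"})
    iam.add_user("alice", "finance-readwrite")
    iam.add_user("bob", "finance-read")   # new hire: read only by default
    iam.add_user("carol", "developers")
    return iam


if __name__ == "__main__":
    iam = build_example()
    print("bob can update billing:", iam.is_allowed("bob", "billing:update"))
    needs = {"bob": {"billing:read", "cost:read"}}
    iam.move_user("bob", "finance-read", "finance-readwrite")
    print("over-privileged after move:", audit_over_privileged(iam, needs))
```

Running the audit against a list of what each person actually needs is the check that catches the “just give everyone read and write” shortcut: a new hire placed in the read/write group shows up immediately with the excess update permissions listed.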
To summarize, security is the responsibility of both the cloud vendor and you. The cloud vendor is responsible for the security of their services, and you’re responsible for the security of your applications in the cloud. To easily manage a large number of users, create a group, give the group the necessary permissions, and then add individuals to the group. Always apply the least privilege principle whenever possible to avoid giving more access than someone needs for their tasks.
I hope this post was helpful to you. If you found this post helpful, share it with others so they can benefit too.
To get in touch, follow me on Twitter, leave a comment, or send me an email at steven@brightdevelopers.com.