
How to build a zero-trust security architecture through IAM

2025-01-16 Update. From: SLTechnology News&Howtos (shulou)


Shulou (Shulou.com) 06/01 Report

This article explains how to build a zero-trust security architecture with IAM. The editor found it practical and is sharing it in the hope that readers take something useful away from it.

With the arrival of the Internet of Everything, enterprises face a worsening network-security situation and increasingly complex development and production environments (microservices, container orchestration, cloud computing). Enterprise IT urgently needs a new kind of identity and access-control solution: one in which no caller is trusted because of its network location or a long-lived shared secret, but must present a verifiable, short-lived credential for each access.

To meet this need and serve enterprise users better, QingCloud has launched an IAM service. With it, users can centrally manage and control the authentication and authorization of every accessing entity, and control access rights to any resource under their account more securely.

What is IAM?

IAM unifies the permission model across the cloud platform. Instead of handing out a long-lived Access Key, it issues a temporary token, valid only for a limited period, as the visitor's identity credential; the token is issued and verified with asymmetric cryptography, so a party that verifies a credential never needs the key that issued it. The holder of an identity can be any entity able to obtain such a token: a person, a device or an application.

When a user needs to grant others or applications access to their resources, they configure permissions and identity carriers at whatever granularity is required; no access key is ever shared. This gives unified control over every accessing entity, greatly reduces the risk of access-key leakage, and improves the security of customer data on the platform.

Functions and features of IAM

1. Unified management of access control

QingCloud IAM centrally manages the operation APIs of every module of the cloud platform and defines the relationships between services and resources.

A user composes a policy from a set of operation permissions and assigns it to other identities, which gives unified access control over the services and resources under that user's account.

2. Ensure the security of access

Access credentials use the RSA asymmetric algorithm, so the key that issues credentials never has to be shared with the parties that verify them.

Users can set and adjust the expiration time of the credential token, so an identity credential expires automatically after the chosen period. A leaked token is therefore only useful until it expires, and the verifier, not the holder, must enforce that expiry: every API endpoint that accepts a token has to reject one whose validity period has passed.
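The following Go program is an added example, not QingCloud's code: it shows the issue-and-verify cycle of an RSA-signed temporary credential with a user-chosen TTL, as described above. The claim fields, the `claims.signature` encoding, RSA-PSS over SHA-256 and the 2048-bit key size are all assumptions made for illustration, not the platform's real token format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload of a hypothetical temporary credential; the field set
// is an assumption for this example, not QingCloud's real token format.
type Claims struct {
	Subject   string `json:"sub"` // identity the credential was issued to
	Policy    string `json:"pol"` // policy bound to the credential
	IssuedAt  int64  `json:"iat"` // unix seconds
	ExpiresAt int64  `json:"exp"` // unix seconds; the user-chosen TTL ends here
}

// NewSigningKey creates the issuer's RSA key pair (2048-bit, for this example).
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Issue signs the claims with the issuer's private key (RSA-PSS over SHA-256)
// and returns "<base64url(claims)>.<base64url(signature)>".
func Issue(priv *rsa.PrivateKey, sub, policy string, now time.Time, ttl time.Duration) (string, error) {
	c := Claims{Subject: sub, Policy: policy, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()}
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig), nil
}

var (
	ErrMalformed = errors.New("malformed token")
	ErrSignature = errors.New("bad signature")
	ErrExpired   = errors.New("token expired")
)

// Verify needs only the public key, so a service that checks credentials never
// holds the issuing key. The signature is checked before any claim is trusted.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrMalformed
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	digest := sha256.Sum256(body)
	if rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) != nil {
		return nil, ErrSignature
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, ErrMalformed
	}
	// Expiry is enforced by the verifier, not the holder: a leaked token is
	// useless once its TTL has passed.
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := Issue(priv, "app-on-cvm-01", "cvm-readonly", now, 15*time.Minute)
	if c, err := Verify(&priv.PublicKey, tok, now); err == nil {
		fmt.Printf("valid credential for %s with policy %s\n", c.Subject, c.Policy)
	}
	_, err = Verify(&priv.PublicKey, tok, now.Add(16*time.Minute))
	fmt.Println("after the TTL:", err)
}
```

The order inside `Verify` matters: the signature is checked before the claims are parsed, so an attacker who edits the `exp` or `pol` field of a captured token gets a signature error rather than a more informative expiry or policy result.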

3. Policy simulation

The evaluator can simulate the outcome of policy evaluation for any composite policy, given a specified API and resource scope. This catches combinations of complex policy permissions that deviate from what the administrator intended before they take effect.

4. Visual management

When creating a policy, users can switch seamlessly between the visual and programming modes, compare the two and generate an accurate permission profile, which greatly improves the permission-customization experience for mid-sized and large enterprise customers.

Users can also version their policies and compare versions visually, so small changes between policy versions are visible at a glance; this makes day-to-day operation smoother and more convenient.

5. Fine-grained control

Access policies are created at the granularity of individual cloud-service APIs, with both allow and deny effects; multiple services and effects can be stacked in any combination, and developer mode can be switched on at any time to use wildcards for services and APIs. Whenever allow and deny statements can be stacked, use the policy simulator to check how a deny in one policy interacts with an allow in another before relying on it as a guard rail.
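The Go program below is an added example, not QingCloud's code or policy grammar: it implements the kind of policy simulator described under point 3 above over the allow/deny, stacked, wildcard policies of point 5. The statement shape (effect, `service:API` action patterns, resource patterns), the `*` wildcard syntax, the rule that an explicit deny overrides any allow, and the sample policies in `main` are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is one entry of a hypothetical policy document. The shape is an
// assumption made for this example, not QingCloud's real policy grammar.
type Statement struct {
	Effect    string   // "allow" or "deny"
	Actions   []string // "service:API" patterns; '*' wildcard as in developer mode
	Resources []string // resource ID patterns; '*' wildcard
}

// Policy is a composite of statements; several policies can be stacked on one identity.
type Policy struct {
	Name       string
	Statements []Statement
}

const (
	Allow        = "allow"
	Deny         = "deny"          // explicit deny wins over any allow (assumed rule)
	ImplicitDeny = "implicit-deny" // no statement matched: denied by default
)

// match is a '*'-only glob matcher anchored at both ends.
func match(pattern, value string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == value
	}
	if !strings.HasPrefix(value, parts[0]) {
		return false
	}
	value = value[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(value, mid)
		if i < 0 {
			return false
		}
		value = value[i+len(mid):]
	}
	return strings.HasSuffix(value, parts[len(parts)-1])
}

func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if match(p, value) {
			return true
		}
	}
	return false
}

// Evaluate simulates one API call against all stacked policies: an explicit
// deny overrides every allow, and no matching statement means implicit deny.
func Evaluate(policies []Policy, action, resource string) string {
	decision := ImplicitDeny
	for _, p := range policies {
		for _, s := range p.Statements {
			if !anyMatch(s.Actions, action) || !anyMatch(s.Resources, resource) {
				continue
			}
			if s.Effect == Deny {
				return Deny
			}
			decision = Allow
		}
	}
	return decision
}

func main() {
	// Constructed sample: a broad operator policy plus a guard-rail deny.
	ops := Policy{Name: "cvm-operator", Statements: []Statement{
		{Effect: Allow, Actions: []string{"cvm:*"}, Resources: []string{"*"}}}}
	guard := Policy{Name: "no-prod-terminate", Statements: []Statement{
		{Effect: Deny, Actions: []string{"cvm:TerminateInstances"}, Resources: []string{"i-prod-*"}}}}
	set := []Policy{ops, guard}
	for _, c := range [][2]string{{"cvm:RunInstances", "i-prod-01"},
		{"cvm:TerminateInstances", "i-prod-01"}, {"cvm:TerminateInstances", "i-dev-01"},
		{"iam:CreateAccessKey", "*"}} {
		fmt.Printf("%-24s %-10s -> %s\n", c[0], c[1], Evaluate(set, c[0], c[1]))
	}
}
```

Running the simulation before attaching the policies shows the three outcomes a reviewer needs to distinguish: the wildcard allow covers `cvm:RunInstances`, the guard rail's deny overrides it for production hosts only, and an API no statement mentions at all falls through to the implicit deny.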

6. Carefully designed permission classification

QingCloud describes itself as the first in the industry to classify the API operations of every managed service as read-only, maintenance or sensitive, rather than simply readable or writable. The classification helps when allocating and designing administrative permissions, and makes authorization targets clearer, more deliberate and more secure.

7. Rich trust carriers

Users can grant access to hosts, accounts and sub-accounts.

IAM best practices: fine-grained permission management and multi-person, cross-account collaboration

When a business starts out, its security requirements for cloud resources are low, and operating every resource with a single Access Key is acceptable. As the business grows into a large company, its organizational structure becomes more complex and several project teams may share cloud resources at the same time.

At that point you need to authorize several people to help manage resources, handle billing and perform other operations. Previously the only options were to hand your account password to others directly, or to group resources into projects and share them; neither guarantees the security management of cloud resources.

With IAM, a user can assign a subset of the operation permissions in their account to different identities and hand those identities to others, without having to regroup resources or accept an unreasonable permission allocation. For example, the user can allow sub-account A, by assuming the identity assigned to it, full access to the elastic CVM service in the user's account (creating, starting, stopping or destroying hosts, and so on), while allowing another QingCloud account B, by assuming its own assigned identity, to view only the information of one specific host.

Managing application access to shared cloud resources / key-free application development

When a user develops an application on the QingCloud public cloud and the application needs to call cloud-resource APIs or the CLI, the user has traditionally had to put the account's API key into the application's configuration to connect, and that configuration item may be leaked accidentally.

IAM lets the user grant the application access to cloud resources, so it can manage and use resources in the account without the user sharing an account password or API Access Key.

For example, by configuring an IAM identity for a QingCloud CVM, an application running on that CVM can obtain its identity credential through the official QingCloud SDK and then call the QingCloud API/CLI to access cloud resources, with no key stored in the application. Give such an instance identity only the policy the application actually needs: any process on the host can obtain the same credential, so the identity's permissions are effectively the host's permissions.

The above is how to build a zero-trust security architecture with IAM. The editor believes some of these points will come up in daily work and hopes readers have learned something from this article. For more details, please follow the industry information channel.
