Cloud access Controls#
Role-Based Access Control (RBAC)#
Example: In a company, an employee named Alice is assigned the role of “Accountant.” Because of her role, she is allowed to access the financial records but not the personnel files.
Attribute-Based Access Control (ABAC)#
Example: Bob can access the server only if he is connecting during work hours (9 AM to 5 PM) and from the office network.
Identity-Based Access Control (IBAC)#
Example: A user named Charlie has a unique username and password. The system allows access to certain files specifically because Charlie’s identity is recognized.
Mandatory Access Control (MAC)#
Example: In a military system, documents are classified as “Confidential,” “Secret,” or “Top Secret.” Only users with a matching or higher clearance level can access these documents.
Discretionary Access Control (DAC)#
Example: Dana owns a document and decides to give editing permissions to her colleague Evan but only read permissions to another colleague, Fiona.
Access Control Lists (ACLs)#
Example: A cloud storage folder has a list defining that user Greg can view files, Hannah can add files, and Ian can delete files.
Token-Based Access Control#
Example: Julia logs into her cloud service provider and receives a digital token. This token proves her identity and lets her access various services without logging in again.
Policy-Based Access Control (PBAC)#
Example: A policy states that only managers can approve expenses over $1,000. When Kevin, a manager, tries to approve a $1,200 expense, the system allows it based on the policy.
These access control mechanisms help manage who can see and use resources in a cloud environment, ensuring that sensitive information and systems are protected from unauthorized access.
PKI#
PKI, or Public Key Infrastructure, is a system designed to create, manage, distribute, use, store, and revoke digital certificates. It enables secure electronic transfer of information for a range of network activities such as e-commerce, internet banking, and confidential email.
A simple example of PKI in action is when you visit a secure website (one with HTTPS in the URL). The website presents a digital certificate to your browser, which contains a public key. This public key is used to establish a secure connection between your browser and the website. Behind the scenes, PKI is managing the creation, distribution, and verification of that digital certificate.
Network Security#
1. Segmentation and Micro-segmentation#
Think of a big office building divided into different departments (segments), like sales, development, and support. Each department has its own secure area (segmentation) to protect sensitive information. Now, imagine within those departments, individual teams have their own secure spaces (micro-segmentation). This is similar to how in cloud environments, different parts of a network are isolated to improve security. For example, your online shopping activities are kept separate from your email to prevent a security breach in one area from affecting another.
2. DNS and NTP Security#
DNS is like a phonebook for the internet that helps your computer find websites using easy-to-remember names (like google.com), while NTP keeps all the clocks in your devices set to the correct time. To keep these services safe, technologies like DNSSEC, DNS over TLS, and DNS over HTTPS make sure the “phonebook entries” haven’t been tampered with and that your device’s clock can’t be manipulated to disrupt security protocols.
3. Network Encryption: IPsec and SSL/TLS#
Imagine sending a letter with personal information. You wouldn’t want anyone but the recipient to read it, right? Encryption is like putting that letter in a safe that only you and the recipient have the combination to. IPsec and SSL/TLS are types of safes used on the internet to keep data secure as it travels between computers, ensuring that only the intended parties can access it.
4. Tunneling Technologies#
Think of a private tunnel built under a city that only authorized cars can use, keeping them separate from public traffic. In the digital world, tunneling technologies like VPNs work similarly, creating secure pathways over the internet to transmit data safely, away from prying eyes.
5. Network Security Services#
This includes tools like firewalls (which act like bouncers at a club, deciding who gets in and out), intrusion detection and prevention systems (like security cameras and guards that watch for and stop suspicious behavior), and packet brokers (which manage data traffic to ensure it’s being monitored correctly).
6. Network Hardening Tasks#
Imagine moving into a new house and changing the locks, adding security cameras, and ensuring the doors and windows are strong and secure. Network hardening is similar; it involves configuring network devices and services to eliminate as many security risks as possible, like updating software to fix vulnerabilities and closing unused ports to prevent unauthorized access.