

Cloud Security Series #2

Access Control

In the previous post we defined steps to implement a bullet-proof Cloud Infrastructure Security Posture. Now it’s time to dive deep into every topic, and let’s start with 🔐 Access Control.

❓ How would you approach the implementation of the following controls?
– Establish Centralized Infrastructure Access (User Directory, SSO);
– Implement Role-Based / Permission-based Access Control;
– Leverage Principle of Least Privilege when establishing and authorizing access.

💪 Here is how, in just five (5) simple steps:

  1. Connect your identity provider (e.g. Google Workspace, Office 365, etc.) to your Cloud Provider.
  2. Grant cloud infrastructure access on a group basis; never grant access to individuals. This helps define and maintain access permissions based on roles or job functions.
  3. Take time to write access policies, so you know exactly which resources and services you’re granting access to. Do not use access policies pre-provisioned by your cloud provider. I know it’s painful, but you will see that – once created – those policies will rarely change, so it is not a waste of time.
  4. Never specify broad permissions in the access policies. Wildcards are a Big NO.
  5. Establish a channel (the Support Ticketing system) for people to request more permissions as needed. Make sure all changes go through the ticket, and the ticket goes through all necessary approvals. Never honor verbal, IM’d, or emailed requests.
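Steps 3 and 4 are the ones that get skipped under time pressure, so it helps to have a check that runs in CI against every policy in the repository. The following is an added example, not code from the original post: a small linter for AWS IAM-style policy documents that flags the broad grants step 4 warns against (wildcard actions, a bare `*` resource, and `NotAction`/`NotResource`, which invert the allow list). The two policies are constructed for illustration; the bucket name and statement IDs are assumptions, not values from the post.

```python
import json
from typing import Any

# Constructed example: the kind of policy step 4 warns against.
# Every statement below is reported by the linter.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    ],
})

# Constructed example: the same business need written out explicitly
# (step 3) - named actions on a named bucket path, nothing more.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UploadsReadWrite",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/uploads/*",
        },
    ],
})


def _as_list(value: Any) -> list:
    """IAM accepts a single string wherever a list is allowed; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_json: str) -> list[str]:
    """Return one finding per broad grant in the Allow statements of a policy.

    Flags:
      - any Action containing '*' ('*', 'service:*', 'service:Prefix*')
      - a Resource of exactly '*'
      - NotAction / NotResource, which allow everything except the listed items
    Deny statements are skipped: wildcards there only narrow access.
    """
    policy = json.loads(policy_json)
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: resource '*' grants access to every resource")
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{sid}: {key} inverts the allow list and acts as a wildcard")
    return findings


def policy_is_scoped(policy_json: str) -> bool:
    """True when the policy has no broad grants; suitable as a CI gate."""
    return not find_broad_grants(policy_json)


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {'OK' if policy_is_scoped(doc) else 'REJECT'}")
        for finding in find_broad_grants(doc):
            print("  -", finding)
```

One caveat a reviewer should expect: some read-only actions (for example many `Describe*`/`List*` calls) do not support resource-level permissions, so `"Resource": "*"` is unavoidable for them. The linter still flags those statements; the point is that a human approves each one on its ticket (step 5) rather than the exception being silent.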

See anything missing or irrelevant?