@acidDrain
Created May 19, 2021 05:23
Topics for CSA KC Events

Cloud Security Alliance - Kansas City

Topics List - 2021

Contrasting On-Premise and Cloud Security Practices

Experienced engineers and organizations often share concerns over uncertainty, lack of control, visibility, and governance in cloud environments. Is it possible to, at a minimum, achieve parity with on-premise security use cases and capabilities? We want to explore security requirements, use cases, and solution architectures to illustrate that the same goals are achievable through novel approaches.

Topics

  • Architecture
  • Operations
  • Incident Response
  • Remote Access
  • Governance
  • Identity and Access Management
  • Meeting Compliance
  • Visibility

Deep Dive into the "Cloud Operating Model"

Immutable Infrastructure

Mature organizations and engineers operating in cloud environments practice immutable infrastructure: deploying a new, fresh version of systems and applications alongside the current environment, then tearing the existing environment down completely rather than patching it in place. A beneficial side-effect appears to be mitigating advanced persistent threats, since any foothold an attacker has on a system is discarded along with that system when it is replaced.

Identity And Authentication / Authorization (Auth[n|z])

Identity applies to workloads, applications, as well as users. What does "identity as the new perimeter" mean? We have practical examples that we will share to solidify and visualize the approach.

Zero Trust

Far from a buzz term, zero trust is a new approach to security that has emerged from experience and lessons of security missteps and blind spots of the past. My first introduction to the concept was Google's BeyondCorp initiative/approach a few years ago. We want to show and tell robust security architectures and solutions based entirely on open source and cloud provider services to tune out the marketing hype and demonstrate real-world examples and implementations.

Simplifying Policy Management via Attribute-Based Access Control (ABAC)

You may be practicing Role-Based Access Control (RBAC), but what is Attribute-Based Access Control (ABAC)? Can it help simplify Identity and Access Management?

RBAC

RBAC approaches security and least-privilege access by defining the specific resources and permissions required to fulfill a given job role.

While RBAC is the mainstream and widely adopted approach to IAM today, it isn't easy to scale the management of roles, policies, and resources that the model uses. When the business adds new resources that a team needs, the user won't have access until an admin updates the policies for their role. Or, when team members move to different parts of the organization, an admin may need to update several policies to remove access to some set of resources while granting access to others.

This can be tough to get right - we've all seen the permissions sprawl across identities and groups/roles. How often are identity teams/companies removing permissions once they're no longer needed?

ABAC

ABAC relies on the attributes of the user and the resources they're trying to access. These are commonly implemented as tags or labels in cloud environments. For example, if user Elliot working on the team F-Society wants to access files stored in his team's S3 bucket, a simple policy applied at the resource level restricts access granularly based on attributes present (or not) on Elliot and the S3 bucket.

And when the F-Society team expands to work on blockchain-related projects, the same policy, again applied at the resource level, still works. When Elliot moves off the F-Society team, he loses access automatically because he no longer has the associated attributes. We'll discuss and demo approaches to passing attributes with a user identity from Active Directory or through federation via SAML or OAuth2/OpenID Connect.
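To make the tag-matching idea concrete, here is a small evaluator for an ABAC-style resource policy, added as an illustration and not part of the gist or of any cloud provider's policy engine. The policy and the principal/resource tags are constructed sample data; the condition syntax mirrors the IAM pattern of comparing a resource tag against a `${aws:PrincipalTag/...}` variable.

```python
"""Toy evaluator for a tag-matching ABAC policy (constructed example)."""
import re

# Constructed resource-level policy: allow S3 reads only when the bucket's
# "team" tag equals the caller's "team" tag. No team names are hard-coded,
# which is why the same policy keeps working as teams and buckets change.
POLICY = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Condition": {
        "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
    },
}

_PRINCIPAL_TAG_REF = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/<key>} references with the caller's tags.

    A principal that lacks the referenced tag resolves to the empty string,
    which can never match a real tag value (deny by default).
    """
    return _PRINCIPAL_TAG_REF.sub(
        lambda m: principal_tags.get(m.group(1), ""), value
    )


def is_allowed(policy, action, principal_tags, resource_tags):
    """Return True only if the action is listed and every condition holds."""
    if policy["Effect"] != "Allow" or action not in policy["Action"]:
        return False
    for key, expected in policy["Condition"]["StringEquals"].items():
        tag_name = key.split("aws:ResourceTag/", 1)[1]
        actual = resource_tags.get(tag_name)       # None if bucket is untagged
        wanted = resolve(expected, principal_tags)  # "" if caller is untagged
        if actual is None or wanted == "" or actual != wanted:
            return False
    return True


if __name__ == "__main__":
    elliot = {"team": "F-Society"}
    fsoc_bucket = {"team": "F-Society"}
    print(is_allowed(POLICY, "s3:GetObject", elliot, fsoc_bucket))  # True
```

Running the scenarios from the text (a new bucket tagged for the same team, Elliot moving to another team, an untagged caller or bucket) shows access following the attributes without any policy edit.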
