Identity and Access Management (IAM) in a public cloud environment works much as it does in your own on-premises environment.
Some people are trying to access your resources, whether a website, a server or a database, and you need to grant and manage permissions for those users.
Identity and Access Management Concepts:
Some users access your resources directly, and some applications access your databases, so you need to manage their permissions; the same applies in the cloud.
In the cloud you have individual users or groups of users. You can grant permissions to an individual directly, or grant a bundle of permissions packaged as a role.
Where a group of users manages a specific piece of infrastructure, you can create a group and assign a role or a set of permissions to that group.
As members join or leave, you manage only the group membership; the roles and permissions associated with the group apply to whoever is in it at the time.
If some users need special provisioning, you can grant access to those users directly instead of through a group, and manage their permissions or roles individually.
Besides users and groups, an application that needs to access your cloud resources is given a service account, and you limit or grant its permissions by binding roles to that service account.
This is how Google Cloud Platform does it; AWS (IAM roles assumed by workloads) and Azure (managed identities and service principals) use a similar concept. The permissions an application holds on your Google Cloud resources are exactly those bound to its service account, so keep that binding as narrow as the application needs.
Identity and Access Management hierarchy:
If you look at the resource hierarchy, the top levels are the organization and its folders, with roles such as organization admin, organization viewer, folder admin and folder viewer. The organization resource is tied to your G Suite (now Google Workspace) or Cloud Identity account, which is where the users and groups themselves are created; the roles are granted in Cloud IAM.
Within Google Cloud Platform you then have the project creator and project owner (admin) roles, and below that resource-level roles for individual resources, for example someone creating a bucket in Cloud Storage, deploying to App Engine or managing Compute Engine resources.
Policies set at the organization level are inherited down the hierarchy to individual resources: the effective policy on a resource is the union of the policy on that resource and the policies of all of its parents. Because it is a union, a role granted at a parent cannot be taken away at a child, so a binding at the organization or folder level applies to every project and resource beneath it.
Authentication in Identity and Access Management (IAM):
Authentication is the process by which a user proves their identity in order to gain access to resources such as applications, systems and devices.
During authentication the user presents pre-registered credentials (a password, a key, a hardware token) to establish that identity.
Authorization in Identity and Access Management (IAM):
Authorization is the process that determines which resources an authenticated user is permitted to access.
Authorization is usually performed by checking the access request against a set of authorization policies, typically stored in a backend policy store.
Authentication establishes who the identity is; authorization then decides what that identity is allowed to do in the context of the particular system in question.
Authorization Access Control in IAM:
The authorization model can also provide complex access controls based on:
- Data and information policies, including user attributes
- User roles and group assignments
- Access channel (IP address, geolocation, and so on)
- Time of access
- Resources requested by the user (dynamic behavioural analysis)
- Externally sourced data (threat intelligence)
- Business rules.
Authentication Process in Identity and Access Management (IAM):
- Single Factor
- Multi-Factor
- Identity Management
- Authenticator Management
1. Single Factor in Identity and Access Management (IAM):
2. Multi-Factor in Identity and Access Management (IAM):
3. Identity Management in IAM:
4. Authenticator Management in Identity and Access Management (IAM):
Mandatory Access Control (MAC) in IAM:
In MAC, access rights are assigned according to policies and restrictions enforced by a designated central authority.
MAC restricts the power of individual resource owners to grant or deny other users access to objects in the system.
It is usually employed in the military and government domains.
MAC typically assigns a classification label to each file system object, such as "Confidential", "Secret" and "Top Secret".
Each user or device is allotted a corresponding clearance level, and access is decided by comparing the subject's clearance with the object's classification.
MAC is a highly restrictive form of access control, because neither the owner of an object nor the user accessing it can change the labels that decide the outcome.
Key consideration: in the MAC pattern, individual resource owners are not allowed to make their own assignments of access permissions to other users and entities.
Discretionary Access Control (DAC):
A Discretionary Access Control (DAC) policy allocates access rights on the basis of rules specified by users, typically the information owners.
The fundamental concept behind DAC is that the owner of a file or object governs access to it and can grant or revoke that access for other users at their own discretion.
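The two models side by side, as an added example (not code from the original page): the MAC half applies the classic Bell-LaPadula confidentiality rules, no read up and no write down, over the labels named in the text, and the DAC half lets an object's owner grant and revoke access. The users, objects, labels and clearances are constructed for illustration.

```python
"""Mandatory vs discretionary access control, side by side (added example)."""
from typing import Dict, Set

# Ordered classification levels; higher number = more sensitive.
LEVELS: Dict[str, int] = {"Unclassified": 0, "Confidential": 1,
                          "Secret": 2, "Top Secret": 3}

# --- MAC: labels and clearances are set by a central authority (constructed).
OBJECT_LABEL: Dict[str, str] = {"plan.doc": "Secret", "memo.txt": "Confidential"}
CLEARANCE: Dict[str, str] = {"carol": "Top Secret", "dave": "Confidential"}


def mac_allows(user: str, obj: str, action: str) -> bool:
    """Bell-LaPadula: read only at or below your clearance (no read up),
    write only at or above it (no write down, which would leak data)."""
    subject = LEVELS[CLEARANCE[user]]
    object_level = LEVELS[OBJECT_LABEL[obj]]
    if action == "read":
        return subject >= object_level
    if action == "write":
        return subject <= object_level
    raise ValueError(f"unknown action {action!r}")


# --- DAC: the owner manages the object's ACL at their discretion.
class DacObject:
    def __init__(self, owner: str) -> None:
        self.owner = owner
        # The owner starts with every right, including the right to delegate.
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "grant"}}

    def _require_grant(self, by: str) -> None:
        if "grant" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} may not change access on this object")

    def grant(self, by: str, to: str, action: str) -> None:
        self._require_grant(by)
        self.acl.setdefault(to, set()).add(action)

    def revoke(self, by: str, to: str, action: str) -> None:
        self._require_grant(by)
        self.acl.get(to, set()).discard(action)

    def allows(self, user: str, action: str) -> bool:
        return action in self.acl.get(user, set())


def demo() -> Dict[str, bool]:
    """Run both models over constructed requests and return the decisions."""
    results = {
        # MAC: clearance decides; nobody can "grant" dave a read of plan.doc.
        "carol_reads_secret": mac_allows("carol", "plan.doc", "read"),      # True
        "dave_reads_secret": mac_allows("dave", "plan.doc", "read"),        # False, read up
        "carol_writes_confidential": mac_allows("carol", "memo.txt", "write"),  # False, write down
        "dave_writes_secret": mac_allows("dave", "plan.doc", "write"),      # True, write up
    }
    # DAC: carol owns a document and decides who else may read it.
    doc = DacObject("carol")
    results["eve_before_grant"] = doc.allows("eve", "read")                 # False
    doc.grant("carol", "eve", "read")
    results["eve_after_grant"] = doc.allows("eve", "read")                  # True
    try:
        doc.grant("eve", "frank", "read")   # eve has read but not grant
        results["eve_can_delegate"] = True
    except PermissionError:
        results["eve_can_delegate"] = False                                 # False
    doc.revoke("carol", "eve", "read")
    results["eve_after_revoke"] = doc.allows("eve", "read")                 # False
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

The point the text makes in its key consideration shows up in the code: `DacObject` has `grant`, and `mac_allows` has no equivalent. Under MAC the only way for dave to read `plan.doc` is for the central authority to raise his clearance or lower the object's label.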
Role-Based Access Control (RBAC):
Role-Based Access Control (RBAC) grants access on the basis of a user's current role within the enterprise.
Permissions are mapped to specific enterprise roles rather than to individuals, so whenever an employee changes role, the corresponding access permissions change with it.
Rule-Based Access Control (RuBAC):
Rule-Based Access Control (RuBAC) is a strategy for managing user access across multiple systems on the basis of dynamically evaluated rules.
RuBAC is also referred to as automated provisioning. With RuBAC, once a request for a network resource is received, a security control verifies the properties of the request (who is asking, from where, at what time) against a set of pre-defined rules before granting access.
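The authorization factors listed earlier (role, access channel, geolocation, time of access) and the RBAC and RuBAC models above combined in one decision function, as an added example that is not code from the original page: the user's current role is mapped to permissions (RBAC), and sensitive permissions are then gated by rules evaluated against the request context (RuBAC). The roles, users, corporate networks, countries, business hours and requests are all constructed for illustration.

```python
"""Role-based permissions plus rule-based request conditions (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# Constructed role -> permission map (RBAC). Permissions follow the role.
ROLES: Dict[str, Set[str]] = {
    "analyst": {"report:read", "report:export"},
    "contractor": {"report:read"},
}
USER_ROLE: Dict[str, str] = {"bob": "analyst"}

# Constructed environment for the rules (RuBAC).
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_COUNTRIES = {"GB", "DE"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class Request:
    user: str
    permission: str
    source_ip: str   # access channel
    country: str     # geolocation, e.g. from a GeoIP lookup
    at: datetime     # time of access


Rule = Callable[[Request], bool]


def on_corporate_network(r: Request) -> bool:
    ip = ipaddress.ip_address(r.source_ip)
    return any(ip in net for net in CORP_NETWORKS)


def from_allowed_country(r: Request) -> bool:
    return r.country in ALLOWED_COUNTRIES


def within_business_hours(r: Request) -> bool:
    start, end = BUSINESS_HOURS
    return start <= r.at.time() < end


# Rules that gate a permission; a permission with no entry has no extra condition.
RULES: Dict[str, List[Rule]] = {
    "report:export": [on_corporate_network, from_allowed_country, within_business_hours],
}


def authorize(r: Request) -> Tuple[bool, str]:
    """Deny by default: unknown user, missing permission or any failed rule denies."""
    role = USER_ROLE.get(r.user)
    if role is None:
        return False, "unknown user"
    if r.permission not in ROLES.get(role, set()):
        return False, f"role {role} lacks {r.permission}"
    for rule in RULES.get(r.permission, []):
        if not rule(r):
            return False, f"rule failed: {rule.__name__}"
    return True, "allowed"


def change_role(user: str, role: str) -> None:
    """RBAC: reassigning the role is the only change needed; permissions follow."""
    USER_ROLE[user] = role


def demo() -> Dict[str, bool]:
    USER_ROLE["bob"] = "analyst"
    office_hours = datetime(2024, 3, 5, 10, 30)
    late_night = datetime(2024, 3, 5, 23, 0)
    results = {
        "export_from_office": authorize(Request("bob", "report:export", "10.1.2.3", "GB", office_hours))[0],      # True
        "export_from_outside": authorize(Request("bob", "report:export", "203.0.113.9", "GB", office_hours))[0],  # False, IP rule
        "export_at_night": authorize(Request("bob", "report:export", "10.1.2.3", "GB", late_night))[0],           # False, time rule
        "read_from_anywhere": authorize(Request("bob", "report:read", "203.0.113.9", "US", late_night))[0],       # True, no rules on read
    }
    change_role("bob", "contractor")   # bob moves to a role without export
    results["export_after_role_change"] = authorize(
        Request("bob", "report:export", "10.1.2.3", "GB", office_hours))[0]                                       # False
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26s} {decision}")
```

The rules are plain predicates on the request, so adding a new factor from the list above (a threat-intelligence lookup on the source IP, for example) is a matter of appending another function to `RULES` for the permissions it should gate; the deny-by-default loop in `authorize` does not change.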
Example of Identity and Access Management:
For example, if you create a group or a user with the project viewer role, its members can read resources but cannot create a Compute Engine instance; you can then add a binding that grants that permission, or remove it again to revoke it.
That is how you restrict and grant access to users, groups and applications in Google Cloud Platform using Identity and Access Management.
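A worked model of the resource hierarchy section and of this closing Compute Engine example, added here as an illustration. This is not code from the original page or from Google Cloud: the role-to-permission table is a constructed subset of the real predefined roles (`roles/viewer`, `roles/compute.instanceAdmin.v1`, `roles/storage.objectViewer`), and the organization, folder, project, bucket, group and service account names are assumptions. It shows the union rule, that a folder-level grant reaches everything beneath it, that a project-level grant can be added and removed, and that a service account bound on a single bucket gets nothing elsewhere.

```python
"""Effective Cloud IAM allow-policy resolution over a resource hierarchy (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed subset of predefined roles -> permissions (illustrative only).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {"compute.instances.get", "compute.instances.list",
                     "storage.buckets.get", "storage.objects.get"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get", "compute.instances.list",
                                       "compute.instances.create", "compute.instances.delete"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}

# Group membership lives in the identity provider (Cloud Identity / Workspace).
GROUPS: Dict[str, Set[str]] = {
    "group:sre-team@example.com": {"user:alice@example.com"},
}


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)  # role -> members

    def bind(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

    def unbind(self, role: str, member: str) -> None:
        self.bindings.get(role, set()).discard(member)


def principals_for(member: str) -> Set[str]:
    """The member itself plus every group it belongs to."""
    return {member} | {g for g, members in GROUPS.items() if member in members}


def effective_roles(member: str, resource: Resource) -> Set[str]:
    """Union of roles bound on the resource and on every ancestor.
    Inheritance only ever adds: a parent's binding cannot be removed at a child."""
    identities = principals_for(member)
    roles: Set[str] = set()
    node: Optional[Resource] = resource
    while node is not None:
        for role, members in node.bindings.items():
            if members & identities:
                roles.add(role)
        node = node.parent
    return roles


def has_permission(member: str, resource: Resource, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(member, resource))


def build_hierarchy() -> Dict[str, Resource]:
    org = Resource("organizations/123456")
    folder = Resource("folders/prod", parent=org)
    project = Resource("projects/web-prod", parent=folder)
    bucket = Resource("projects/web-prod/buckets/assets", parent=project)
    # Folder-level viewer for the SRE group: inherited by the project and the bucket.
    folder.bind("roles/viewer", "group:sre-team@example.com")
    # The web app's service account gets read-only access on one bucket only.
    bucket.bind("roles/storage.objectViewer",
                "serviceAccount:web@web-prod.iam.gserviceaccount.com")
    return {"org": org, "folder": folder, "project": project, "bucket": bucket}


def demo() -> Dict[str, bool]:
    h = build_hierarchy()
    alice = "user:alice@example.com"
    sa = "serviceAccount:web@web-prod.iam.gserviceaccount.com"
    results = {
        "viewer_can_create": has_permission(alice, h["project"], "compute.instances.create"),  # False
        "viewer_reads_bucket": has_permission(alice, h["bucket"], "storage.objects.get"),      # True, inherited from folder
        "sa_reads_bucket": has_permission(sa, h["bucket"], "storage.objects.get"),             # True
        "sa_reads_project": has_permission(sa, h["project"], "storage.objects.get"),           # False, bound only on the bucket
    }
    # Enable instance creation by adding a project-level binding, then take it away again.
    h["project"].bind("roles/compute.instanceAdmin.v1", alice)
    results["after_grant"] = has_permission(alice, h["project"], "compute.instances.create")   # True
    h["project"].unbind("roles/compute.instanceAdmin.v1", alice)
    results["after_revoke"] = has_permission(alice, h["project"], "compute.instances.create")  # False
    results["viewer_still_lists"] = has_permission(alice, h["project"], "compute.instances.list")  # True, folder grant untouched
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The walk up the `parent` chain in `effective_roles` is the whole inheritance model: when you are surprised that someone can do something in a project, the binding to look for is usually on the folder or organization above it, not on the project itself.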