ccs362 unit3 notes
- Implementation:
2. Security Measures
- **Purpose**: To protect cloud environments against unauthorized access and potential breaches.
- **Implementation**:
### 4. **Visibility**
- **Implementation**:
- **Data Mapping**: Track where all data resides across the cloud
infrastructure to better manage access.
- **Implementation**:
User identification
User identification in the cloud is a set of technologies and practices
that allow organizations to manage and control user identities and access
to digital resources. **Cloud Identity** is a key service that supports
these functions, helping to:
- **Methods**:
- RBAC ensures that employees and users can only access data and
perform actions required for their specific roles. This minimizes the risk of
unauthorized access to sensitive information.
1. **Assign Roles**:
2. **Manage Permissions**:
3. **Grant Access**:
- Once roles are defined, users are granted the corresponding roles. This
directly determines the level of access they have to cloud resources and
services.
4. **Manage Access**:
1. **Google Cloud**:
2. **AWS**:
- AWS uses RBAC through services like **Amazon Cognito**, where roles can be assigned to users or groups, such as Administrator, Developer, or Viewer. Permissions tied to these roles control access to AWS resources, offering a granular approach to security.
### **Conclusion**
**Purpose**:
- The user logs into one application (the Service Provider) using their
credentials.
- The Service Provider redirects the user to the Identity Provider for
authentication.
- The user does not need to log in again for other connected applications.
**Benefits of SSO**:
- Users only need to remember one set of credentials and avoid frequent
login prompts.
3. **Improved Security**:
4. **Reduced IT Costs**:
---
- Users can authenticate in their home organization and then use those
credentials to access resources in a federated organization.
1. **Cross-Platform Access**:
4. **Improved Collaboration**:
- Facilitates collaboration between organizations by allowing employees
from one company to access resources in another company or external
service without re-authenticating.
---
1. **Scope of Access**:
2. **Security Considerations**:
3. **User Experience**:
---
### **Conclusion**
Both **Single Sign-On (SSO)** and **Identity Federation** are crucial for
simplifying user authentication and improving security in cloud computing
environments. While SSO focuses on managing access within a single
domain or organization, **Identity Federation** extends this convenience
across multiple organizations or domains. The choice between SSO and
Identity Federation depends on the scope of the services and the need for
cross-domain collaboration. Together, these mechanisms offer a
comprehensive solution for secure and efficient user authentication in a
cloud-first world.
**Definition**:
- **Single Sign-On (SSO)**: Enabling users to log in once and access multiple systems without re-authenticating.
- **Identity Federation**: Facilitating cross-domain authentication so users can access resources across multiple organizations or services using a single identity.

**How It Works**:
- The IdP authenticates users and generates security tokens (e.g., **SAML assertions**, **OAuth tokens**, or **OpenID Connect ID tokens**) to provide evidence of the user's identity.
- **Okta**
- **Amazon Cognito**

**Definition**:
- **Trust the IdP**: Rely on the IdP for authenticating users and verifying their identity.
- **Grant Access**: After receiving the authentication token from the IdP, the Service Consumer determines the level of access the authenticated user should have based on their identity and assigned roles.
- **Enforce Security Policies**: Ensure that only authorized users can access the resources by validating the identity information and permissions.

**How It Works**:
- The Service Consumer redirects the user to the IdP for authentication.
- The IdP verifies the user's identity, and upon success, sends an authentication token back to the Service Consumer.
- The Service Consumer validates the token, grants access to the requested resource, and enforces any security policies based on the user's permissions.
- **Salesforce**
- **Dropbox**

1. **Authentication**:
2. **Authorization**:
3. **Access Control**:
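The Service Consumer flow above (trust the IdP's token, then grant access from the user's roles), as an added example that is not part of the original notes. It assumes a constructed shared HMAC key between the IdP and the Service Consumer and a hypothetical role-to-permission table owned by the consumer; real deployments use SAML or OIDC tokens with public-key signatures instead.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret between the IdP and the Service Consumer (example only).
IDP_KEY = b"idp-and-service-consumer-shared-secret"
AUDIENCE = "crm.example.com"   # identifier of this Service Consumer
# Hypothetical mapping from IdP-asserted roles to this service's permissions.
ROLE_PERMISSIONS = {"Viewer": {"read"}, "Developer": {"read", "write"}}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_token(subject, roles, ttl=300, now=None):
    """IdP side: after authenticating the user, issue a signed, short-lived token."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": AUDIENCE, "exp": int(now) + ttl, "roles": roles}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def consumer_validate(token, now=None):
    """Service Consumer side: trust the IdP's signature, then check audience and expiry."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(unb64(sig), expected):
        return None                      # forged or tampered token
    claims = json.loads(unb64(body))
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None                      # token meant for another service, or expired
    return claims

def consumer_authorize(token, action, now=None):
    """Grant access: map the IdP's roles onto this service's own permissions."""
    claims = consumer_validate(token, now)
    if claims is None:
        return False
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in claims["roles"]))
    return action in allowed
```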
### **Conclusion**
---
**Definition**:
**Key Components**:
---
**Definition**:
**Key Features**:
---
1. **Cloud Storage**:
4. **Spinning Up Resources**:
---
### **Conclusion**
- **Use CIS Benchmarks**: Follow the Center for Internet Security (CIS)
standards.
- **Right CSP Selection**: Choose a cloud provider that fits your security
and cost needs.
- **Archive or Delete Unused Data**: Regularly clean up data to save on
storage costs.
### **Conclusion**
---
**Purpose**:
Verified Boot ensures that only trusted software is executed during the
boot process. It verifies that the bootloader, operating system, and other
critical components are digitally signed and not tampered with.
**How it Works**:
**Key Features**:
**Limitations**:
- Verified Boot ensures that software is authentic but does not provide any
assurance that the software is secure or free from vulnerabilities.
- It does not record or provide detailed information about the boot process
or components.
---
**Purpose**:
Measured Boot is designed to create a detailed and secure log of the boot
process, recording the integrity of each stage in the boot process. It
ensures not only that the software is authentic but also that it has not
been tampered with during the boot process.
**How it Works**:
- **Hash Values and Signatures**: The TPM stores hash values and
signatures for each stage of the boot process (bootloader, kernel, etc.),
which can later be verified against a trusted source to ensure that no
components were modified.
**Key Features**:
- It provides a detailed log of the boot process and verifies the integrity of
each boot stage.
- The TPM ensures that the hash values are securely stored and can be
used for later validation.
**Limitations**:
- While Measured Boot tracks and logs the boot process, it doesn't
inherently prevent booting of unauthorized software (this is the role of
Secure Boot). It works best when used in conjunction with Verified Boot.
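The Measured Boot behaviour described above (each stage hashed into a TPM PCR and recorded in an event log, verified later against trusted values, without blocking the boot), as an added simulation that is not part of the original notes. The boot images and "golden" values are constructed here; the TPM extend rule, new PCR = SHA-256(old PCR || measurement), is the real one.

```python
import hashlib

BOOT_STAGES = ["bootloader", "kernel", "initrd"]
# Constructed known-good component images; a real verifier would hold their measurements.
GOOD_IMAGES = {"bootloader": b"BL v1", "kernel": b"kernel 6.1", "initrd": b"initrd v1"}

def measure(component: bytes) -> bytes:
    """Hash of one boot component, what firmware feeds to the TPM."""
    return hashlib.sha256(component).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: one-way and order-sensitive, so a PCR cannot be reset to hide a stage."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(images: dict) -> tuple:
    """Measured Boot: log and extend every stage, then keep booting regardless of the result."""
    pcr = b"\x00" * 32                   # PCR is all zeros after reset
    event_log = []
    for stage in BOOT_STAGES:
        m = measure(images[stage])
        event_log.append((stage, m.hex()))
        pcr = pcr_extend(pcr, m)
    return pcr.hex(), event_log

def attest(pcr_hex: str, event_log: list, golden_log: list) -> dict:
    """Verifier: replay the log against the PCR, then compare each stage with golden values."""
    replay = b"\x00" * 32
    for _, m_hex in event_log:
        replay = pcr_extend(replay, bytes.fromhex(m_hex))
    if replay.hex() != pcr_hex:
        return {"trusted": False, "changed_stages": [], "reason": "event log does not match PCR"}
    golden = dict(golden_log)
    changed = [stage for stage, m in event_log if golden.get(stage) != m]
    return {"trusted": not changed, "changed_stages": changed, "reason": ""}

# Golden values are taken from a known-good boot of the constructed images.
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOOD_IMAGES)
```

A modified kernel still boots, which is the limitation the notes mention; the attestation afterwards names the changed stage, and a log edited to hide it no longer replays to the PCR.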
---
### **Conclusion**