A TIERED AUTHORIZATION MODEL REDUCES THE ECONOMIC RISKS OF THE CLOUD TEST PHASE
The starting point for a company in the exploration phase is, with most providers, a base or root account that has rights to everything. This account is secured with particular care, e.g. with an RSA token in addition to password protection. This is necessary, as it is the account to which the debit card is attached.
In the next step, a leading administration account is created. It has all authorizations, but no longer has access to the credit card data, the economic link between customer and provider. This account is also secured with particular care.
This is where the user accounts for the individual employees come into play. With a larger group of people, each with their own access, the risk of generating costs uncontrollably and unintentionally increases. For larger user groups, unlimited administrative full access cannot generally be granted to all users. Billing alerts can detect and report undesired usage peaks at an early stage, but a graduated usage concept drawn up in advance and the corresponding assignment of rights to individual users provide more security.
At first, the idea of not giving the company's "cloud pathfinders" administrator rights, but instead sending them on their exploratory trip with accounts that have almost no permissions and granting authorizations as the need arises, sounds sensible. In practice, however, this is almost impracticable, since the large cloud providers have designed the assignment of permissions on an extremely fine-grained scale. For the "Virtual Machines" area alone, AWS offers over 230 different sub-permissions that can be assigned. With such an extraordinarily dense set of permission policies and their interdependencies, even the testing of cloud options becomes a science in itself, which tends to prevent quick discoveries.
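The three tiers described above (root, administration account without payment access, and a "pathfinder" account with only the rights it has been granted) can be written down as IAM-style policy documents and checked before anything is deployed. The following is an added example, not code from the original article: the policies, action names and the small evaluator are constructed here and only model the usual explicit-deny-wins rule.

```python
"""Tiered cloud authorization model as policy documents plus a minimal evaluator."""
from fnmatch import fnmatchcase

# Constructed policies for the three tiers; action names use the AWS "service:Action"
# style. The explicit Deny on the payment actions is what separates admin from root.
ROOT_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

ADMIN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    # An explicit Deny always wins over the Allow above: no access to payment data.
    {"Effect": "Deny", "Action": ["aws-portal:ModifyPaymentMethods",
                                  "aws-portal:ViewPaymentMethods"]},
]}

# "Cloud pathfinder" tier: read-only everywhere, plus the few write permissions
# granted on request (here, assumed for illustration: starting and stopping VMs).
EXPLORER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["*:Describe*", "*:List*", "*:Get*"]},
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:StopInstances"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """IAM-style evaluation: an explicit Deny overrides any Allow, and an
    action that matches no statement at all is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def tier_matrix(actions):
    """Map each action to the tiers that may perform it; useful for reviewing
    the graduated concept with the team before rights are assigned for real."""
    tiers = {"root": ROOT_POLICY, "admin": ADMIN_POLICY, "explorer": EXPLORER_POLICY}
    return {a: {name: is_allowed(p, a) for name, p in tiers.items()} for a in actions}


if __name__ == "__main__":
    sample = ["aws-portal:ModifyPaymentMethods", "iam:CreateUser",
              "ec2:RunInstances", "ec2:DescribeInstances"]
    for action, row in tier_matrix(sample).items():
        print(f"{action:34}", "  ".join(f"{t}={'yes' if ok else 'no'}" for t, ok in row.items()))
```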
The background to these complex permission structures is that the large cloud providers have to meet the needs of large companies with often many hundreds of users and administrators. The division of labour into small parts in such companies results in a correspondingly fine-grained assignment of rights in the cloud systems. While this suits large use cases, it is often quite complicated and inflexible for smaller teams.
At the same time, it is also a great protection: thousands of options and services in a global cloud computing network offer too many opportunities for waste or uncertainty from a data security and cost perspective.
KEEPING AN EYE ON STRATEGY AND IMPLEMENTATION WHEN DEVELOPING AN AUTHORIZATION CONCEPT
Documentation, experience reports, blog discussions and also the introductions by the large providers themselves together form a reservoir of important information that is often too large for the beginner to plan their entry into the cloud wisely. The most important clues as to what needs to be considered, a guideline for one's own first steps into the cloud, are often sought in vain ...
Read the complete article on novum online, the newsdesk of noventum consulting.