Showing posts with label AWS.

Tuesday, March 14, 2023

Identity and Access Management Concept

Identity and Access Management is the concept behind controlling access to assets, including information, systems and devices. IAM focuses on issues related to granting and revoking privileges to access data or perform actions on systems. The goal of IAM is to provide the right people with the right access to the right resources at the right time. Controlling access to assets is a central theme of security. All assets should be protected, but with different levels of protection depending on the system context or criticality.

IAM can be broken down into four core interconnected concepts.

  • Identification
  • Authentication
  • Authorization
  • Auditing and Accountability

Various regulations require that all activities of identification, authentication, and authorization are monitored through audit or security logs to provide accountability and support forensic analysis if security issues occur.

Identification

  • Identification is the process of a user claiming an identity. 
  • A user is an active entity that accesses a system to receive information or perform an action. 
  • Users can be persons, programs, services, or anything else that can access a resource. 
  • A user must provide an identity to a system to start the authentication, authorization, and accountability processes. 
  • Providing an identity might entail typing a username, swiping a smartcard, or positioning your hand, face or finger in front of a scanning device. 
  • Identification is usually integrated with user management. 
  • User management involves creating and managing user identities, bundling them into groups for effective management and assigning users and groups to roles. 
  • User management operations include creating, modifying, and deleting user identities, as well as granting and revoking credentials and roles.

Authentication

  • Authentication is the process of validating the identity of a user. 
  • There are three basic categories of authentication factors: 
    • Type 1, something you know: a password, a passphrase, or a personal identification number (PIN). 
    • Type 2, something you have: a physical device in the user's possession, such as a one-time password generator, a smartcard, or a hardware token. 
    • Type 3, something you are: a physical characteristic of the person, measured by some form of biometrics. Examples include fingerprints, voice prints, and retina patterns. 
  • Multi-factor authentication (MFA) combines two or more factors from different categories, for example something you know with something you have. 
  • The factors must come from different categories: a password plus a security question are both something you know and still count as a single factor. Requiring different categories raises security because an attacker has to defeat more than one kind of authentication to break the scheme.
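
The following is an added example, not code from the original post, showing the two most common factors checked together: a salted PBKDF2 password hash (something you know) and an RFC 6238 TOTP code from an authenticator device (something you have). The user record, salt and password are constructed; the TOTP seed is the ASCII test-vector seed from RFC 6238 so the output can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not real credentials. In production the PBKDF2 cost is
# tuned to the hardware and the TOTP seed is stored encrypted, never in source.
SALT = b"constructed-demo-salt"
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector seed (ASCII bytes)
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: store only a salted, deliberately slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Something you have: RFC 6238 TOTP, HMAC-SHA1 over the time counter
    followed by RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1, step: int = 30):
    """Return the time-step counter that produced `code`, or None.
    The current step and +/- `window` neighbours are accepted to tolerate clock
    skew; compare_digest avoids leaking the correct digits through timing."""
    for drift in range(-window, window + 1):
        counter = timestamp // step + drift
        if hmac.compare_digest(totp(secret, counter * step, step), code):
            return counter
    return None


# Constructed user record: the server never stores the cleartext password, and
# remembers the last accepted TOTP counter so a captured code cannot be replayed.
USER = {
    "username": "alice",
    "salt": SALT,
    "password_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": TOTP_SECRET,
    "last_counter": -1,
}


def authenticate(user: dict, password: str, code: str, timestamp: int) -> bool:
    """Two factors from different categories. Both are always evaluated so the
    response time does not reveal which one failed, and the caller only learns
    a single pass/fail result."""
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"])
    counter = verify_totp(user["totp_secret"], code, timestamp)
    code_ok = counter is not None and counter > user["last_counter"]  # each code is single-use
    if password_ok and code_ok:
        user["last_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000  # fixed timestamp so the run is reproducible
    valid = totp(TOTP_SECRET, now)
    print("good password + good code:", authenticate(USER, "correct horse battery staple", valid, now))
    print("replay of the same code:  ", authenticate(USER, "correct horse battery staple", valid, now))
    print("bad password + good code: ", authenticate(USER, "hunter2", valid, now))
```

Note that neither factor alone unlocks the account, and the replay check matters: a TOTP code observed over the shoulder is valid for the whole 30-second step (and the skew window) unless the server refuses to accept a counter it has already seen.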

Authorization

  • Authorization defines what a user is allowed to access after authenticating. Unauthorized users should not be able to reach business assets or perform critical functions. 
  • Authorization is controlled by policies. Examples include time-of-day restrictions, session-length restrictions, file or folder access rights, and more. 
  • Setting the right authorizations is critical for data protection, fraud prevention, and regulatory compliance in general. 
  • Two important authorization principles to consider: 
    • Least privilege: give a user or process only those privileges that are essential to perform its intended function. 
    • Separation of duties: its primary objective is the prevention of fraud and errors. It is achieved by spreading the tasks and associated privileges of a single business process across multiple users, so that no one person can complete a sensitive process alone.
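
As an added example (not from the original post), here is a small evaluator in the shape of AWS IAM identity policies that makes both principles concrete: a broad policy beside a least-privilege one, an explicit Deny used as a guardrail so the workload identity cannot grant itself more access, and a separation-of-duties check over a pair of conflicting actions. The account ID, bucket names and the `payouts:*` actions are placeholders; the evaluator models only Effect/Action/Resource (no conditions, NotAction, resource policies, permission boundaries or SCPs).

```python
import fnmatch

# Constructed policies; 123456789012 and the bucket names are placeholders.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Least privilege: the reporting job only needs to read one prefix of one bucket.
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-reports/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-reports"},
]}

# Guardrail: whoever runs workloads must not also be able to change who holds
# which privileges, so IAM write actions get an explicit Deny that always wins.
IAM_GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["iam:Put*", "iam:Attach*", "iam:Create*", "iam:Add*"], "Resource": "*"},
]}

# Hypothetical service and actions used only to illustrate separation of duties.
PAYOUT_LEDGER = "arn:aws:payouts::123456789012:ledger/main"
REQUESTER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "payouts:SubmitPayout", "Resource": PAYOUT_LEDGER}]}
APPROVER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "payouts:ApprovePayout", "Resource": PAYOUT_LEDGER}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    fnmatchcase is used so the OS never lowercases ARNs behind our back.
    (fnmatch also treats '[...]' specially, which real ARNs rarely contain.)"""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action: str, resource: str) -> str:
    """Simplified IAM evaluation: everything is implicitly denied, an explicit
    Allow grants, and an explicit Deny always wins. Action names are compared
    case-insensitively (as IAM does), resource ARNs case-sensitively."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_match(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_match(r, resource, False) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny (explicit)"
            allowed = True
    return "Allow" if allowed else "Deny (implicit)"


def violates_separation(policies, conflicting_pair, resource: str) -> bool:
    """Separation of duties: no single principal may hold both halves of a
    conflicting pair of actions on the same resource."""
    return all(evaluate(policies, action, resource) == "Allow" for action in conflicting_pair)


if __name__ == "__main__":
    print(evaluate([BROAD_POLICY], "s3:DeleteBucket", "arn:aws:s3:::prod-backups"))
    print(evaluate([LEAST_PRIVILEGE_POLICY], "s3:DeleteBucket", "arn:aws:s3:::prod-backups"))
    print(evaluate([ADMIN_POLICY, IAM_GUARDRAIL_POLICY], "iam:AttachUserPolicy",
                   "arn:aws:iam::123456789012:user/alice"))
    pair = ("payouts:SubmitPayout", "payouts:ApprovePayout")
    print(violates_separation([REQUESTER_POLICY, APPROVER_POLICY], pair, PAYOUT_LEDGER))
```

The point of the guardrail is that an explicit Deny cannot be out-voted by any Allow, so even a principal that otherwise has `*` cannot attach a policy or mint access keys; reads such as `iam:GetUser` remain allowed. The separation check is the kind of test a reviewer runs over the policies attached to each role before they reach production.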

Auditing and Accountability

  • The final piece of the IAM puzzle is auditing and accountability: tracking users and their activities so that every action can be attributed to a specific identity. 
  • If a user misuses privileges or a compromise is suspected, the collected audit logs let us investigate and hold the user accountable. 
  • These capabilities ensure users are accountable for their actions, verify that security policies are actually enforced, and serve as forensic evidence. 
  • Auditing capabilities are also necessary to fulfil regulatory or compliance requirements.
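
To show what "investigate based on collected audit logs" looks like in practice, here is an added example (not part of the original post) that runs three accountability checks over a handful of constructed, simplified CloudTrail-style records: root account activity, a burst of failed console logins followed by a success from the same address, and any call that changes who holds which privileges. The field names follow CloudTrail's layout, but every value, identity and IP address is invented.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per line, all values invented.
SAMPLE_LOG = """\
{"eventTime":"2023-03-14T08:00:12Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"203.0.113.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2023-03-14T08:00:40Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"203.0.113.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2023-03-14T08:01:05Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"203.0.113.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2023-03-14T08:01:30Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"203.0.113.7","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2023-03-14T08:05:00Z","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"203.0.113.7","requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2023-03-14T09:15:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"sourceIPAddress":"198.51.100.20","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2023-03-14T09:20:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.21"}
"""

# Calls that change who holds which privileges; each one must be attributable.
PRIVILEGE_CHANGES = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                     "AddUserToGroup", "CreateAccessKey", "CreateUser"}


def parse_events(text: str) -> list:
    """Parse JSON lines and attach a datetime so events can be ordered and windowed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_time"])


def audit(events: list, fail_threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Return (kind, eventTime, actor, detail) findings. Every finding names the
    identity that performed the action, which is what accountability means."""
    findings = []
    failures = defaultdict(deque)  # sourceIPAddress -> times of recent failed logins

    for ev in events:
        actor = ev["userIdentity"]["arn"]
        when = ev["eventTime"]
        name = ev["eventName"]

        # Root is shared and not tied to one person, so any use of it is reviewed.
        if ev["userIdentity"]["type"] == "Root":
            findings.append(("root-activity", when, actor, name))

        if name == "ConsoleLogin":
            ip = ev["sourceIPAddress"]
            recent = failures[ip]
            while recent and ev["_time"] - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                recent.append(ev["_time"])
                if len(recent) == fail_threshold:
                    findings.append(("login-failure-burst", when, actor,
                                     f"{len(recent)} failures from {ip} within {window}"))
            elif len(recent) >= fail_threshold:
                # A success right after a burst of failures is the guess-then-succeed pattern.
                findings.append(("login-after-failure-burst", when, actor,
                                 f"success from {ip} after {len(recent)} failures"))

        if name in PRIVILEGE_CHANGES:
            params = json.dumps(ev.get("requestParameters", {}), sort_keys=True)
            findings.append(("privilege-change", when, actor, f"{name} {params}"))

    return findings


if __name__ == "__main__":
    for finding in audit(parse_events(SAMPLE_LOG)):
        print(*finding)
```

Read in order, the findings tell the story the section is about: the same identity fails three times, succeeds, and minutes later attaches an administrator policy to itself. Without the log there would be nothing to investigate and no one to hold accountable; with it, the sequence, the actor and the source address are all on record.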

Challenges

There are several challenges that may result from insecure implementation of identification, authentication, authorization, and accounting systems. 
Some examples are:

  • Identity theft
  • Attacks on authentication
  • Trusting the means of authentication
  • Improper or missing authorization checks
  • Incorrect permission assignments
  • Unprotected or unencrypted API and external calls
  • Untraceable access
  • Missing logs of security events
  • Unnecessary usage or storage of personal data.

Wednesday, February 15, 2023

AWS Cloud Overview

AWS Cloud History

  • AWS was launched in 2002 as an internal offering at amazon.com.
  • Amazon then realized that IT infrastructure could be offered externally: its infrastructure was one of its core strengths, so why not run IT for other people as well?
  • The first public offering, SQS, launched in 2004.
  • In 2006, the offering expanded and relaunched with SQS, S3, and EC2 available.
  • AWS then expanded beyond America, first into Europe.
  • Fast forward to today, and many well-known applications run or have run on AWS, such as Dropbox, Netflix, Airbnb, and even NASA.
Some numbers:
  • In 2019, AWS had $35.02 billion in annual revenue
  • AWS accounts for 47% of the market in 2019 (Microsoft is 2nd with 22%)
  • Pioneer and Leader of the AWS Cloud Market for the 9th consecutive year
  • Over 1,000,000 active users

AWS Cloud Use Cases

  • AWS enables you to build sophisticated, scalable applications
  • Applicable to a diverse set of industries
  • Use cases include
    • Enterprise IT, Backup & Storage, Big Data analytics
    • Website hosting, Mobile & Social Apps
    • Gaming              

Now AWS is global. And this is where we are going to learn a bit more specifics about how it works.

AWS Global Infrastructure

  • AWS Regions
  • AWS Availability Zones
  • AWS Data Centers
  • AWS Edge Locations / Points of Presence

And all of these can be represented on the map right here: https://infrastructure.aws/

AWS Regions

  • AWS has Regions all around the world
  • Names can be us-east-1, eu-west-3…
  • A region is a cluster of data centers
  • Most AWS services are region-scoped

How to choose an AWS Region?

  • Say you are launching a new application. Where should you deploy it: in America, in Europe, in South America, or in Australia?
  • The answer is, of course, that it depends, but these factors should drive the choice of an AWS Region:
    • Compliance with data governance and legal requirements: data never leaves a Region without your explicit permission, so pick a Region that satisfies the jurisdictions your data falls under.
    • Proximity to customers: if most of your users are in America, deploying there keeps the application close to them and reduces latency.
    • Available services within a Region: new services and new features are not available in every Region.
    • Pricing: pricing varies from Region to Region and is shown transparently on each service's pricing page.

AWS Availability Zones

  • Each region has many availability zones (usually 3, min is 3, max is 6). Example:
    • ap-southeast-2a
    • ap-southeast-2b
    • ap-southeast-2c
  • Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
  • They’re separate from each other, so that they’re isolated from disasters
  • They’re connected with high bandwidth, ultra-low latency networking

AWS Edge Locations / Points of Presence

  • Amazon has 216 Points of Presence (205 Edge Locations & 11 Regional Caches) in 84 cities across 42 countries
  • Content is delivered to end users with lower latency

Tour of the AWS Console

  • AWS has Global Services:
    • Identity and Access Management (IAM)
    • Route 53 (DNS service)
    • CloudFront (Content Delivery Network)
    • WAF (Web Application Firewall)
  • Most AWS services are Region-scoped:
    • Amazon EC2 (Infrastructure as a Service)
    • Elastic Beanstalk (Platform as a Service)
    • Lambda (Function as a Service)
    • Rekognition (Software as a Service)  
Finally, to know if a service is available in your region, there is a region table you should check out right here:
Region Table: https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services

Shared Responsibility Model

  • You, the customer, are responsible for security in the cloud.
  • Whatever you run in the cloud, and however you configure it, is entirely your responsibility.
  • That includes your data, your operating systems, your network and firewall configuration, your access management, and so on.
  • AWS is responsible for security of the cloud.
  • That covers the infrastructure, the hardware, the software that runs it, the facilities and their own internal security.
  • Because each side owns part of the picture, responsibility is shared.

AWS Acceptable Use Policy

  • https://aws.amazon.com/aup/
  • No Illegal, Harmful, or Offensive Use or Content
  • No Security Violations
  • No Network Abuse
  • No E-Mail or Other Message Abuse