Access control has always been at the heart of high-end security technology. The modern cloud may be the first time that you can implement powerful security whose trust boundaries are both easier to visualize and stronger.
What is Access Control?
In a sentence, it is about allowing access to certain network or data locations based on the origin of the request. Of course, that is a very loose and basic definition; modern access control has evolved to be much more sophisticated. Before we move forward, let's consider a few questions:
- Within your datacenter/cloud, where is the trust boundary?
- Do you manage different departments using different network locations (such as subnets, VLANs, etc.)?
- Are the individual servers themselves responsible for defending themselves against unauthorized access?
- Do all users (including your consultants and partners) get treated the same when connecting to your datacenter?
If the answers to these questions are mostly technical in nature, you may have already made a mistake. Quite possibly you're already paying for it in ways you may not directly associate with such setups. A simple follow-up question: do you often have "maintenance" windows that last several hours or cover large parts or all of your network? How long does it take to get things back to fully functional?
Perhaps it's now easier to see where we are going with this: the only true way to define your deployment's access rights is to use user roles, not subnets, VLANs, groupIDs or IP addresses.
In Focus: Role Based Access Control
Declaring "everyone in my engineering department should have access to my version control server" is more intuitive than "subnet 10.0.0.0/24 has version control servers and build servers, and my engineers are coming from 192.168.0.0/24 and 192.168.2.0/24; let's connect them". Then there are other things to consider: users are allocated some groupID on the VPN, and there will need to be a few rules in the DMZ firewall and the internal router to allow this traffic too.
There are many problems with the latter approach apart from it being unnecessarily complicated. Subnet sizes aren't flexible, the capacity of each is limited, groupID secrets are hard to manage and change across the board, and changing anything in the topology invalidates everything the policy was built on.
Role Based Access Control is just what it says it is: use the corporate roles of your employees that you already keep in your directory server (Microsoft Active Directory, LDAP, etc.) to define access rules, without worrying about the number of people in each role or where the actual server is placed (IP, subnet, VLAN, etc.). Advanced engines go a step further and define exactly which protocol is allowed. Certainly you do not want the management console of your Microsoft SharePoint server to have the same access rights as the SharePoint portal itself. That is how you should be able to define the policy as well: "Allow access to the management console to IT and deny access to everyone else".
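To make the contrast concrete, here is an added illustration (not CipherGraph's code or engine): a minimal role-based policy evaluator with default deny, placed next to the subnet-based rules from the example above. The directory snapshot, users, roles, hosts, addresses and the "vcs"/"sharepoint" resource names are all constructed for the example. The RBAC policy names resources and services; a separate inventory maps addresses to resource names, so moving a server changes the inventory but not the policy.

```python
"""Role-based vs. subnet-based access decisions (constructed illustration)."""
from dataclasses import dataclass
import ipaddress

# Constructed snapshot of directory group membership (what AD/LDAP would supply).
DIRECTORY = {
    "alice": {"engineering"},
    "bob": {"engineering", "it"},
    "carol": {"finance"},
    "dave": set(),            # partner account with no corporate role
}

# Constructed inventory: which application lives at which address. This is the
# only place an address appears on the RBAC side.
INVENTORY = {"10.0.0.5": "vcs", "10.0.0.20": "sharepoint"}


@dataclass(frozen=True)
class Rule:
    roles: frozenset   # roles that may match this rule
    resource: str      # which application, independent of where it is hosted
    service: str       # which protocol/console on that application
    allow: bool


# The policy as the text phrases it: roles and services, never addresses.
# "Allow access to the management console to IT and deny access to everyone
# else" is the second rule plus the default-deny fallthrough.
RBAC_POLICY = [
    Rule(frozenset({"engineering", "it"}), "vcs", "git-ssh", True),
    Rule(frozenset({"it"}), "sharepoint", "admin-console", True),
    Rule(frozenset({"engineering", "finance", "it"}), "sharepoint", "portal", True),
]


def rbac_decision(user, dst_ip, service, directory=DIRECTORY,
                  policy=RBAC_POLICY, inventory=INVENTORY):
    """Return True if some rule grants one of the user's roles this service
    on the application hosted at dst_ip. Unknown users, unknown hosts and
    unmatched requests all fall through to deny."""
    roles = directory.get(user, set())
    resource = inventory.get(dst_ip)
    for rule in policy:
        if rule.resource == resource and rule.service == service and roles & rule.roles:
            return rule.allow
    return False


# The subnet-centric equivalent from the text: engineers on 192.168.0.0/24 and
# 192.168.2.0/24 reach the server subnet 10.0.0.0/24. Nothing here says who the
# source user is or which service on the destination is meant.
NET_POLICY = [
    (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("10.0.0.0/24")),
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("10.0.0.0/24")),
]


def net_decision(src_ip, dst_ip, policy=NET_POLICY):
    """Allow if the (source, destination) pair falls inside any rule's subnets."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s_net and dst in d_net for s_net, d_net in policy)


def compare_after_server_move():
    """Move the VCS host from 10.0.0.5 to 10.0.1.5 (out of 10.0.0.0/24) and see
    which policy still gives the right answer for an engineer.

    Returns (rbac_before, rbac_after, net_before, net_after)."""
    moved = dict(INVENTORY)
    del moved["10.0.0.5"]
    moved["10.0.1.5"] = "vcs"        # inventory updated, RBAC_POLICY untouched
    rbac_before = rbac_decision("alice", "10.0.0.5", "git-ssh")
    rbac_after = rbac_decision("alice", "10.0.1.5", "git-ssh", inventory=moved)
    net_before = net_decision("192.168.0.10", "10.0.0.5")
    net_after = net_decision("192.168.0.10", "10.0.1.5")   # rule no longer matches
    return rbac_before, rbac_after, net_before, net_after


if __name__ == "__main__":
    print("IT to admin console:", rbac_decision("bob", "10.0.0.20", "admin-console"))
    print("engineer to admin console:", rbac_decision("alice", "10.0.0.20", "admin-console"))
    print("partner to portal:", rbac_decision("dave", "10.0.0.20", "portal"))
    print("(rbac_before, rbac_after, net_before, net_after):", compare_after_server_move())
```

Two things stand out when you run it. The subnet policy cannot tell the SharePoint admin console from the portal, because both are the same destination host; the role policy separates them in one rule. And relocating the server breaks the subnet rule while the role policy is unchanged, which is the brittleness the text describes.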
Access Control and The Cloud
There is one big difference between hosting your datacenter yourself and hosting your apps in the cloud: user communication leaves the devices and reaches the cloud over the insecure, public Internet. This small change turns the entire trust equation on its head. Every assumption you have ever made about your servers and users in an on-prem setup is no longer true.
Good news: it's not a problem; there is a solution, and a rather elegant one. Having your trusted applications selectively walled off from any "uncontrolled/semi-controlled" agents is a good thing. Using a single Cloud Access Gateway, you accomplish the following:
- Datacenter Perimeter
- Selective Access to Authorized Users only
- Encrypted communication to protect against Internet threats
- Unified Access Control and Access Management
Simple rules are easier to manage; there is no secret to it. But that should not mean a loss of precise control. CipherGraph allows Role Based Access Control that is incredibly granular and can handle very precise as well as very broad rules.
Never slow down
With modern technology, speed is not a luxury any more; you even have high network speed and processing power on your mobile phone, so why would you set up a security solution that becomes a bottleneck to your datacenter? CipherGraph has a patented high-performance network engine for the speeds of tomorrow. Resilience, high availability and failover are available to deployments of all sizes, not only to large enterprises.
Contact us at firstname.lastname@example.org for more information and free consultation.