Monday, May 1, 2023

BEST PRACTICES WITH CLOUD IAM, IMPERSONATION, KEYS

IDENTITY AND ACCESS MANAGEMENT

Identity Hardening: Use groups to manage sets of users who need the same or a similar level of privilege. Service accounts that serve a particular project can likewise be grouped together. At this level you also have to enable Multi-Factor Authentication (MFA) for all user accounts, which gives you a second layer of security. You can set up MFA with Google Authenticator.

a. Google Authenticator: for security, it can be set up on only one device.

b. Microsoft Authenticator, from Microsoft.

Example: even at the network level, when you switch from one Wi-Fi network to another it is sometimes detected and you are asked to provide a one-time password. That is multi-factor authentication.

Service Accounts: it is important to scope the access of each service account and to incorporate segregation of duties. There are two ways of using service accounts to access resources within the GCP ecosystem.

a. Impersonation: when it comes to access control, impersonation is a bridge around it (a principal acts as the service account rather than as themselves), and the IAM admin would be held responsible. Anyone who has service account impersonation access can achieve anything in your environment without using their own credentials, which is vulnerable. Best practice: ensure the team does not have access to service account impersonation.

b. Keys: anyone can generate a key file from the service account and escalate their privilege to that of the service account; that is probably someone who already has IAM access. At that point the individual is concealing their identity. With the key in use, you can track and trace activity with Activity Analyzer, but you will not see the person who performed the action, only the service account. You want to be very careful about who can generate keys for a service account, and monitor that you have only one key in circulation.
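The two concerns above (who may impersonate a service account, and who may generate keys for it) can both be checked from an exported IAM policy. The following audit script is an added example and is not part of the original post or of any Google tooling. It assumes the policy was exported with `gcloud projects get-iam-policy PROJECT --format=json` (a service account's own policy from `gcloud iam service-accounts get-iam-policy` has the same `bindings` shape); the policy JSON, the principals and the allow-listed group are constructed for illustration.

```python
"""Flag IAM bindings that grant service-account impersonation or key creation.

Added example, not the original post's code. Input shape assumed: the JSON
that `gcloud ... get-iam-policy --format=json` emits, i.e. an object with a
"bindings" list of {"role": ..., "members": [...]}.
"""
import json

# Predefined GCP roles that matter for the two risks described in the post.
# roles/owner is listed because it implies all of them.
WATCHED_ROLES = {
    "roles/iam.serviceAccountTokenCreator": "impersonation",  # mint tokens / sign as the SA
    "roles/iam.serviceAccountUser": "impersonation",          # run resources as the SA
    "roles/iam.serviceAccountKeyAdmin": "key_creation",       # create/delete SA keys
    "roles/owner": "impersonation+key_creation",
}

# Constructed sample policy (not a real project).
CONSTRUCTED_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer",
         "members": ["group:analysts@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:dev1@example.com",
                     "group:platform-admins@example.com"]},
        {"role": "roles/iam.serviceAccountKeyAdmin",
         "members": ["user:dev2@example.com"]},
    ],
    "etag": "BwXconstructed",
    "version": 1,
})


def find_risky_grants(policy_json, allowed_groups=()):
    """Return sorted (member, role, category) triples for every principal that
    holds a watched role and is not on the allow-list of groups.

    Individual users are never allow-listed: the post recommends managing
    privilege through groups, so a per-user grant is always worth a look.
    """
    policy = json.loads(policy_json)
    allowed = set(allowed_groups)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        category = WATCHED_ROLES.get(role)
        if category is None:
            continue
        for member in binding.get("members", []):
            if member.startswith("group:") and member in allowed:
                continue
            findings.append((member, role, category))
    return sorted(findings)


if __name__ == "__main__":
    for member, role, category in find_risky_grants(
            CONSTRUCTED_POLICY, allowed_groups=["group:platform-admins@example.com"]):
        print(f"{category:24} {role:40} {member}")
```

Run against a real export, the script produces a review list rather than a verdict: a grant to an approved admin group is expected, while a direct user grant of `roles/iam.serviceAccountTokenCreator` is exactly the case the post says the team should not have.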

KEY MANAGEMENT

Ensure that an automated process rotates keys every month, or at most every two months, as best practice.
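The "one key in circulation" rule above and this rotation schedule are easy to verify from the key inventory. The script below is an added example, not code from the original post or from Google; it assumes key records in the shape `gcloud iam service-accounts keys list --format=json` emits (fields `name`, `keyType`, `validAfterTime`), and the accounts, key ids and reference date are constructed.

```python
"""Audit service-account keys for count and age.

Added example, not the original post's code. Assumed input: for each
account, the list of key records as printed by
`gcloud iam service-accounts keys list --iam-account ... --format=json`.
Only USER_MANAGED keys count; SYSTEM_MANAGED keys are rotated by Google.
"""
from datetime import datetime, timezone

ROTATION_DAYS = 60  # the post's upper bound: at most every two months

# Constructed reference date (the post's publication day) so results are stable.
REFERENCE_NOW = datetime(2023, 5, 1, tzinfo=timezone.utc)

# Constructed inventory for two fictitious accounts in a fictitious project.
CONSTRUCTED_KEYS = {
    "billing-export@example-project.iam.gserviceaccount.com": [
        {"name": "projects/example-project/serviceAccounts/billing-export@example-project.iam.gserviceaccount.com/keys/aaa111",
         "keyType": "USER_MANAGED", "validAfterTime": "2023-04-20T08:00:00Z"},
        {"name": "projects/example-project/serviceAccounts/billing-export@example-project.iam.gserviceaccount.com/keys/bbb222",
         "keyType": "USER_MANAGED", "validAfterTime": "2022-12-01T08:00:00Z"},
        {"name": "projects/example-project/serviceAccounts/billing-export@example-project.iam.gserviceaccount.com/keys/sys999",
         "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-04-28T00:00:00Z"},
    ],
    "ci-runner@example-project.iam.gserviceaccount.com": [
        {"name": "projects/example-project/serviceAccounts/ci-runner@example-project.iam.gserviceaccount.com/keys/ccc333",
         "keyType": "USER_MANAGED", "validAfterTime": "2023-04-10T08:00:00Z"},
    ],
}


def parse_ts(ts):
    """Parse the RFC 3339 UTC timestamp format used in the key records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id(name):
    """Last path element of a key resource name is the key id."""
    return name.rsplit("/", 1)[-1]


def audit_keys(keys_by_account, now, rotation_days=ROTATION_DAYS):
    """Return findings as (account, kind, detail) tuples.

    kind == "multiple_keys": more than one user-managed key exists (detail = count).
    kind == "stale_key": a user-managed key is older than rotation_days (detail = key id).
    """
    findings = []
    for account, keys in keys_by_account.items():
        user_keys = [k for k in keys if k.get("keyType") == "USER_MANAGED"]
        if len(user_keys) > 1:
            findings.append((account, "multiple_keys", len(user_keys)))
        for k in user_keys:
            age_days = (now - parse_ts(k["validAfterTime"])).days
            if age_days > rotation_days:
                findings.append((account, "stale_key", key_id(k["name"])))
    return findings


if __name__ == "__main__":
    for account, kind, detail in audit_keys(CONSTRUCTED_KEYS, REFERENCE_NOW):
        print(f"{kind:14} {account}: {detail}")
```

A rotation job that creates the replacement key before deleting the old one will legitimately show two keys for a short window, so the `multiple_keys` finding is worth suppressing only while that job is running; a `stale_key` finding past the two-month bound is always a rotation miss.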


See the next slide on how to set up a Google Cloud account. Happy Learning 😊!!!

Reference: https://console.cloud.google.com/



