I generally divide the access problem into two separate parts. The first is access to the cloud account itself, which typically requires providing the cloud account credentials to each user requiring access. The second is access to individually running servers, which requires a system administrator to create accounts for each user. A third layer is added by the enStratus cloud management platform which I will discuss in a moment.
Each of these access levels carries with it security implications. In the first case, it is unwise to spread credentials of any kind among users even if they are trusted because of the tendency for shared credentials to be shared even further than the trusted circle.
enStratus removes the requirement for sharing cloud credentials by introducing a third layer of user management. The cloud management platform holds the cloud account credentials outside of the cloud in an encrypted database. Using enStratus, administrators can focus on access rights and permissions without having to worry about losing control of account credentials.
User management in enStratus is role-based and familiar to managers and system administrators. Securely adding remote access to individual servers for developers or administrators can be done quickly and reliably using the enStratus console. I grant remote access to a single user on a single server in this manner on a routine basis.
Integration into existing LDAP and Active Directory offerings enables seamless integration of user management in cloud infrastructure into traditional datacenters. When a user account is removed in Active Directory, for example, any corresponding cloud user accounts are removed.
To fully appreciate and leverage the power of user management in enStratus, I typically further divide users into groups and then grant them access permissions to specific cloud resources using the access rights enStratus assigns to cloud resources.
For example, the manager who asked me about managing users wanted to split his infrastructure into two parts, one for development and one for production, just as his company did in their own datacenter. I created two groups and configured the roles so that personnel in the development group could access only servers in their group, while production remained accessible only to a select subset of developers.
This concept can be expanded to create entire virtual departments analogous to traditional datacenter components. In another account I set up a database group, an applications group, and a security group. In this particular scenario, the security group was responsible for vetting servers and then making them available to the applications and database teams.
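To make the group and permission model concrete, here is an added toy implementation of my own (not enStratus code): user-to-group membership, group-to-server-group grants, the security group's vetting gate from the scenario above, and the directory sync that drops a cloud account when the user disappears from AD/LDAP. All names and the data layout are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model of the group/role scheme described above; not enStratus code.
@dataclass
class Server:
    name: str
    group: str            # owning group: "development" or "production"
    vetted: bool = False  # set by the security group before hand-off

@dataclass
class Account:
    users: dict = field(default_factory=dict)    # user -> set of groups
    servers: dict = field(default_factory=dict)  # server name -> Server
    grants: dict = field(default_factory=dict)   # group -> server groups it may reach
    def add_user(self, user, *groups):
        self.users[user] = set(groups)
    def grant(self, group, *server_groups):
        self.grants.setdefault(group, set()).update(server_groups)
    def vet(self, actor, server_name):
        # Only members of the security group may mark a server as vetted.
        if "security" not in self.users.get(actor, set()):
            return False
        self.servers[server_name].vetted = True
        return True
    def can_access(self, user, server_name):
        server, groups = self.servers.get(server_name), self.users.get(user)
        if server is None or not groups:
            return False  # unknown server, or a deprovisioned user
        if not server.vetted and "security" not in groups:
            return False  # unvetted servers are visible only to security
        allowed = set().union(*(self.grants.get(g, set()) for g in groups))
        return server.group in allowed
    def sync_from_directory(self, directory_users):
        # Mirror AD/LDAP: a user removed there loses the cloud account too.
        for user in list(self.users):
            if user not in directory_users:
                del self.users[user]

def build_example():
    # Constructed sample account: a dev/prod split plus a security group.
    acct = Account()
    for name, grp in (("dev-web-01", "development"), ("prod-db-01", "production")):
        acct.servers[name] = Server(name, grp)
    acct.add_user("alice", "development")
    acct.add_user("bob", "development", "production")
    acct.add_user("sec", "security")
    acct.grant("development", "development")
    acct.grant("production", "production")
    return acct
```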
Access and user management in the cloud can be secure and role-based using enStratus. By keeping credentials securely outside of the cloud and using groups and roles, managing access can be a successful endeavor.
enStratus, first time I heard it.
Posted by: tera gold | 07/25/2010 at 07:13 PM