Identity and Access Management (IAM)

1. What is IAM?

Identity and Access Management (IAM) is an important security tool in cloud computing, focusing on managing and controlling access to different resources in a cloud computing environment. It ensures that individuals or services have the appropriate permissions to access specific resources, while protecting against unauthorized access.

IAM is responsible for authenticating users, granting access to their resources, and maintaining a central repository for user identities and associated permissions. It plays an important role in enforcing the principle of least privilege, where users are granted only the minimum permissions necessary to perform their tasks, thereby minimizing the risk of unauthorized access and data breaches.

1. Importance of IAM in Cloud Services

IAM is the foundation for security and compliance in cloud services. In the cloud, resources are often accessed from anywhere, and security measures based on traditional access boundaries are inadequate. IAM addresses these challenges by providing granular control over access to cloud resources, regardless of their location or the devices used to access them.

By implementing IAM, organizations/enterprises can achieve the following benefits:

• Improved Security: IAM enforces strong authentication mechanisms and authorization policies, minimizing the risk of unauthorized access and data breaches.

• Compliance and Governance: IAM enables organizations to comply with regulatory requirements by controlling access to sensitive data and logging access requests.

• Simple User Management: IAM centralizes user management, making it easy to add, remove, or change user access across the cloud infrastructure.

• Access and Single Sign-On (SSO): IAM enables the integration of external identity providers, enabling single sign-on (SSO) for users and minimizing the need for multiple authentications.

1. Key Goals of IAM in VNG Cloud

IAM is a key component of the VNG Cloud security architecture, enhancing security and ensuring compliance with various regulations. Here is how IAM achieves these goals:

• Secure Authentication: IAM enforces strong authentication mechanisms, ensuring that only authorized users can access cloud resources.

• Authorization Control: IAM provides granular control over access through roles and policies, minimizing the risk of unauthorized access.

• Principle of Least Privilege: IAM adheres to the principle of least privilege, granting only the minimum permissions necessary for users to perform their tasks.

• Centralized User Management: IAM centralizes user and group management, simplifying access management.

• Auditing and Logging: IAM records administrative and access requests on resources, enabling comprehensive auditing and monitoring.

• Compliance Support: IAM helps meet compliance requirements by providing granular access control and access logging.

1. Key Features of IAM in VNG Cloud

VNG Cloud provides a robust IAM solution, allowing you to securely manage access to cloud resources. Some of the key IAM features in VNG Cloud include:

• User and Group Management: Create and manage IAM users and groups to control access to resources based on roles or responsibilities.

• Access Management: Define and attach policies to control permissions granted to users, groups, or service accounts.

• Custom IAM Policies: Write custom IAM policies to grant granular access control to resources.

• Identity Provider: Integrate VNG Cloud with external identity providers to simplify single sign-on (SSO) and user management.

1. IAM Concepts and Terminology

• Root User Account

A Root User Account is an entity you first create in VNG Cloud and use, which by default has full access to all VNG Cloud products/services and resources in that account.

• Users Accounts

IAM User Accounts represent individual identities associated with your Root User Account. An IAM User Account includes security credentials, such as a username and password, to authenticate its identity.

• Groups

IAM User Groups are groups of users who share similar access requirements. Grouping User Accounts simplifies permissions management by granting permissions to a Group instead of individual users.

• Policies

IAM Policies are JSON documents that define permissions and rules for accessing resources. These Policies are attached to IAM User Accounts, User Groups, and Service Accounts to control the actions they can perform on specific resources. IAM Policies follow the "allow" or "deny" principle, meaning they explicitly grant or deny access to resources and actions.

• Service Accounts

Service Account is an identity that you can create in your account that has specific permissions. A Service Account has some similarities to an IAM User Account. Service Accounts and IAM User Accounts are both identities with policies that define what the identity can and cannot do with VNG Cloud resources. However, a Service Account is an identity that is used by an application or machine, rather than an individual, to make authorized API calls and access specific resources.

• Identity Provider

Identity Provider allows you to integrate an external identity provider with VNG Cloud Services, allowing users to access cloud resources using existing credentials from the external identity provider. This eliminates the need for users to remember multiple sets of credentials for different systems and simplifies access management.

In VNG Cloud, you can install an Identity Provider by configuring the connection settings between the external Identity Provider and VNG Cloud. Once installed, users from the external identity provider can log in with their existing credentials to access resources in VNG Cloud.