Organizational policies in the cloud
1. Organizational policies in the cloud
As a security professional, you might be tasked with deciding how members of your organization can create and configure cloud resources. That’s where cloud organizational policies come in. A cloud organizational policy is a set of restrictions, or constraints on a specific cloud service or a list of services. Constraints restrict and control how you can configure cloud services and resources in your organization’s environment. There are different policy options available depending on your organization’s needs. Identity and access management, or IAM, focuses on who is allowed access to a resource. Organizational policy addresses what resource configurations are allowed in an organization or in a specific set of resources. Organizational policies can be set at resource hierarchy nodes including the organization, folder, or project level. By default, assets in the hierarchy inherit the policies of resources above them. All new resources created under a resource hierarchy node with a constraint set on it conform to the constraint. You can also set organizational policies using tags. Tags let you define groups of resources throughout a hierarchy and assign constraints to all resources in the group. Organizational policies help prevent security violations from happening by restricting actions that pose security risks, similar to guardrails on a highway. The policies enable people in your organization to work more quickly and securely with the confidence that the security team has authorized their access. If a restricted action is attempted, it’s recorded in an audit log and sent to Security Command Center, so that administrators can track restricted actions and follow up on any issues. Organizational policies let administrators enforce compliance at a higher level than IAM policies. Even in large-scale cloud environments, with thousands of resources created every day, organizational policies can help achieve compliance by restricting resource actions that do not fit within standards. A well-designed organizational policy can also prove to your auditors that your organization is complying with applicable standards. And, since organizational policies can prevent unnecessary resources from being created, they can be used to control costs. As I mentioned earlier, cloud organizational policy is a set of restrictions or constraints on a specific cloud service or a list of services. Now, let’s dive in a little deeper and discuss two constraint types: list and boolean. List constraints are rules that allow or disallow a set of values, and are useful when you need to specify the characteristics of resources created within your environment. For example, you might choose to enforce a constraint that prevents both public and anonymous access to Cloud Storage data. This would result in all created Cloud Storage resources becoming accessible only by a set of trusted accounts from a predefined list of domains. When a user tries to configure a resource to provide access to accounts from domains not on the list, they’ll receive an error code specifying which policy was violated, and account access will not be permitted. Boolean constraints are constraints that are either enforced or not enforced for a resource. They govern a specific behavior, and can be set to true or false. This is known as the disable automatic role. The disable automatic role is an example of a Boolean constraint because it grants access to default service accounts. Some cloud services automatically create default service accounts with the editor role. The editor role includes a large number of permissions, and can pose a security risk if an account is compromised. Using the constraint: “disable automatic role grants to default service accounts,” you can prevent new service accounts from automatically receiving the editor role when they’re created. This lets you choose which permissions to grant to service accounts either manually or by adding additional constraints to your organizational policy. Using organizational policies, you can be confident that your cloud environment will stay secure and in compliance, even at a large scale. The more you know, the more of an asset you can be to your team, your coworkers, and your organization. As a cloud security professional, your knowledge of organizational policies will help your teams configure resources securely.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.