Within the framework of a managed offer by Orange Business Services we consider two cases:
- The deployment of workloads in the Customer’s GCP Organization
- The deployment of workloads in OBS’s GCP organization
There are then three points to take into account when deploying GCP Security Native Services:
- How do we manage identification and authentication for OBS and for the Customer?
  - User identity,
  - Service account identity.
- How do we grant access rights to these identities (group identities, user identities and service account identities)?
- How do we make sure that the two previous points are audited periodically? Performing an access review on a periodic basis, and reporting on it to the customer, adds value to the offer.
As part of the NGOT (Next Generation Operation Tools) project, a durable and automated identity provider infrastructure is currently being developed, in order to ensure the assignment of rights to Managed Services' users.
This IAM infrastructure leverages Orange Business Services' HR processes to manage OBS users and their rights. Customer identities and rights can be managed as well using OBS' IAM infrastructure. Otherwise, co-managed identities and rights can be federated from OBS' IAM infrastructure, on the one hand, and from the customer's identity provider, on the other hand.
The client's landing zone includes a resource hierarchy in the client's organization, and in the gcp.orange-business.com organization, so that the client can be managed separately by OCB and by the client itself in case of need. The resources in gcp.orange-business.com are also used to automate the deployment of the client's infrastructure via IaC.
The resource hierarchy will be kept simple and concise, giving us a clear scoping of controls per environment type, and then, at the last level, per project. The 4 levels in bold hereunder are the standard design, in accordance with the Orange Group security standard. If there are more levels, the rules apply to all levels. Entities can have more than 4 levels.
- Customer folder (in the case of a fully managed offer) (1st level folder)
- Landing Zone management folder (2nd level folder)
- Environment and common folders (3rd level folder)
- Entity folder (4th level folder)
- Projects (5th level)
Identity and access management (IAM) covers products, processes, and policies used to manage user identities and regulate user access within an organization.
The implementation of the IAM policy follows the three principles hereunder:
- Least privilege: ensure that a user has the necessary and sufficient permissions according to their roles
- Isolation: make sure there is no access or even visibility possible from one identity provider to another
- Autonomy: limit the loss of time related to the acquisition of permissions
- Each IAM policy rule is supported by groups defined at the level to which the policy is relevant. The manager of each group is responsible for determining and populating its membership.
- The group name is prefixed according to the level to which the IAM policy rule belongs.
The following kinds of groups are currently defined:
4 privileged groups:
- admins (resource admins): who can create projects and folders
- security-admins: who can grant access by assigning IAM roles
- billing-account-users: who can assign a billing account to a project
- network administrators:
Least privileged groups:
- viewers: those who can see resources
- dev-ops: who can deploy as code, mainly by impersonating dedicated service accounts
- dev-apps: users with limited rights
- security-reviewers: who can review cloud security, mainly by viewing IAM role settings
IAM groups created by OBS IaC to efficiently manage privileges
According to the service class bought by the customer, the automated deployment scripts can be tailored to customer requirements. These solutions are designed and implemented through dedicated workshops with Orange Business Services.
Design of automated deployment processes and scripts encompasses the topic of the management of the secrets protecting dedicated service accounts.
Accounts and access rights review is an essential component of our IAM policy, closely linked to identity lifecycle management and account and rights provisioning.
It involves ensuring that the access rights of users of the information system are in conformity with what they should be, and certifying them, or – if necessary – carrying out remediation operations in the event of non-compliance with the client's authorization policy.
This activity is therefore part of a governance and control logic for authorizations, in order to provide the expected guarantees of compliance.
The accounts and access review is performed every six months, under the responsibility of the Business Security Officer. If the sold service does not include a BSO service, then the Service Delivery Manager is responsible for the accounts and access review.
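As an added example (not code from the document or from OBS tooling), the following Python check applies the group rules described above (rights granted through groups only, level-prefixed group names, privileged roles held only by the four privileged groups) to one IAM policy export, as a helper for the six-monthly access review. The level prefixes, the scope segment in the group name, the role-to-group mapping, the "network-admins" group name and the sample policy are assumptions constructed for this example.

```python
# Group kinds come from the landing-zone design; prefixes, scope segment and the
# "network-admins" name are assumptions made for this example.
PRIVILEGED_GROUPS = {"admins", "security-admins", "billing-account-users", "network-admins"}
LEAST_PRIVILEGED_GROUPS = {"viewers", "dev-ops", "dev-apps", "security-reviewers"}
ALL_GROUPS = PRIVILEGED_GROUPS | LEAST_PRIVILEGED_GROUPS
LEVEL_PREFIXES = {"cust", "lz", "env", "ent", "prj"}  # one prefix per hierarchy level (assumed)

# Privileged roles and the only group kind allowed to hold them (assumed mapping).
PRIVILEGED_ROLE_OWNER = {
    "roles/resourcemanager.projectCreator": "admins",
    "roles/resourcemanager.folderAdmin": "admins",
    "roles/resourcemanager.folderIamAdmin": "security-admins",
    "roles/billing.user": "billing-account-users",
    "roles/compute.networkAdmin": "network-admins",
}

def parse_group(member):
    """Return (level, kind) for a group named <level>-<scope>-<kind>@domain, else None."""
    if not member.startswith("group:"):
        return None
    local = member[len("group:"):].split("@", 1)[0]
    for kind in sorted(ALL_GROUPS, key=len, reverse=True):  # longest first: "security-admins" before "admins"
        if local.endswith("-" + kind):
            level = local.split("-", 1)[0]
            return (level, kind) if level in LEVEL_PREFIXES else None
    return None

def review_policy(policy, expected_level):
    """Check one IAM policy export (the JSON shape returned by get-iam-policy) and list review findings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            parsed = parse_group(member)
            if member.startswith("user:"):
                findings.append(f"{member} is bound directly to {role}; rights must go through a group")
            elif member.startswith("serviceAccount:") and role in PRIVILEGED_ROLE_OWNER:
                findings.append(f"{member} holds privileged role {role}; confirm it is a dedicated deployer account")
            elif member.startswith("group:") and parsed is None:
                findings.append(f"{member} does not follow the <level>-<scope>-<kind> naming rule")
            elif parsed:
                level, kind = parsed
                if level != expected_level:
                    findings.append(f"{member} is a {level}-level group bound on a {expected_level}-level resource")
                if role in PRIVILEGED_ROLE_OWNER and kind != PRIVILEGED_ROLE_OWNER[role]:
                    findings.append(f"{role} may only be held by {PRIVILEGED_ROLE_OWNER[role]}, found {kind} ({member})")
    return findings

SAMPLE_POLICY = {"bindings": [  # constructed export of a 3rd-level (environment) folder policy
    {"role": "roles/resourcemanager.projectCreator", "members": ["group:env-prod-admins@example.com"]},
    {"role": "roles/resourcemanager.folderIamAdmin",
     "members": ["group:env-prod-security-admins@example.com", "user:alice@example.com"]},
    {"role": "roles/billing.user", "members": ["group:env-prod-dev-ops@example.com"]},
    {"role": "roles/viewer", "members": ["group:env-prod-viewers@example.com",
                                         "group:ent-payments-viewers@example.com", "group:prod-ops@example.com"]}]}

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY, "env"):
        print(finding)
```

On the sample policy the check reports four items: a user bound directly, a billing role held by dev-ops, an entity-level group bound at environment level, and a group that does not follow the naming rule.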
Standard workloads running on traditional VMs are based on hardened OS images, and centralized patch management is performed on them. When the workload is containerized, OBS can perform the equivalent of patch management, provided that it has responsibility for and control over the building of the baseline image.