Drawn from chapter 8 of the CompTIA Cloud+ Study Guide (Montgomery, 2016).
Access Control Lists
An access control list (ACL) provides the ability to selectively filter traffic by either permitting or denying Ethernet traffic between network segments. This packet filtering capability provides an additional layer of security when combined with other security systems such as firewalls, intrusion detection and prevention systems, and advanced authentication systems. When using an access control list, we can create security rules on our network.
ACLs are an ordered list of permit and deny statements that are compared to the network traffic passing through them. When a rule is matched, the action is taken on the LAN traffic, and no further ACL processing is performed. A rule base is configured that specifies any number of parameters that usually include a source or destination IP address or an application such as HTTP or SMTP. Then the ACL is applied to a network interface to filter LAN traffic that is either entering or exiting that interface.
Some of the uses of an ACL are to permit or deny incoming traffic based on the remote IP subnet range to a server, VM, or application; blacklist IP addresses; create multiple permit or deny rules per endpoint; or control traffic that matches the security policy of your company. Once you create an ACL policy, you apply it to a network device, firewall, or virtual machine endpoint.
The packet filtering takes place on the network device or the host node of your VM depending on its placement. Traffic entering the cloud datacenter can be blocked by the network by matching ACL rules instead of your VM having to process the traffic filtering. By default, network equipment will not have any ACLs configured, and all LAN traffic is permitted to the endpoint. When an ACL is defined and applied to an interface, all LAN traffic passing through that interface will be investigated and either allowed through or dropped. It therefore becomes very important to create the ACL permit/deny rules and place them in the proper order for what you are trying to accomplish.
ACLs offer the ability to create granular rules that allow complete control over the network traffic. This lets you choose which devices and protocols are allowed or denied access to the network resources on the other side of the ACL. With most ACL implementations, there will be a combination of permit and deny statements with the implicit “deny all” at the end. Ethernet traffic is evaluated from the top of the ACL list to the bottom until a match occurs and action is taken. It should be noted that merely configuring an ACL on a switch or router has no effect until the ACL is applied to an interface in either the outbound or inbound direction.
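As an added example (not code from the study guide), the following models the top-to-bottom, first-match evaluation with the implicit deny all at the end, and adds a check that flags rules which can never fire because an earlier, broader rule already covers them. The rule fields, addresses, and packets are constructed for illustration and do not follow any vendor's ACL syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    # One ACL line (constructed model, not vendor syntax)
    action: str                  # "permit" or "deny"
    src: str                     # source prefix in CIDR form, or "any"
    dst: str                     # destination prefix in CIDR form, or "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    @staticmethod
    def _net(prefix):
        return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix)

    def matches(self, pkt):
        # pkt: {"src": ip, "dst": ip, "proto": str, "dport": int or absent}
        return (ipaddress.ip_address(pkt["src"]) in self._net(self.src)
                and ipaddress.ip_address(pkt["dst"]) in self._net(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

    def covers(self, other):
        """True if every packet matching 'other' also matches this rule."""
        return (self._net(other.src).subnet_of(self._net(self.src))
                and self._net(other.dst).subnet_of(self._net(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

def evaluate(acl, pkt):
    """Top-to-bottom, first match wins; implicit deny all if nothing matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def shadowed(acl):
    """Rules that can never fire because an earlier rule already covers them."""
    return [later for i, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:i])]

# Constructed sample: one branch subnet may reach the web server over HTTPS,
# the rest of the corporate range is blocked, everyone else gets HTTPS only.
WEB = "192.0.2.10/32"
GOOD_ORDER = [Rule("permit", "10.1.5.0/24", WEB, "tcp", 443),
              Rule("deny", "10.1.0.0/16", WEB),
              Rule("permit", "any", WEB, "tcp", 443)]
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]  # deny moved above permit
BRANCH_HTTPS = {"src": "10.1.5.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
```

With the deny moved above the branch permit, `evaluate(BAD_ORDER, BRANCH_HTTPS)` returns "deny" and `shadowed(BAD_ORDER)` reports the permit that can no longer be reached.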
Storage Access Control Lists
A storage access control list (ACL) is a security mechanism that consists of an ordered list of permit and deny statements to secure access to storage resources in the cloud by explicitly either permitting or denying access to storage resources. Controlling access to storage with the use of ACLs is very similar to the use of ACLs for Ethernet switches, routers, and firewalls that you learned about in the previous section. You can selectively permit or deny access to storage objects. Each storage object can have an ACL that defines which remote devices can access it and what rights are granted. For example, a specific user group can be allowed only read access to a storage bucket in the cloud storage system, whereas another group can perform both read and write operations on the same bucket. A customer who has authenticated on your website may then become a member of the authenticated users group and be allowed to access storage resources on a specific volume based on the configuration of that volume’s ACL. Groups can be defined as everyone, authenticated users, anonymous users, administrators, or whatever your organization requires. These groups are then filtered using an ACL to allow read, write, and full control to storage system objects.
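As an added example (not code from the study guide), the following applies the same ordered permit/deny evaluation to storage objects, with the built-in groups named above (everyone, authenticated users, anonymous users, administrators) and read, write, and full control rights. The bucket ACLs, principals, and group names are constructed for illustration.

```python
from dataclasses import dataclass

# Rights conveyed by each ACL right keyword: full control implies read and write.
RIGHTS = {"read": {"read"}, "write": {"write"}, "full": {"read", "write", "full"}}

@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool
    groups: frozenset = frozenset()   # explicit group memberships

    def member_of(self, group):
        # Built-in groups derive from authentication state; others are explicit.
        if group == "everyone":
            return True
        if group == "authenticated users":
            return self.authenticated
        if group == "anonymous users":
            return not self.authenticated
        return group in self.groups

@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    group: str    # group the entry applies to
    right: str    # "read", "write" or "full"

def allowed(acl, principal, right):
    """Ordered first-match check; anything left unmatched is implicitly denied."""
    for entry in acl:
        if principal.member_of(entry.group) and right in RIGHTS[entry.right]:
            return entry.action == "permit"
    return False

# Constructed bucket ACLs. Denying anonymous users first guarantees that a
# later, broader permit (such as the "everyone" entry) cannot expose the bucket.
ORDERS_BUCKET = [Entry("deny", "anonymous users", "full"),
                 Entry("permit", "administrators", "full"),
                 Entry("permit", "authenticated users", "read"),
                 Entry("permit", "everyone", "read")]
MISORDERED = ORDERS_BUCKET[1:] + ORDERS_BUCKET[:1]   # deny moved to the end
PUBLIC_ASSETS = [Entry("permit", "everyone", "read")]

ANON = Principal("visitor", authenticated=False)
CUSTOMER = Principal("alice", authenticated=True)      # joined "authenticated users" at login
ADMIN = Principal("ops", authenticated=True, groups=frozenset({"administrators"}))
```
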
User and Host Authentication
Authentication is the process of determining the identity of a client, usually by a login process. By authenticating the user, you learn the identity of that user and can authorize or grant permissions to cloud resources by either allowing or denying access to specific resources. User authentication usually consists of a username and password combination or some variation of that, such as a token or biometric access method.
Cookies can be used for web access to identify and authenticate a user connecting to your website. For example, a visitor to your e-commerce site may be prompted initially for a username and password through their browser. Once authentication is completed, a cookie is stored in the local computer with an identity token that will grant authorization to their account.
Servers such as virtual machines and the applications hosted on the servers may also be required to authenticate with other applications. They use a service account and can authenticate using APIs, a form of application-to-application communications based on standard programmable interfaces such as XML and JSON.
Montgomery, T. (2016). CompTIA Cloud+ Study Guide: Exam CV0-001. Indianapolis, IN: John Wiley & Sons. ISBN 978-1119243229
For this final piece to your cloud migration project proposal, in a 3 page APA-formatted paper address your security management plan for the cloud migration. For example, if you are migrating to a cloud storage environment, address how the ACL will be created and maintained. If you are implementing an IAAS environment, address how the cloud infrastructure will be secured, both electronically and physically. If you are implementing a PAAS solution, address how security controls will be included in the program interface.