O'Reilly's Automating Security in the Cloud

Issue link: https://resources.threatstack.com/i/872576


Page 12 of 32

assets in the AWS account". Therefore, it is recommended that control of this degree of security criticality should be divided among multiple individuals within an organization, in a manner such that no individual retains enough control over IAM to "rewrite themselves to root". The use of roles is recommended for security-sensitive capabilities, as the act of assuming a role generates a set of ephemeral credentials using the Security Token Service (STS), and these credentials - being a token, an Access Key and a Secret Access Key - are needed to make API calls in the context of the role.

Multi-factor authentication

MFA, also called two-factor authentication or two-step verification, is an approach to authentication which requires the presentation of two or more of the three authentication factors:

- A knowledge factor (something only the user knows)
- A possession factor (something only the user has)
- An inherence factor (something only the user is)

After presentation, each factor must be validated by the other party for authentication to occur. Two-factor authentication is not a new concept, having been used throughout history. When a bank customer visits a local automated teller machine (ATM), one authentication factor is the physical ATM card the customer slides into the machine (something the user has). The second factor is the PIN the customer enters through the keypad (something the user knows). Without the corroborating verification of both of these factors, authentication does not succeed. This scenario illustrates the basic concept of most two-factor authentication systems: the combination of a knowledge factor and a possession factor.

Multi-factor authentication (MFA) in the cloud

Several cloud service providers offer multi-factor authentication, either as soft (virtual) MFA or as hardware (physical) MFA such as RSA or Gemalto tokens and U2F (Universal 2nd Factor) devices. Virtual MFAs can be used on your smartphones, tablets, or computers. Most virtual MFAs use the open-standard Time-Based One-Time Password (TOTP) algorithm. TOTP is an example of a hash-based message authentication code (HMAC): it combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password.

Identity & Access Management (IAM) | 11
