Sunday, June 4, 2017

Access Management

Access Management should (depending on the business and security requirements, and on the type of cloud model being deployed: IaaS, PaaS, or SaaS) govern access to the:


  • Network layer. Without meeting the entitlement rules it may not even be possible to "see" (i.e. Ping or route) to the cloud system. The entitlement rule may also direct access to particular interfaces.
  • System layer. The entitlement rules may define the protocols that are permitted to access and modify systems, such as terminal server vs. web.
  • Application layer. The entitlement rules may map Identity and/or Attributes to functionality provided by a specific application, such as being presented with a reduced set of menus or options.
  • Process layer. The entitlement rules can be used to define the processes (or functions) that can be run within an application. Entitlement may also define that enhanced functions (such as transferring money out of the ecosystem) need additional verification (which may be obtained directly or derived in the background).
  • Data layer. The entitlement rules may limit access to areas of the data and file structure or even individual files or fields within files (e.g., in a database). At a more advanced level, entitlement could be used to auto-redact documents, such that two users accessing identical documents would view different contents (e.g., constructing a specific dynamic view of a database table).
The entitlement process starts with the customer turning business requirements and security requirements into a set of entitlement rules. This process defines the identities and attributes required to evaluate the rules. These rules in turn drive the authorization/access system.
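To make the layered model concrete, the following is an added example (not code from the CSA guidance or from this post) of a small attribute-based entitlement evaluator. It takes a principal's identity and attributes, applies network, application, process and data layer rules in turn, and shows the "step-up" verification for an enhanced function and the per-user redaction of a shared record. The roles, networks, functions, field names and the sample record are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An authenticated identity plus the attributes the rules are evaluated on."""
    user_id: str
    role: str
    src_net: str          # network the request arrived from (constructed label)
    mfa_verified: bool    # whether a second factor was completed in this session


# Network layer: requests from any other source network are refused before
# they are routed to the application at all.
ADMITTED_NETWORKS = {"corp", "vpn"}

# Application layer: role -> the functions (menu items) exposed to that role.
ROLE_FUNCTIONS = {
    "teller":  {"view_balance", "deposit", "transfer_external"},
    "auditor": {"view_balance"},
}

# Process layer: enhanced functions that need additional verification.
STEP_UP_FUNCTIONS = {"transfer_external"}

# Data layer: fields a role may see; every other field is redacted on output.
ROLE_FIELDS = {
    "teller":  {"account", "balance", "owner"},
    "auditor": {"account", "balance"},
}
REDACTED = "[redacted]"


def network_admitted(p: Principal) -> bool:
    """Network layer check: can this principal even reach the service?"""
    return p.src_net in ADMITTED_NETWORKS


def visible_functions(p: Principal) -> set:
    """Application layer: the reduced set of functions this principal is shown."""
    if not network_admitted(p):
        return set()
    return set(ROLE_FUNCTIONS.get(p.role, set()))


def authorize(p: Principal, function: str) -> tuple:
    """Evaluate the layered rules for one function call.

    Returns (decision, reason); decision is "deny", "step_up" (permitted only
    after additional verification) or "allow".
    """
    if not network_admitted(p):
        return ("deny", "network: source %s not entitled" % p.src_net)
    if function not in ROLE_FUNCTIONS.get(p.role, set()):
        return ("deny", "application: %s not available to role %s" % (function, p.role))
    if function in STEP_UP_FUNCTIONS and not p.mfa_verified:
        return ("step_up", "process: %s requires additional verification" % function)
    return ("allow", "all layers satisfied")


def render_record(p: Principal, record: dict) -> dict:
    """Data layer: the caller's view of a record, with non-entitled fields
    redacted, so two users reading the same record see different contents."""
    allowed = ROLE_FIELDS.get(p.role, set())
    return {k: (v if k in allowed else REDACTED) for k, v in record.items()}


# Constructed sample data.
SAMPLE_RECORD = {"account": "ACC-0001", "balance": 1250.00, "owner": "J. Doe"}
TELLER = Principal("alice", "teller", "corp", mfa_verified=False)
AUDITOR = Principal("bob", "auditor", "vpn", mfa_verified=True)
OUTSIDER = Principal("mallory", "teller", "internet", mfa_verified=True)

if __name__ == "__main__":
    for p in (TELLER, AUDITOR, OUTSIDER):
        print(p.user_id, "functions:", sorted(visible_functions(p)))
        print(p.user_id, "transfer_external ->", authorize(p, "transfer_external"))
        print(p.user_id, "record view:", render_record(p, SAMPLE_RECORD))
```

The evaluation order matters: the network rule is checked first so that a principal who is not entitled to reach the system never gets an application-level answer, and the step-up decision is returned as a distinct outcome rather than a denial so the caller can obtain the additional verification and retry.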

Reference from CSA Security Guidance for Critical Areas of Focus in Cloud Computing V3.0.
