Introduction
Now that you know how to provision and manage cloud resources, the next step is to learn how to manage who has access to those resources. First, we must be able to identify each user who accesses an organization's cloud resources. Second, administrators must have the power to define permissions so the system can decide whether to allow access to occur. "Access" could mean modifying a VM, deleting a VM, or simply determining whether the VM exists.
The security goal is to enable users to access the resources that they need to access to do the job functions assigned to them and nothing more. A database administrator might require permission to add a table to a database that she owns, but she probably shouldn't be allowed to modify (or delete) the VM that hosts the database or the network the VM is part of.
The concept of digital identity -- assigning an identity such as "Bob" or "Alice" to a user who accesses a cloud resource or logs into a web site -- is multifaceted, and many different solutions exist. The "right" solution is scenario-dependent. For example, a public-facing web site that requires users to log in to access certain pages, such as ones containing paid articles, needs an identity system that allows users outside the organization to create accounts and log in. By contrast, users who access an organization's cloud resources should be identified by the organizational accounts assigned to them by their IT staff, and outside access must be controlled carefully.
In this module, we'll examine the core concepts behind identity in the digital realm. We'll discuss the kinds of entities that can be assigned identities, including users, groups, and applications. And we'll learn about techniques for extending a person's identity so that, for example, Alice can use her organizational credentials to access on-premises resources and cloud resources.
Finally, we'll introduce the concept of role-based access control (RBAC) and see how it's used by cloud service providers. RBAC allows customers to govern access to the resources that they provision. It's the primary mechanism cloud administrators use to apply permissions to cloud resources and define what users are and aren't allowed to do with individual resources or groups of resources. And it will play a central role in your future as a cloud administrator.
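To make the least-privilege goal and the RBAC mechanism concrete, here is a small evaluator added for this module. It is not any cloud provider's code or API; it assumes a hypothetical model in which scopes form a hierarchy written as slash-separated paths, a role assignment made at a scope is inherited by everything beneath it, principals can be users or groups, and access is denied unless some assignment grants the requested action. The roles, scope paths, users and group memberships are constructed sample data for the database-administrator scenario described above.

```python
# Hypothetical minimal RBAC evaluator (added example, not a cloud provider's implementation).
# Assumptions: hierarchical scope paths, inheritance of assignments down the hierarchy,
# group membership expands a user's identities, and deny-by-default evaluation.

from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    actions: frozenset  # actions this role permits, e.g. "database/tables/write"


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group, or application identity
    role: Role
    scope: str      # scope path at which the role was assigned


# Constructed roles for the scenario in the text: a DBA who may add tables to her
# own database but must not be able to touch the VM hosting it or its network.
DB_CONTRIBUTOR = Role("Database Contributor", frozenset({"database/read", "database/tables/write"}))
READER = Role("Reader", frozenset({"vm/read", "database/read", "network/read"}))
VM_CONTRIBUTOR = Role("VM Contributor", frozenset({"vm/read", "vm/write", "vm/delete"}))


def scope_covers(assigned: str, requested: str) -> bool:
    """True if the requested scope is the assigned scope or lies beneath it.

    The trailing "/" check matters: an assignment on ".../db-orders" must not
    leak onto a sibling such as ".../db-orders-archive".
    """
    assigned = assigned.rstrip("/")
    return requested == assigned or requested.startswith(assigned + "/")


def is_allowed(assignments, principal, action, scope, group_memberships=None) -> bool:
    """Deny by default; allow only if some assignment for the principal (or a group it
    belongs to) grants the action at a scope that covers the requested scope."""
    identities = {principal} | set((group_memberships or {}).get(principal, ()))
    for a in assignments:
        if a.principal in identities and action in a.role.actions and scope_covers(a.scope, scope):
            return True
    return False


# Constructed sample tenant: Alice is the DBA of one database, Bob manages the host VM,
# and everyone in the "ops" group can read anything under the subscription.
ASSIGNMENTS = [
    Assignment("alice", DB_CONTRIBUTOR, "/sub1/rg-data/db-orders"),
    Assignment("ops", READER, "/sub1"),
    Assignment("bob", VM_CONTRIBUTOR, "/sub1/rg-data/vm-dbhost"),
]
GROUPS = {"alice": {"ops"}, "bob": {"ops"}}


def check(principal: str, action: str, scope: str) -> bool:
    """Evaluate one access request against the constructed tenant."""
    return is_allowed(ASSIGNMENTS, principal, action, scope, GROUPS)


if __name__ == "__main__":
    # Alice may add a table to her database (inherited from the database-level assignment).
    print(check("alice", "database/tables/write", "/sub1/rg-data/db-orders/tables/customers"))  # True
    # She may look at the VM (via the ops group's Reader role) but not delete it.
    print(check("alice", "vm/read", "/sub1/rg-data/vm-dbhost"))    # True
    print(check("alice", "vm/delete", "/sub1/rg-data/vm-dbhost"))  # False
    # Her database role does not spill onto a sibling resource with a similar name.
    print(check("alice", "database/tables/write", "/sub1/rg-data/db-orders-archive"))  # False
```

The design choice worth noticing is that nothing in the evaluator grants access unless an assignment explicitly does, and assignments are scoped: placing Alice's role on the database rather than on the resource group is what keeps her from modifying the VM or the network, which is exactly the "what they need and nothing more" goal stated above.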