ChatOps for production access control

This article describes how ChatOps can be used to implement access control for production environments, using automated workflows to keep team collaboration both secure and efficient. ChatOps combines chat platforms with operational tooling, letting team members manage permissions and run tasks in a controlled environment.


Access control is a key component of data security. In simple terms, access control means regulating who has the ability to access resources in a computing environment. At Policygenius, we implemented an access control policy around our Google Cloud resources following the principle of least privilege.


The principle of least privilege promotes minimal user privileges on computing resources, based on users’ job necessities. Ideally, each user should have the least authority necessary to perform their duties. This helps reduce the “attack surface” of the computing resources by eliminating unnecessary privileges that can result in network exploits and system compromises.


Weighing our options

The main requirement was to have an approval workflow where an engineer would only be able to access the Google Cloud Platform (GCP) resources after management approval and only for a limited amount of time. Additionally, we wanted to log all of the related activity and store them for auditability.


One potential solution was using an emergency access account aka break glass account. We looked into HashiCorp Vault’s open-source solution to safeguard the shared account’s password. This solution does not offer an approval workflow, one of the key requirements of our endeavor. Also, a common account would make it challenging to trace actions back to an actual user.


Another suitable option was Gimme, an open-source access control solution developed by Spotify. Google recently released a feature called IAM Conditions (beta at the time) which gives us the capability
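The requirements listed under "Weighing our options" (management approval before access, a fixed time window, and an audit trail of every action) and the time-bound IAM Conditions mentioned just above can be sketched as a small broker that a chat bot would call. This is an added example in Python, not Policygenius code or Gimme; the class and method names are assumptions, and no GCP API is called. The only part tied to a real interface is the condition expression `request.time < timestamp("...")`, which is the documented form of a time-bound IAM condition that would be attached to the binding.

```python
"""Model of a ChatOps-driven approval workflow for time-limited access.

Added example, not Policygenius code. AccessBroker, AccessRequest and
their methods are assumptions for illustration; resource and role values
used below are constructed. No GCP API calls are made, so this runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class AccessRequest:
    request_id: int
    requester: str
    resource: str            # e.g. "projects/example-project" (constructed)
    role: str                # e.g. "roles/viewer"
    duration: timedelta
    state: str = "pending"   # pending -> approved -> expired, or pending -> denied
    approver: Optional[str] = None
    expires_at: Optional[datetime] = None


class AccessBroker:
    """Holds requests and an append-only audit log of every state change."""

    def __init__(self, managers, max_duration: timedelta = timedelta(hours=4)):
        self.managers = set(managers)      # who is allowed to approve
        self.max_duration = max_duration   # hard cap on any single grant
        self.requests: Dict[int, AccessRequest] = {}
        self.audit_log: List[dict] = []
        self._next_id = 1

    def _log(self, event: str, req: AccessRequest, actor: str, **extra) -> None:
        # Every transition records who acted and on whose behalf, so actions
        # trace back to a named user rather than a shared account.
        self.audit_log.append({
            "event": event, "request_id": req.request_id, "actor": actor,
            "requester": req.requester, "resource": req.resource,
            "role": req.role, **extra,
        })

    def request_access(self, requester, resource, role, duration) -> AccessRequest:
        # Triggered by a chat command such as "/access <resource> <role> 1h".
        if duration > self.max_duration:
            raise ValueError("requested duration exceeds the policy maximum")
        req = AccessRequest(self._next_id, requester, resource, role, duration)
        self._next_id += 1
        self.requests[req.request_id] = req
        self._log("requested", req, requester)
        return req

    def approve(self, request_id, approver, now: datetime) -> AccessRequest:
        req = self.requests[request_id]
        if approver not in self.managers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == req.requester:
            raise PermissionError("self-approval is not allowed")
        if req.state != "pending":
            raise ValueError(f"request {request_id} is {req.state}, not pending")
        req.state = "approved"
        req.approver = approver
        req.expires_at = now + req.duration
        self._log("approved", req, approver, expires_at=req.expires_at.isoformat())
        return req

    def deny(self, request_id, approver) -> AccessRequest:
        req = self.requests[request_id]
        if approver not in self.managers or req.state != "pending":
            raise PermissionError("cannot deny this request")
        req.state = "denied"
        self._log("denied", req, approver)
        return req

    def iam_condition(self, request_id) -> dict:
        """Condition to attach to the IAM binding so it lapses on its own."""
        req = self.requests[request_id]
        if req.state != "approved":
            raise ValueError("only approved requests produce a binding")
        ts = req.expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"title": f"chatops-request-{req.request_id}",
                "expression": f'request.time < timestamp("{ts}")'}

    def expire(self, now: datetime) -> List[int]:
        """Mark lapsed grants expired; returns the ids that changed state."""
        expired = []
        for req in self.requests.values():
            if req.state == "approved" and req.expires_at <= now:
                req.state = "expired"
                self._log("expired", req, "system")
                expired.append(req.request_id)
        return expired

    def has_access(self, user, resource, role, now: datetime) -> bool:
        self.expire(now)
        return any(r.state == "approved"
                   and (r.requester, r.resource, r.role) == (user, resource, role)
                   for r in self.requests.values())
```

The broker enforces the two properties the article asks for at the point of approval rather than trusting the bot's callers: the approver must be a manager and may not be the requester, and no grant can outlive `max_duration`. Expiry is checked lazily on every access query, and the same timestamp is emitted as an IAM condition so the cloud side drops the binding even if the bot is down when the window closes.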
