Public cloud storage providers such as Amazon S3, Google Cloud Storage, and Rackspace Cloud Files provide practically infinite storage capacity for enterprise data centers. A secure scale-out of corporate data storage by using public cloud providers requires traversing the public-private cloud boundary. Identity management is a crucial aspect of enabling this boundary traversal for companies that want to retain control of their identities regardless of the public cloud storage provider they choose.
For a public-private hybrid cloud storage model to successfully exist, the following three conditions must be met:
- High-performance, seamless data movement between enterprise and public cloud providers.
- Identity and access control of applications and users across public-private cloud boundaries.
- Granular encryption of data that prevents intentional or unintentional enterprise data leak.
Forum Sentry Cloud Controller meets all three conditions with extensive integration capabilities that virtualizes corporate data for external cloud storage. Deployed and managed by the enterprise, Forum Sentry Cloud Controller provides secure, built-in integrations for the major cloud storage providers, enterprise identity management systems, and strong, granular encryption technology. In this article, we show how to setup identity and management control for accessing Amazon S3 cloud storage. To follow this article, please:
- Install Forum Sentry Cloud Controller
- Configure Users, Groups and ACLs
- Create Amazon S3 account and obtain AWS Credentials (AWS Access Key Id, AWS Secret Key)
Using the web-based administrative console for Forum Sentry Cloud Controller, navigate to GATEWAY–>Network Policies–>Amazon S3 and configure the policy as shown above. You can configure SSL policies for both outbound connections to Amazon S3 and inbound connections to FS Cloud Controller by following Key Generation and SSL Policies for Securing your APIs.
With the outbound connection to Amazon S3 configured, next the enterprise listener policy is configured using GATEWAY–>Network Policies as show in the screenshot above. Notice that the password authentication has been enabled.
Next, select GATEWAY–>REST Policies to tie enterprise listener to Amazon S3 as shown above. This additional step provides the flexibility to tie different enterprise application (HTTP, FTP, JMS) and storage (NFS, iSCSI) protocols to Amazon S3 so as to virtualize the corporate data into a unified public cloud storage container.
We are now ready to lock down access to cloud storage by associating TestACLNarrow to the Enterprise-to-Amazon Virtual Directory shown above. Simply click on this Virtual Directory and select the ACL in the ACL Policy drop down list. Once selected, the storage to Amazon S3 is now secure and cannot be accessed without providing credentials (testuser1 or testuser2; password) that are validated by Forum Sentry Cloud Controller. Point your browser to the Virtual URI shown in the screen above (your IP address or Domain Name will be different). The browser now displays a request for user id and password before allowing access to Amazon S3 storage via Forum Sentry Cloud Controller.
This exercise uses on-board identities, however, the functionality is fully available for off-board identity stores such as Microsoft Active Directory, LDAP, Kerberos, CA SiteMinder, RSA ClearTrust, IBM TAM and any custom identity store deployed by the enterprise.