So-called agile environments, such as virtualized, cloud-based (e.g., private, hybrid, public), and other environments that are defined, provisioned/de-provisioned and managed by software, just-in-time or rapidly, need to be properly secured against unauthorized access/exploitation. They should also have suitable security measures in place to ensure business continuity, compliance, and governance by proactively mitigating risks/threats resulting from both malicious attacks and inadvertent errors. One such measure is to have rich, fine-grained authorization policies in place (e.g., role-based access controls and/or attribute-based access controls) to suitably limit/restrict administrative access to resources and the operations on them, where an administrator may be a human, a computer system, or a combination of both. Existing security platforms and cloud management platforms offer such abilities, although in limited form. For example, existing systems are restricted to use with environments that are homogeneous in nature, where an enterprise relies on only one cloud virtualization technology and/or only one cloud provider for all its needs.
Recently, however, enterprises have moved away from homogeneous environments towards heterogeneous and/or multi-cloud environments. Such trends in resource deployment reflect the fact that cost savings, operational efficiency, security, availability, and reliability are all enhanced through such means. In addition, emerging technologies such as application containers and software-defined networking (SDN) further simplify the adoption of hybrid (e.g., multi-cloud) environments.
The trend toward using heterogeneous agile environments has created a new set of challenges for administrators and auditors. With respect to managing authorization policies, administrators must now understand the different tools used to manage such environments and suitably configure authorization policies using each of those tools. Because the different environments employ different user interfaces, application programming interfaces, and resources, the administrator's task is made significantly more complex than when homogeneous environments were the norm. To make matters worse, there tends to be no consistency in terminology or representation of any given resource across different agile environments. For example, what is termed a virtual machine in one environment may be classified as a server in another. An inexperienced administrator may fail to recognize that these entities perform similar functions and, accordingly, may leave one or the other exposed or unusable through improper configuration. Further, the operations that can be performed on resources may not be the same across the different environments, and, even where they are the same, the operations may be named differently, again presenting difficulties for the administrator. As if this were not complex enough, the granularity of the operations that can be performed on different or even similar resources in different environments may diverge significantly, such that consistent separation of duties may not be achievable, or may be overly complex to configure correctly.
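The terminology problem described above can be made concrete with a small policy evaluator. This is an added example, not part of the original text: the two providers ("provA", "provB"), their resource and operation vocabularies, and the roles are all constructed here to show how a policy written in one provider's terms silently fails to cover the equivalent resource in another, and how a canonical mapping with deny-by-default evaluation avoids that.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed vocabularies for two hypothetical providers: the same kind of
# resource and the same operation carry different names in each environment.
CANONICAL_RESOURCE = {
    ("provA", "virtualMachine"): "compute-instance",
    ("provB", "server"): "compute-instance",
    ("provA", "volume"): "block-storage",
    ("provB", "disk"): "block-storage",
}
CANONICAL_OPERATION = {
    ("provA", "reboot"): "restart",
    ("provB", "restart"): "restart",
    ("provA", "destroy"): "delete",
    ("provB", "terminate"): "delete",
}

# Role-based policy expressed once, in canonical terms, for every provider.
ROLE_PERMISSIONS = {
    "operator": {("compute-instance", "restart")},
    "owner": {("compute-instance", "restart"), ("compute-instance", "delete"),
              ("block-storage", "delete")},
}


@dataclass(frozen=True)
class Request:
    role: str
    provider: str
    resource: str    # provider-native resource type name
    operation: str   # provider-native operation name


def normalize(req: Request) -> Optional[Tuple[str, str]]:
    """Map a provider-native request to its canonical (resource, operation) pair."""
    res = CANONICAL_RESOURCE.get((req.provider, req.resource))
    op = CANONICAL_OPERATION.get((req.provider, req.operation))
    if res is None or op is None:
        return None  # unmapped vocabulary: fail closed instead of guessing
    return res, op


def is_authorized(req: Request) -> bool:
    """Deny by default; permit only when the canonical pair is in the role's set."""
    canon = normalize(req)
    return canon is not None and canon in ROLE_PERMISSIONS.get(req.role, set())


def naive_is_authorized(req: Request) -> bool:
    """Policy written only in provider A's terms: the equivalent provB request is missed."""
    naive = {"operator": {("virtualMachine", "reboot")}}
    return (req.resource, req.operation) in naive.get(req.role, set())
```

Running both evaluators on an "operator" reboot request shows the gap: the naive policy permits it on provA but denies the same action on provB's "server", leaving that resource unusable for the role, while the canonical policy treats both consistently and still refuses unmapped resource names.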