Successful Practices and Typical Cases

Successful Practices

First, change login passwords regularly. Passwords should include uppercase and lowercase letters, numbers, and special characters, and should not contain common English words. The administrator can enable periodic password changes for specified accounts.

Second, follow the principle of least privilege. When assigning a role to a member, grant only the role that meets their work needs. For example, if an operations and maintenance engineer in your company only needs to view the load on all cloud hosts, grant them only the “Read-only for Cloud Host” role.

Third, enable API access control so that only your company's egress IP, rather than all IPs, can manage cloud resources through the API. You can configure this in the API product, in the API key settings.

Typical Cases

Xiaoming was a key engineer at a high-tech company who decided to start a business with a few old friends. When the company was founded, Xiaoming registered an account (devops@xnasa.com) on UCloud Global on a friend's recommendation and tried cloud products such as UHost, EIP, and UDB. After several evaluations, he chose UCloud Global as his cloud service provider and renewed the UHost, EIP, and UDB resources he had tried for one year, which qualified him for the promotion of buying 10 months and getting 2 months free.

1. Security above all

The hardship of starting a business is self-evident. Seven or eight people were crammed into a room of a few dozen square meters. After a few months of hard work, the new product finally launched and the market's reaction was good. Xiaoming considered that the account password was very likely to be leaked, and that a leak would have an unimaginable impact on the company's future.

After consulting UCloud Global's technical support, Xiaoming learned that UCloud Global provides two forms of two-factor login: TOTP dynamic codes and scan-code login from a mobile phone. Once two-factor authentication is enabled, logging in to UCloud Global with an account password also requires an authentication code, and access is granted only after the system determines that the code is valid. It is recommended to use the dynamic token binding function of the UCloud Global APP; you can also bind your account with other dynamic token tools based on the TOTP algorithm, such as Google Authenticator, FortiToken, and the WeChat applet “Two-factor Authentication Code”. Scan-code login is even more convenient: each time you log in, you scan the code with the UCloud Global APP.

After some consideration, Xiaoming chose scan-code login.
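The TOTP option described above works because the server and the token app derive the same short code from a shared secret and the current time. The following is an added example, not UCloud Global's code: a server-side check following RFC 6238, with the function names, the one-step drift window, and the replay guard chosen here as assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by common authenticator apps


def totp(secret_b32: str, at: int, digits: int = DIGITS) -> str:
    """Compute the RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, now: int,
           last_step: int = -1, window: int = 1):
    """Return the accepted time step, or None if the code is rejected.

    window: steps of clock drift tolerated on each side of `now`.
    last_step: last step already accepted for this account; codes at or
    before it are refused so a captured code cannot be replayed.
    """
    current = now // STEP
    accepted = None
    for step in range(current - window, current + window + 1):
        if step <= last_step:
            continue
        expected = totp(secret_b32, step * STEP).encode()
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(expected, code.encode()):
            accepted = step
    return accepted


# Constructed sample secret: the RFC 6238 test key, base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    step = verify(SECRET, "287082", now=59)
    print("accepted step:", step)                                  # first use
    print("replay:", verify(SECRET, "287082", 59, last_step=step))  # refused
```

The caller stores the returned step per account and passes it back as `last_step` on the next login, so each code is accepted once even within its validity window.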

2. Multi-person cooperation, enjoy working together

After several optimizations and upgrades to the product, the number of users increased and the company entered a stage of rapid development. The development team grew to dozens of members. It was inconvenient and insecure for everyone to share devops@xnasa.com to manage cloud resources.

Xiaoming therefore activated the account and authority management service, created an account for each partner who needed to manage cloud resources, and added these accounts to “Project X”, the only project of the devops@xnasa.com account. Each partner could then use their own account to log in to UCloud Global's console and manage cloud resources, and Xiaoming only needed to view the operation log to know which operations each partner had performed on which resources.

Subsequently, Xiaoming created other roles based on the initial project administrator role and granted them to the corresponding sub-accounts. Each role had specific permissions. For example, the web developer role had only viewing and operating permissions for the UHost product, not creation and deletion permissions. An account with the web developer role in “Project X” would therefore have only viewing and operating permissions for the UHost product.

3. The management of multiple entities, no big issue

While implementing “Project X”, a few partners on Xiaoming's team identified a rising market opportunity and named it “Task Y”.

For business security, Xiaoming created a new project and named it “Task Y”. He moved the partners responsible for “Task Y” into this project and, since these partners were no longer responsible for “Project X”, he also moved them out of “Project X”.

This way, the partners responsible for “Task Y” could manage only the cloud resources used to deploy “Task Y”. “Task Y” and “Project X” were on different basic networks and did not affect each other.