...
- More control over incoming changes
- Fewer, if not minimal, lateral-movement risks
- A tight grip on the principle of least privilege, as no human needs privileged access anymore except during escalations
- An easily obtained audit trail
- A modern approach to collaboration
Note that the more the client automates, the fewer of the roles and permissions outlined below are needed. The degree of client-side automation also affects pricing and timeline, as human actions always take longer than those of machines.
...
This separation primarily serves the risk-based approach described at https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/445972604/Reference+Architecture+CMT#Risk-based-approach and is not merely decorative.
...
Unique advises segregating resources at a resource group level using the following groups:
Group | Content | High-level permissions |
---|---|---|
Main | Primary resources needed to run, but no resources that contain data. | The responsible party (Unique or the client, see Responsibilities) works mostly within this resource group, if at all. |
Sensitive | All customer data, which mainly consists of prompts and files, the embeddings of uploaded files, and encryption keys. | Unique should have the least possible privilege (and only JIT) to this group. Ideally, no human should have standing access to it at all; see Automation. |
Audit | Centralized, tamper-safe audit logs of . | Unique and its workloads can only emit (one-way) into this resource group; there is no read path. Modifications to this resource group should preferably be made only by the client or via Automation. |
Vnet | Networking setup, where some limited internet access is needed to pull the content of https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/436536544 | Naturally, most clients prefer to administer this part of the infrastructure themselves, as it has a major security impact. If Unique is to take care of it, the Automation approach is recommended over any manual actions. |
Terraform | Stores Terraform state. | Only a few individuals with a specific role, or the Automation, should have access to this group, as this is where the state of the whole infrastructure is saved. |
...
The content of the Main group is primarily based on https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks-pci/aks-pci-ra-code-assets. Beyond the infrastructure requirements, some additional resources are recommended to be deployed in order to run .
...
To understand the content of this section, https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles must be read and understood.
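As an added example (not part of this page or of Unique's reference architecture), the following Python script turns the resource-group segregation table and the custom-role guidance into a checkable policy. It flags role assignments that give a human standing (non-JIT) access to the Sensitive group or any read path into the Audit group, and it lints Azure custom role definitions (the JSON shape from the linked documentation) for wildcard actions and, for the Audit emitter, any read operation. The policy mapping, the custom role names AuditEmitter and TerraformStateOperator, the sample assignments and the role definitions are constructed assumptions; Reader, Contributor and Network Contributor are Azure built-in role names, and the action strings follow Azure's provider/resource/operation format.

```python
"""Least-privilege checks for the resource-group segregation and custom-role guidance.
Added example: policy, custom role names and sample data are constructed, not Unique's own."""
from dataclasses import dataclass
from typing import Optional

# Allowed roles per resource group and principal type, derived from the segregation table.
# "Reader", "Contributor" and "Network Contributor" are Azure built-in roles;
# "AuditEmitter" and "TerraformStateOperator" are hypothetical custom roles.
POLICY = {
    "Main":      {"User": {"Reader", "Contributor"},   "ServicePrincipal": {"Contributor"}},
    "Sensitive": {"User": set(),                       "ServicePrincipal": {"Contributor"}},
    "Audit":     {"User": set(),                       "ServicePrincipal": {"AuditEmitter"}},
    "Vnet":      {"User": {"Reader"},                  "ServicePrincipal": {"Network Contributor"}},
    "Terraform": {"User": {"TerraformStateOperator"},  "ServicePrincipal": {"TerraformStateOperator"}},
}
# Humans may reach the Sensitive group only through a time-bound (JIT) activation of these roles.
JIT_ROLES = {"Reader", "Contributor"}


@dataclass(frozen=True)
class Assignment:
    principal: str
    principal_type: str   # "User" or "ServicePrincipal", as Azure reports it
    resource_group: str
    role: str
    jit: bool = False     # True when the grant is a temporary activation, not standing access


def check_assignment(a: Assignment) -> Optional[str]:
    """Return a violation message, or None when the assignment is within policy."""
    allowed = POLICY.get(a.resource_group, {}).get(a.principal_type, set())
    if a.role in allowed:
        return None
    if a.resource_group == "Sensitive" and a.principal_type == "User" and a.jit and a.role in JIT_ROLES:
        return None  # the accepted exception: JIT elevation rather than standing access
    kind = "JIT" if a.jit else "standing"
    return f"{a.principal} ({a.principal_type}) holds {kind} '{a.role}' on '{a.resource_group}'"


def audit_assignments(assignments) -> list:
    """Run every assignment through the policy and collect the violations."""
    return [v for v in map(check_assignment, assignments) if v is not None]


def lint_custom_role(role_def: dict, write_only: bool = False) -> list:
    """Check a custom role definition for over-broad actions. With write_only=True every
    read operation is flagged, which is what the Audit group's one-way-emit rule requires."""
    issues = []
    for key in ("Actions", "DataActions"):
        for action in role_def.get(key, []):
            if action == "*" or action.endswith("/*"):
                issues.append(f"{key}: wildcard '{action}' grants more than one operation")
            elif write_only and action.rsplit("/", 1)[-1] == "read":
                issues.append(f"{key}: '{action}' is a read operation in a write-only role")
    if not role_def.get("AssignableScopes"):
        issues.append("AssignableScopes is empty; the role cannot be scoped to one resource group")
    return issues


# Constructed sample data: a role-assignment listing plus two candidate custom roles.
SAMPLE_ASSIGNMENTS = [
    Assignment("deploy-pipeline", "ServicePrincipal", "Main", "Contributor"),
    Assignment("alice", "User", "Sensitive", "Contributor", jit=True),   # JIT: acceptable
    Assignment("bob", "User", "Sensitive", "Reader"),                   # standing human access
    Assignment("app-workload", "ServicePrincipal", "Audit", "Reader"),  # read path into Audit
    Assignment("carol", "User", "Terraform", "TerraformStateOperator"),
]
AUDIT_EMITTER_ROLE = {
    "Name": "AuditEmitter", "IsCustom": True,
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/write"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "AssignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/Audit"],  # placeholder id
}
OVERBROAD_ROLE = {"Name": "Helper", "IsCustom": True,
                  "Actions": ["Microsoft.Storage/*"], "AssignableScopes": []}

if __name__ == "__main__":
    for v in audit_assignments(SAMPLE_ASSIGNMENTS):
        print("VIOLATION:", v)
    print("AuditEmitter:", lint_custom_role(AUDIT_EMITTER_ROLE, write_only=True))
    print("Helper:", lint_custom_role(OVERBROAD_ROLE))
```

Run against a real subscription, the assignment list would come from the role-assignment export rather than the constructed sample; the point is that the table above becomes a rule set that can be re-checked after every change, which is what the Automation approach relies on.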
...
...
...
...
Author | See Parent |
---|