Compliance Meets Security: How Does Kaleido Simplify Separation of Duties?
In alignment with security best practices, no user should be given sufficient privileges to misuse or substantially disrupt a system on their own. For example, the person developing a smart contract/chain code should not be the same person who has the privilege to promote said contract/code to a production environment.
To support an appropriate level of separation of duty it is important to configure your Kaleido organizations, networks, and environments correctly. Kaleido supports a static method of enforcement of roles. Specifically, Kaleido permits customers to define organizations such that there is a logical separation between them. Like any security model in the cloud, there is a fair amount of shared responsibility. Kaleido provides the means to separate your production and non-production resources but, if you add the same user into the organizations which are used to provide separation, you may be creating a conflict with your SoD matrix.
In Kaleido, the strongest level of access control is managed at the Organization level. An organization is a top-level resource that can access the Kaleido platform and is a prerequisite for any administrative operations (environment creation, node generation, etc.). Typically, an organization is mapped to a business entity or “company” but, when configuring for isolation of resources between production and non-production, it is used more along the lines of “department” or “division.” Depending on the consortium membership approach, resources in a blockchain network exist within the purview of either a single organization or multiple organizations. An organization's administrator can extend invitations to additional users, whereby they are granted the same level of administrative authority. An organization’s admin also needs to ensure that cross-organization networks do not violate their SoD matrix.
Configuration example
This section walks you through a sample configuration that consists of two organizations and highlights additional considerations for configuration and operations. Company X, a fictitious company, has determined that it needs to have strong isolation between its production and non-production systems. As such, they have determined that they need to create two organizations: Non-Production and Production. The same principles shown here would apply for additional entities such as Demonstration or Tech Sales.
Setting up a Non-Production Organization
When you first created your Kaleido account, you were prompted to give your organization a name. For the purposes of this document, we will assume that this is your Production organization. You will now need to add a new organization called Non-Production. After logging in to your Kaleido account, click on the user icon in the lower left corner of the UI and select Manage Orgs.
This action will load the Organizations page which will show you information about your default org that was created when you created your account.
In the upper right corner, click the button labeled CREATE ORGANIZATION.
In the Create an Organization panel, provide an appropriate organization name and make sure your Root organization is correct (it is automatically selected). You may also optionally specify a home region and contact email.
Once the organization has been created, you, as administrator of both the parent org and the child org, can continue with configuration of the new organization, or you can add users to the new organization and give them permissions to define their own resources. These new organizations are referred to as sub-Organizations.
The construct below an organization in the Kaleido hierarchy is a Network, or consortium. This can be a little confusing since, in a decentralized environment, a Network may contain members from multiple organizations. When thinking in decentralized terms, the web gets more complex still, because development, test and production environments may each be decentralized across several organizations. That complexity is out of the scope of this document.
For the sake of simplicity in illustration, it is assumed that the Organization here is operating as a proxy operator and has authority over all sub-Organizations, Networks and Environments.
Setting up Development sub-Organization Resources
The Network
Now that you have successfully created a new organization, you can define a Network. A network is a billable business construct: for every network you create, there will be a corresponding back-end service deployed to your Kaleido account which shows up on a monthly Kaleido invoice as “Membership.” You typically do not need more than one Network per Organization. To define your Non-Production network, make sure that you select “Non-Production Organization” (or whatever you named it) from the dropdown list in the top right corner of the home panel.
You will notice that we have a parent level Org called Bob’s Kaleido Org as well as a production and a non-production sub-organization. Bob’s Kaleido Org does not contain any resources at all. It is solely the billable organization into which both the Production and Non-Production Organizations roll up.
After selecting the Non-Production Organization from the drop-down list you will be taken to the home screen. The first time you do this you will see a screen like this one:
Go ahead and click on the CREATE NETWORK button. Provide appropriate details for the network in the following screen. Remember that the Network Object maps to a Membership object and that, in a decentralized Network, there may be multiple organizational memberships. That is not the case in this example since this is a simple “proxy operator” network.
Define the home region for the network that meets your preference.
Specify in which additional regions Environments and nodes can be created and click FINISH.
The Environment
The Environment object in Kaleido represents the actual blockchain that is being created (or, as is the case with Hyperledger FireFly Supernodes, the set of components, including a blockchain, that are to be created).
Start by creating an Environment with whichever requirements you have and give it a meaningful name such as Development Environment. Refer to the Kaleido documentation for details on the options available when configuring the environment.
When you are done setting up the environments to meet your needs and go to the home screen of your Non-Production Organization, you will see something like the following:
You will see that this Network which is in the Non-Production Organization has 3 environments, Development, QA and Demonstration. It also has only 1 membership. If you had modeled production and non-production as Networks, you would now have at least 4 memberships (Production, Development, QA and Demonstration) for which you would be incurring a monthly membership fee.
Next steps
Now that you have your sub-organizations, network and environments set up, you can add nodes, deploy smart contracts, etc. while having assurance that whatever you do in the non-production organization will have no impact on your production organization.
Adding Users to a Suborganization
Once you have your sub-organizations in place you can manage them by clicking on the user icon in the lower left-hand corner of the home screen. Choose Manage Orgs.
This will show you all the sub-organizations under your main organization.
In the ‘card’ for the Non-Production Organization, click on MANAGE ORGANIZATION. This will take you to the Organization Dashboard where you can view a variety of aspects of the sub org and manage users. Click the link in the Users card labeled MANAGE USERS.
This brings you to the panel where you can add users.
Click on the button labeled ADD USER.
Specify the email address of the user and select the role.
The available roles are: Admin, User and View Only.
Admin has full control of the sub-organization, including the ability to add and remove additional users.
User has the ability to manage most components, including the creation and deletion of nodes, environments, etc.
View Only is only able to view components, configurations, etc.
Added users will be sent an email prompting them to sign in from [email protected]. Note that when they sign in for the first time, they will be put into a parent organization of their own. They will need to select the organization to which they have been invited from the Organization drop-down menu.
NOTE: Users can be added to multiple orgs, so be careful. If you add the same user to the Production and Non-Production sub-orgs with the same level of privilege, you are likely in violation of a separation of duties matrix.
NOTE: Don’t like user interfaces? Everything laid out in this document can be performed using APIs documented at https://api.kaleido.io
The user will receive an email invitation which prompts them to create an account and join the organization.
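The check behind the note above, written as an added example rather than anything from Kaleido or this article: given a list of user-to-sub-organization role assignments, it flags every user who holds a write-capable role (User or Admin) in both Production and Non-Production, while allowing View Only in one of them. The sub-organization names, the sample emails and the exact conflict rule are assumptions; the three role names are the ones the article lists.

```python
"""Separation-of-duties conflict check over Kaleido-style sub-organization memberships.

Added example with constructed sample data; it does not call the Kaleido API.
"""
from collections import defaultdict

# Privilege ranking for the three roles the article lists (higher = more privilege).
ROLE_RANK = {"View Only": 0, "User": 1, "Admin": 2}

# Constructed sample memberships: (user email, sub-organization, role).
SAMPLE_MEMBERSHIPS = [
    ("alice@example.com", "Production", "Admin"),
    ("alice@example.com", "Non-Production", "Admin"),   # can develop AND promote: conflict
    ("bob@example.com", "Non-Production", "User"),
    ("bob@example.com", "Production", "View Only"),     # read-only in prod: acceptable
    ("carol@example.com", "Production", "User"),
    ("dave@example.com", "Non-Production", "Admin"),
    ("dave@example.com", "Non-Production", "View Only"),  # duplicate grant; highest wins
]


def effective_roles(memberships):
    """Collapse memberships to the highest role each user holds in each sub-org."""
    roles = defaultdict(dict)
    for user, org, role in memberships:
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r} for {user} in {org}")
        current = roles[user].get(org)
        if current is None or ROLE_RANK[role] > ROLE_RANK[current]:
            roles[user][org] = role
    return roles


def find_sod_conflicts(memberships, prod="Production", nonprod="Non-Production"):
    """Return {user: (non-prod role, prod role)} for users who can both change
    non-production resources and change production resources (assumed rule)."""
    conflicts = {}
    for user, orgs in effective_roles(memberships).items():
        if prod in orgs and nonprod in orgs:
            if ROLE_RANK[orgs[prod]] > 0 and ROLE_RANK[orgs[nonprod]] > 0:
                conflicts[user] = (orgs[nonprod], orgs[prod])
    return conflicts


if __name__ == "__main__":
    for user, (nonprod_role, prod_role) in find_sod_conflicts(SAMPLE_MEMBERSHIPS).items():
        print(f"SoD conflict: {user} is {nonprod_role} in Non-Production and {prod_role} in Production")
```

Run it against an export of your own user list before inviting anyone; an empty result means no user can both develop and promote across the two sub-organizations.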
Additional resources
Separation of duties in business networks involves dividing tasks and privileges among various roles to minimize the risk of fraud or error. Best practices include identifying and separating conflicting roles, implementing the principle of least privilege, and ensuring that no single individual has control over all aspects of any critical transaction.
Regular monitoring and auditing are vital to detect any anomalies, and Kaleido makes this easier with blockchain reporting and monitoring tools. To learn more about how you can build a consortium on Kaleido, schedule a talk with one of our solutions architects: Nick Gaski or Bob Blessing-Hartley (he/him).