Security tools available to cloud service users
Authentication systems
The following types of accounts are currently available to Nebius AI users:
Google accounts
For authentication with your Google account, use your username and password or, if two-factor authentication is set up, your PIN together with the Google Authenticator app.
Federated accounts
If an identity federation is used, the IAM service accepts a signed SAML token from a third-party identity provider. This token contains information about the authenticated user.
SAML token cryptographic signature keys are stored by the customer's identity provider. Therefore, it's the customer's responsibility to manage, use, and store the key safely. The public part of the key used for verifying the SAML token signature is set by the customer when configuring the identity federation and is then stored in IAM.
After receiving and verifying the SAML token signature, IAM creates and extends a user session using cookies. IAM stores and manages the cryptographic keys used to control cookie integrity.
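The cookie-based session described above, as an added Go example (this is not Nebius code; the cookie layout, the SessionSigner type and the HMAC-SHA256 scheme are assumptions for illustration): the server holds the integrity key, the client only ever holds the signed cookie, and a tampered, forged or expired cookie cannot be used or extended.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SessionSigner stands in for the server-side (IAM) component that holds the
// cookie-integrity key. The key never leaves the server. Assumed design for
// this example, not Nebius's implementation.
type SessionSigner struct {
	key []byte
}

// NewSessionSigner draws a fresh 256-bit key from the OS CSPRNG.
func NewSessionSigner() (*SessionSigner, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &SessionSigner{key: k}, nil
}

var (
	ErrInvalid = errors.New("invalid session cookie")
	ErrExpired = errors.New("session expired")
)

// mac computes HMAC-SHA256 over the payload, base64url-encoded.
func (s *SessionSigner) mac(payload string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue creates a cookie of the form base64url(subject).expiresUnix.mac.
// The subject is encoded so it can never contain the '.' delimiter.
func (s *SessionSigner) Issue(subject string, ttl time.Duration, now time.Time) string {
	payload := base64.RawURLEncoding.EncodeToString([]byte(subject)) + "." +
		strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return payload + "." + s.mac(payload)
}

// Verify checks the MAC first (constant-time compare), then the expiry,
// and returns the subject the session was issued for.
func (s *SessionSigner) Verify(cookie string, now time.Time) (string, error) {
	parts := strings.Split(cookie, ".")
	if len(parts) != 3 {
		return "", ErrInvalid
	}
	payload := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(s.mac(payload)), []byte(parts[2])) {
		return "", ErrInvalid // forged or tampered: trust none of the fields
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", ErrExpired
	}
	subject, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", ErrInvalid
	}
	return string(subject), nil
}

// Extend re-issues a still-valid session with a fresh expiry; an expired
// or tampered cookie cannot be extended.
func (s *SessionSigner) Extend(cookie string, ttl time.Duration, now time.Time) (string, error) {
	subject, err := s.Verify(cookie, now)
	if err != nil {
		return "", err
	}
	return s.Issue(subject, ttl, now), nil
}

func main() {
	s, err := NewSessionSigner()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	c := s.Issue("alice@example.com", time.Hour, now) // constructed sample subject
	fmt.Println("cookie:", c)
	subject, err := s.Verify(c, now.Add(30*time.Minute))
	fmt.Println("verify:", subject, err)
	_, err = s.Verify(c, now.Add(2*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The MAC is checked before any field is parsed, so an attacker who edits the expiry or subject gets the same ErrInvalid as one who presents a cookie signed under a different key; only a cookie that passes the integrity check can be extended.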
Service accounts
Service accounts are a special type of account for accessing Nebius AI resources on behalf of an application. Service account authentication can be done using the following types of keys:
- Authorized keys: RSA keys that are generated in IAM. Such keys can be downloaded by the user only once after their creation. IAM only stores the public part of the key. Its private part stays with the user. It is the user's responsibility to keep the private part safe. See Authorized keys.
- Static keys used to access Object Storage. IAM issues a copy of the static key to the user immediately after creating it. The key itself is retained in IAM and used to verify the integrity of requests to Object Storage. See Static access keys compatible with the AWS API.
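The authorized-key model above, as an added Go example (not Nebius code; the KeyRegistry type, the key-ID lookup and the RSA-PSS/SHA-256 scheme are assumptions for illustration): the registry generates the key pair, hands the private part out exactly once, retains only the public part, and later verifies signed requests against that public part.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyRegistry stands in for IAM: it keeps only public keys, indexed by key ID.
// Assumed design for this example, not Nebius's implementation.
type KeyRegistry struct {
	pub map[string]*rsa.PublicKey
}

func NewKeyRegistry() *KeyRegistry {
	return &KeyRegistry{pub: map[string]*rsa.PublicKey{}}
}

// CreateAuthorizedKey generates an RSA key pair, retains the public part and
// returns the private key as PEM exactly once; it is not kept anywhere else.
func (r *KeyRegistry) CreateAuthorizedKey(keyID string) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	r.pub[keyID] = &priv.PublicKey
	der := x509.MarshalPKCS1PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), nil
}

// StoredPublicKeys reports how many public keys the registry holds
// (it holds no private material at all).
func (r *KeyRegistry) StoredPublicKeys() int { return len(r.pub) }

// RevokeKey removes a public key; signatures under it stop verifying.
func (r *KeyRegistry) RevokeKey(keyID string) { delete(r.pub, keyID) }

// SignRequest is the client side: sign a request body with the private PEM
// the user downloaded once. RSA-PSS over SHA-256, base64 output.
func SignRequest(privPEM []byte, msg []byte) (string, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil {
		return "", errors.New("malformed private key PEM")
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyRequest is the IAM side: look up the public key by ID and check the
// signature over the received body. Unknown IDs and tampered bodies fail.
func (r *KeyRegistry) VerifyRequest(keyID string, msg []byte, sigB64 string) error {
	pub, ok := r.pub[keyID]
	if !ok {
		return errors.New("unknown key id")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

func main() {
	reg := NewKeyRegistry()
	privPEM, err := reg.CreateAuthorizedKey("key-1") // constructed key ID
	if err != nil {
		panic(err)
	}
	msg := []byte(`{"service_account":"sa-demo","ts":1700000000}`) // constructed body
	sig, _ := SignRequest(privPEM, msg)
	fmt.Println("valid:", reg.VerifyRequest("key-1", msg, sig))
	fmt.Println("tampered:", reg.VerifyRequest("key-1", []byte("other"), sig))
	reg.RevokeKey("key-1")
	fmt.Println("after revoke:", reg.VerifyRequest("key-1", msg, sig))
}
```

Because the registry never stores the private PEM, a compromise of the registry yields only public keys; losing the downloaded private part, on the other hand, means the user must revoke the key and create a new one, which is the responsibility the text assigns to the user.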
Network security
To protect the cloud network infrastructure hosted in Nebius AI, we recommend managing incoming and outgoing traffic and dividing the virtual networks of the Nebius AI environment into segments based on tasks.
For incoming traffic management, place VMs without public IPs behind a load balancer. This reduces the attack surface and restricts the traffic that reaches the VMs to the appropriate protocols.
For outgoing traffic management, we recommend using VMs without public IPs and granting them internet access through a NAT instance that functions as a network gateway or proxy server.
For access control in Nebius AI, you can create a separate network for each of your development teams or each environment (development, testing, and production). With this approach, we recommend using network device images available on Marketplace to link networks to each other and control network flows between segments.
We also recommend connecting to your local infrastructure or the internet using a VPN instance.