Reducing “Mixtape to Master Key” Scenarios: How to block the Dark Army from mayhem using API-driven access control presented at BSidesSanFrancisco 2017

by Aren Sandersen

Summary: After a tenure of a year or two at many companies, a senior engineer’s access level is often maxed out. He or she probably has full root permissions across the entire infrastructure. We call these privileges ‘master keys’ and, just like a building’s master key, they are very dangerous if they fall into the wrong hands.
Instead, privileged access should be granted only on a temporary basis. Sometimes this means requesting increased access from a manager or a peer. But sometimes the increased access can be imputed from another input. For example, sudo permissions can be automatically granted and revoked in accordance with an on-call schedule. Or a Jira ticket must be open and approved before a user can log into a sensitive database for scheduled maintenance.
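As an added illustration (not code from the talk), the two imputed-access rules above expressed as one policy function: a request is granted only while the requester is on an on-call shift, or while an approved ticket assigned to them names the target host and the request falls inside the ticket's maintenance window. Every grant carries an expiry so the caller can revoke it. The on-call rotation and ticket list are constructed sample data standing in for the scheduler's and tracker's APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc
# Constructed sample data: on-call shifts per user, and tickets from the tracker.
ONCALL = {
    "alice": [(datetime(2017, 2, 13, 9, tzinfo=UTC), datetime(2017, 2, 13, 21, tzinfo=UTC))],
}
TICKETS = {
    "OPS-101": {"assignee": "bob", "target": "db-prod-1", "status": "approved",
                "window": (datetime(2017, 2, 14, 1, tzinfo=UTC),
                           datetime(2017, 2, 14, 3, tzinfo=UTC))},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    expires: Optional[datetime] = None  # when a granted privilege must be revoked


def authorize(user: str, target: str, now: datetime, ticket: Optional[str] = None) -> Decision:
    """Temporary, justified privilege only: never a standing master key."""
    # Rule 1: an active on-call shift grants access, expiring when the shift ends.
    for start, end in ONCALL.get(user, []):
        if start <= now < end:
            return Decision(True, "on-call shift", expires=end)
    # Rule 2: an approved ticket for this target grants access within its window.
    if ticket is not None:
        t = TICKETS.get(ticket)
        if t is None:
            return Decision(False, "unknown ticket")
        if t["assignee"] != user:
            return Decision(False, "ticket not assigned to requester")
        if t["target"] != target:
            return Decision(False, "ticket does not cover target")
        if t["status"] != "approved":
            return Decision(False, "ticket not approved")
        start, end = t["window"]
        if not (start <= now < end):
            return Decision(False, "outside maintenance window")
        return Decision(True, f"approved ticket {ticket}", expires=end)
    return Decision(False, "no on-call shift and no approved ticket")


def should_revoke(decision: Decision, now: datetime) -> bool:
    """True once a previously granted privilege has passed its expiry."""
    return decision.allowed and decision.expires is not None and now >= decision.expires
```

Hooking this up means the sudoers or database-role change is made only after `authorize` returns `allowed=True`, and a periodic job calls `should_revoke` to tear the grant down.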
This talk will cover how to quickly and easily build API-driven access control into your environment and eliminate your “master keys”.