Authentication & Authorisation: Best Practices in the Cloud

September 28, 2021

Season 1, Episode 1

In this episode Jon Shanks and Jay Keshur dig into authentication and authorization best practices for a multi-account cloud estate.

In This Episode, You Will Learn: Jon and Jay separate authentication (proving who a user or workload is) from authorization (what that identity is then allowed to do), and argue for one corporate identity and Single Sign-On (SSO) from the outset. They also cover the difficulty of authorizing and managing access for multiple teams across many accounts, and how differently the three major cloud vendors (AWS, Google Cloud and Azure) approach it.


Themes Covered in the Podcast:

  1. Importance of Single Sign-On (SSO): Use the identity every business already has (a corporate email domain) and extend it through SSO into the cloud providers and every other service from the beginning. Onboarding and offboarding then touch one identity: disabling that account revokes access everywhere, instead of hunting through each service for orphaned per-service identities and working out which ones belong to the same person.
  2. Managing Access for Multiple Teams: Once each business unit or team has its own accounts (at minimum separate non-production and production), authorizing both people and workloads across all of them becomes the hard part. Jon and Jay highlight how the top three cloud vendors differ here.
  3. The Evolution of Cloud Vendors: AWS began with individual accounts and added AWS Organizations, SSO and Control Tower years later, so multi-account identity there is a set of services tied together rather than part of the original design, whereas Google Cloud and Azure were built around a single identity spanning many projects or subscriptions. The episode looks at how that history shapes authentication and authorization on each platform.
  4. Role of Policies in Access Management: Define the roles people actually need first (for example, whether anyone outside a platform team should touch networking), manage those roles centrally at the tenant or root account level, map identity-provider groups to roles, and grant privileged roles as time-limited assumptions gated by MFA rather than standing access, so a stolen identity lands on unprivileged defaults.
  5. Challenges with Continuous Integration (CI): Once infrastructure is code, the pipeline inherits the privileges a human would have needed, and a robot cannot realistically be MFA'd. The discussion covers scoping CI identities to specific accounts, environments and resources, keeping dev and prod credentials separate so neither is transitively reachable from the other, and running dumb runners inside your own estate instead of a single all-powerful bot.

Quick Takeaways:

  1. Single Sign-On (SSO): An authentication scheme that lets a user sign in once, with one set of credentials, to several related but independent systems.
  2. Authorization: Deciding what an authenticated identity is permitted to do.
  3. Authentication: Verifying that a user or service is who it claims to be.
  4. Cloud Vendors: Providers of cloud computing services; in this episode, AWS, Google Cloud and Azure.
  5. Policies: Rules that define which identities may perform which actions on which resources, plus guardrails such as regional or compliance restrictions.
  6. Continuous Integration (CI): The practice of merging all developers' working copies to a shared mainline several times a day; here, also the automation that applies infrastructure as code on a team's behalf.
  7. Tenant: The top-level boundary of an organisation's cloud estate (for example an Azure tenant or the root account of an AWS Organization), under which individual accounts, subscriptions or projects sit.
  8. Role-Based Access Control (RBAC): Attaching permissions to roles rather than to individuals, and assigning people to those roles, usually through identity-provider groups.
  9. Transitive Access: Access that follows indirectly from another grant, such as CI credentials issued for one environment that can also reach another; the episode argues dev and prod credentials should be kept separate to avoid it.
  10. Service Accounts: Non-human identities (robots, service principals) used by applications and pipelines to call other services.
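The MFA-gated role escalation and the IP-restricted CI identity that Jon and Jay describe in the transcript below (roughly 15:40 to 17:33 and 21:15 to 23:29), as an added illustration that is not code from the episode, from Appvia or from AWS: a simplified model of how an AWS IAM role trust policy's Condition block decides an sts:AssumeRole call. The account id, ARNs, role names and address range are made up, and the evaluator implements only the operators these constructed policies use; it is a teaching model, not the real IAM engine.

```python
"""Simplified model of how an IAM role trust policy's Condition block decides
sts:AssumeRole.  Added example for this page, not code from the episode, from
Appvia or from AWS; no network calls, and only the operators used below."""

import ipaddress

# Hypothetical account id, ARNs and role names throughout.
ADMIN_GROUP_ROLE = "arn:aws:iam::111122223333:role/sso-platform-admins"
CI_PROD_RUNNER = "arn:aws:iam::111122223333:user/ci-runner-prod"

# Constructed: a break-glass admin role that SSO-mapped platform admins may
# assume only when the session carries an MFA assertion under an hour old.
ADMIN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ADMIN_GROUP_ROLE},
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"},
        },
    }],
}

# The weak variant from the stolen-laptop story: same grant, no MFA gate.
ADMIN_TRUST_POLICY_NO_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ADMIN_GROUP_ROLE},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed: a prod deploy role only the prod runner identity may assume,
# and only from the prod runners' own address range (a robot cannot be
# MFA'd, so source address is the extra check that actually gets used).
CI_PROD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CI_PROD_RUNNER},
        "Action": "sts:AssumeRole",
        "Condition": {"IpAddress": {"aws:SourceIp": "10.20.0.0/24"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, expected, actual):
    """One condition key against the request context.  A key absent from the
    context (actual is None) fails, as IAM treats these operators without
    ...IfExists: a session that never did MFA has no MultiFactorAuth keys."""
    if actual is None:
        return False
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator == "NumericLessThan":
        return float(actual) < float(expected)
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "IpAddress":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(cidr, strict=False)
                   for cidr in _as_list(expected))
    raise ValueError(f"operator {operator!r} is not modelled in this example")


def statement_allows(stmt, principal_arn, context):
    """True if this Allow statement names the caller and every condition holds."""
    if stmt.get("Effect") != "Allow":
        return False
    if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
        return False
    if principal_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, expected, context.get(key)):
                return False
    return True


def can_assume(trust_policy, principal_arn, context):
    """Any matching Allow grants the assumption; these constructed policies
    carry no Deny statements, so nothing can override an Allow."""
    return any(statement_allows(s, principal_arn, context)
               for s in trust_policy["Statement"])


def session_duration(requested_seconds, max_session_duration=3600):
    """The fixed-lifetime part: STS refuses a DurationSeconds above the role's
    MaxSessionDuration rather than capping it, and credentials then expire."""
    if requested_seconds > max_session_duration:
        raise ValueError("DurationSeconds exceeds the role's MaxSessionDuration")
    return requested_seconds


if __name__ == "__main__":
    saved_browser_session = {}  # reused credentials, no MFA this sitting
    fresh_mfa = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "120"}
    print(can_assume(ADMIN_TRUST_POLICY, ADMIN_GROUP_ROLE, saved_browser_session))
    print(can_assume(ADMIN_TRUST_POLICY_NO_MFA, ADMIN_GROUP_ROLE, saved_browser_session))
    print(can_assume(ADMIN_TRUST_POLICY, ADMIN_GROUP_ROLE, fresh_mfa))
    print(can_assume(CI_PROD_TRUST_POLICY, CI_PROD_RUNNER, {"aws:SourceIp": "203.0.113.5"}))
```

Two caveats worth carrying into a real estate. First, the MFA keys only exist in the request context when the session itself was established with MFA (for example AssumeRole called with SerialNumber and TokenCode); they are not present when chaining from another role session, so an MFA condition on a role assumed from an SSO permission set fails closed for everyone and the check has to live at the SSO login instead. Second, as the hosts say, a source-address condition is not a second factor: it narrows where a leaked CI credential is usable, but whoever holds it still authenticates as that runner, so the runner's permissions must be scoped to the one account and environment it deploys to.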

Follow for more:

Jon Shanks: LinkedIn

Jay Keshur: LinkedIn

Jon & Jay’s startup: Appvia


Transcript

0:00 sure how how do you do it well I do I have this guy called Jake speed dial

0:06 what I tend to do is just ring this guy he's under like Cloud security what should I do all right yeah that's just

0:11 what I have under my phone yeah so I'll just speed dial security guy ring that guy

0:23 hey everyone welcome to Cloud Unplugged this is season two episode three we have

0:30 returned back to talk around the landing zones um Jay has had time to research the

0:36 answers from the previous episode um I've also had time to uh figure out

0:42 that I said the wrong thing in in Murphy's Law and Moore's Law so which is quite relevant I guess so Murphy's Law

0:49 is anything that will go can go wrong will go wrong do you want to look at it look at my phone again it can't go wrong

0:57 we'll go wrong yeah I think you meant and so I was trying to figure out which law it was and that went wrong it's

1:04 actually Moore's Law that I was referring to which is the number every two years the number of uh transistors

1:12 capacitors or whatever doubles every two years right okay well I can't remember what was it in relationship

1:19 a speed of like computing power and how and chip everything else and how we are

1:26 do we just have more opportunity because there is greater advancement in technology right I see which is great

1:32 that's not what we're talking about today Jay is it so you're trying to get out of giving us answers

1:38 to research so what we want to do is try and focus on some of the things we spoke

1:44 about so just to recap um we made lots of

1:50 um decisions I think for people saying if you if you have certain element of scale

1:56 you've got multiple teams you know those teams have different data requirements

2:01 or just just data around those delivery teams anyway for those business units that you shouldn't share things

2:08 obviously because the risk is going to go up yep blast radius increases if something was to happen so split those

2:14 out split the environments out ideally as well simply put non-production production but there could be more yeah

2:21 um but I guess that's a good starting point then we decided that hub-spoke probably

2:27 was better just because of the centricity exactly networking needs to happen somewhere it was peering you can

2:32 end up in a bit of a peering mess not knowing what's peered with what eventually I mean you might even have

2:38 multiple hubs you could have could have multiple hubs so you know it could be anything because I guess with when it

2:44 comes to net network connectivity there are limitations you know you can only have a certain number of peering

2:50 connections or a certain um range uh or or um you can only limit

2:57 the routes of the I mean the the top kind of uh CIDR of your different ranges

3:03 that you have so that might be a limitation itself um there are you know numbers are finite right yeah yeah yeah true yeah

3:09 so I guess hub-spoke you could have many hubs yeah many spokes but bare minimum

3:15 just do one yeah exactly um and kind of get going with that then we were talking

3:21 through policies was just mutating policy this is a very long recap pretty

3:27 much podcast um and an application um kind of like regional blocking maybe

3:35 you don't want people in certain areas data sovereignty yeah compliance type policies

3:41 um and then we're talking about applications and like how maybe you could secure that

3:46 um which you could probably do with some policies as well to a point until you get very specific into the apps

3:52 um there's other things and you were gonna like obviously this is a big topic and we

3:58 needed to do it justice I think was how you ended it so

4:03 identity user management we haven't really spoke about yeah I guess that's a big key piece of

4:09 cloud isn't it should we should we start there so let's let's break down what it is um that uh authorized authentication and

4:16 authorization what that means so obviously authentication is getting you

4:22 know knowing who you are so I log into something um what is that identity that is

4:29 connected with me as a person um that's authentication and authorization do you want to take this

4:34 one yeah this is what you're allowed to do exactly that so but we're assuming then because this is aimed more I guess

4:41 that people who are going to be in companies yeah so our assumption is that B2Bs I guess

4:47 but I guess businesses that have they're bound to have an email address and a domain on that email address yes

4:53 so they've already got some identity because people need to go and get emails they've got authentication yeah so yeah so they've got an identity and a

5:00 business already that they can use to authenticate with and and best practice is not to um have you know more than

5:07 um that one identity right um so now you have the concept of single sign-on

5:13 um and kind of extending your use of that identity into the cloud providers

5:18 and and everything else that that person is touching um and the benefits I guess for people

5:24 I mean single sign-on most people are familiar with you can sign on to things with your Facebook that's an active

5:29 single sign-on but then it also means if you're offboarding a person and you've used the same you only have one identity

5:35 as in to authenticate with so you might have many services but you only have one

5:40 identity that you're gonna um authenticate with those services too that means onboarding and offboarding

5:46 means it's super simple you can delete that person or disable that person now they don't have access to anything

5:51 across the board multiple identities for very specific services way harder because it means you've got to go

5:57 through every single service yeah identify whether that person still or does still or still does or doesn't have

6:03 access to those things essentially and who those uh different identities are even related back to you right so

6:09 because you've got a one-to-one relationship not only do you have to figure out what how you're managing the

6:15 map of those relationships if you've got one to many but then you know whether they should have least privileged access

6:21 to those things at the right time so it's it you can tie yourself into a lot of mess so

6:27 um authorization uh so I guess when you're when you're you know we've kind of obviously said that single sign-on

6:35 um having that one identity using that identity and Cloud how are you going to do it well you obviously need to utilize

6:42 oh yeah yeah I mean sure how do you do it well I do is I have this guy called

6:47 Jake speed dial what I tend to do is just ring this guy he's under like Cloud security what should I do oh right yeah

6:53 that's just what happened to my phone yes uh just speed dial Cloud security guy ring that guy and then he starts

6:59 telling me about do you know authentication authorization differences and I'm like absolutely not what are you talking about

7:09 [Laughter] but anyway so yeah authorization how do

7:17 you what can people do I guess and I guess just a frame if you have lots of

7:22 different accounts so we've already set the premise of some of the decisions we've all right so

7:28 assume different each business unit has a team delivering it may have more than

7:34 one team under the business unit but for simplicity's sake let's just assume it's a one-to-one yeah each business unit has

7:39 one project that project is one team that one team delivering a business application the and then each team has two accounts

7:47 non-production and production we could have more but we're just keeping it simple so now access of varying degrees for

7:56 teams to deliver in the cloud um to I guess access services in the cloud

8:02 as well for themselves applications to access those services what what is like

8:07 where do you start then on managing authorization or access good question

8:13 and and even the cloud um vendors and and you know when we talk about Cloud for the sake of these

8:20 conversations we're only going to talk about the top three right so Google Amazon and Azure

8:26 um and they have different ways of doing it so with with um Amazon you know you can have a single

8:34 account um and the concept of organizations is still fairly new

8:40 um whereas with with Google and Azure um that's kind of built into how they've

8:45 designed their services so you have a single identity and that proliferates

8:51 accounts with Amazon you know you've got loads of kind of services that have been tied together to give you a similar sort

8:58 of outcome but that's not baked in from the design of the the actual cloud provider itself so

9:05 um yeah because they started obviously an account individual account level individual accounts it's been around for

9:10 20 years or whatever yeah exactly um so individual accounts and then you

9:15 had this concept of organizations and what was that like five six years ago we always get this yeah I think probably

9:21 yeah it probably will be about four yeah four or five years ago yeah I would say so so that was a way to um kind of vend

9:29 and manage additional accounts and then you have SSO on top of that

9:34 um to give you well SSO service catalog every all of all of and then Control

9:40 Tower to give you a way to um vend accounts give people access to

9:45 those accounts group manage group policy things like that um so when you talk about authorization

9:54 um we're I guess going to talk about the way to do it well not more different

10:00 ways to do it um no because many there are many I guess the most we're talking always talking about scale

10:07 you know I guess that's what we've got to factor in because anything anything that's got a least amount of

10:15 scale to it it's obviously easy to manage right because less things less stuff to do anything that has lots more people lots

10:21 more services the minute you kind of crank up the scale factor on these stuff the more difficult it becomes yeah for

10:28 people because one thing psychologically you never want to be is a blocker

10:34 only psychological just psychology physically physically terrified

10:40 yeah not a psychological one at all I don't mind physically stopping you getting to your laptops so you can't do

10:47 the work uh but yeah not so I guess just being seen in the business as somebody that is slowing delivery yeah

10:54 um and that's when bad decisions get made usually is under the pressure so people

11:01 kind of succumbed to like oh I'll give you all the access you need now and then I'll sort it out later right right that

11:08 kind of attitude like oh like we need to go we need to we need this now so yeah okay working this out granularly it's

11:13 going to be too complicated I've given you the permissions you can get on now I'm going to refactor that later other

11:19 than ever doing the forget another level of permanent permission from ages ago like all these situations that kind of

11:24 happen just to get people this goes out the windows people with permanent admin access they didn't even realize or

11:30 remember have it anymore exactly um how many times did that happen to you do you still have access to loads of places we should go through a little uh

11:38 keep us to anything but yeah I mean definitely if I have I been in those situations absolutely have I made those

11:46 decisions definitely would have made those decisions because you obviously want to enable the business and it's

11:53 always a trade-off on you know that's I guess that's why I was kind of saying it's psychological because it's

11:58 humanistic people are asking you for something yeah you want to help them exactly right

12:04 that's part of the job so then you obviously do what's helpful to somebody even if it's not great for the business by accident like security

12:12 cool so anyway you you authorization you're talking about

12:19 then what the right way to do it which is what's the right way to do it so authorization uh you've got two things

12:27 that need to authorize in principle uh users and service accounts or robots or

12:33 you know principals service principals whatever you want to call it um but that is a user that uses

12:39 um like me you what you know Joe Bloggs um or a service that needs access to

12:46 another service in Cloud um so generally speaking

12:52 um knowing the roles that the user should

12:57 have in the organization is like the first step you know are these default roles that cloud come with the right

13:05 um context or the right setup for my organization am I going to have sort of global global administrators or people

13:13 that are only allowed to edit different users and and give them access or do I

13:20 want to be in a bit more granular than that so do I want um you know am I going to protect say

13:26 the network layer and say actually uh you can have access to everything apart

13:32 from components um that touch networking because that's

13:37 men essentially and you can tie yourself up into a bit of a mess if you don't really understand what's going on there so

13:44 defining those roles is probably the first thing to do and then making sure

13:49 that those roles are managed centrally um so at the sort of tenant you know

13:56 um root account level um that that type of thing um and then

14:01 figuring out where it is that your or how it is that you're going to give

14:07 people access to those things so whether there's some sort of identity governance inside your business where you you are

14:14 you know um you're getting approval for those for those groups if it's managed through AD

14:22 groups that you're in or some sort of um centralized department that give you

14:28 the right access to be able to associate that to the role that you have does that

14:33 make sense yeah so basically you're saying have some sensible defaults of like 80/20 rule 80% of people probably

14:40 might use roughly the same types of permission um and then if you put people in those

14:46 groups as you know they're defining your IdP your identity provider but yeah AD

14:52 AAD whatever it's going to be G Suite yeah um you can then put create the groups

14:58 that map those people into those and then you can use the groups to then basically map to roles yeah um that

15:05 you're allowed to use roles that they might um they might have permissions yeah

15:11 um but they might not necessarily be active at all times because you know one of the

15:16 um one of the um principles I guess um of of doing

15:21 things properly is having the least level of access um so least privilege so you might have

15:28 a role that you can assume into um or escalate to but not necessarily

15:34 have it active at all times um so you you then have to have a

15:40 process in place to um and this cloud services obviously that help you do this um like Privileged

15:46 Identity Management or STS I guess in in in Amazon

15:51 that give you the ability to assume into that role for a fixed amount of time and

15:57 then you have access for that amount of time and then it goes away yeah yeah so the default access that you might have

16:03 if somebody was to somehow take your identity yeah

16:09 um would mean that their default permissions would not be obviously

16:15 particularly privileged so exactly but then you'd have to then know the roles that they're allowed to assume and then

16:21 you could then just assume the role which could be privileged but but you might on on escalating that privilege

16:27 you might have other controls to make sure that that person so let's say your your laptop got stolen right

16:35 um and um you've got some credentials saved on your I mean I'm not saying that you have this but yeah let's assume that

16:41 you do you've got some credentials saved on on your um on in your browser and

16:46 you've gone gone into the Amazon console logged in as Jon Shanks um and try to do it yeah this guy he's

16:53 got access to everything always logging in and doing crazy things and so you've

16:58 gone in um and you're trying to get access to the root account to do something crazy yeah because this guy's you know he's

17:05 nuts yeah it's like controllers um but you might have a policy in place

17:12 this is kind of where the two you know policy and then access me meet each other so you might have a policy in

17:17 place that says well any any escalation to this type of role

17:23 um God-like account you know um admin or whatever needs

17:28 um a 2FA um so um multiple factors of authentication

17:33 which generally is like an email or a phone or a code or something like that

17:39 that you have to approve um and then you get another layer of security because

17:46 um generally speaking you might also have another form of authentication on

17:51 that device that gives you that code so you have like face recognition or fingerprint IDs so now you've literally

17:58 got multiple you've got three layers of authentication before you've been at given access to the thing that you

18:06 should have access to yeah because the authorization piece once you've got the permission you've got the permission

18:11 yeah exactly right if you're in that group yeah and yeah group is allowed to do things and that group is just allowed

18:18 to do those things yeah but the um what you're saying is because of that

18:23 then you have to put most of the stuff needs to be on the authentication side

18:28 to try and limit basically the exposure of that risk to make it as hard as possible yeah for

18:34 that person to kind of gain so then so then you've got authorization then which is

18:40like people and then you’ve got authorization which might be applications that you need to then do things in the cloud especially nowadays

18:46with platforms sure you know lots of platforms kind of automate a load of things for people

18:52um so now you have like platform issues maybe I guess you could put it like that in terms of like what’s about

18:58CI being a prime example yep see I’m most of the time historically would have been quite privileged because you didn’t

19:05really know what somebody might need to be able to do yeah I guess I guess you know way back when you probably didn’t

19:11use least privilege in the way that it’s kind of implemented and made easier to use now so you’re spot on like you might

19:19only have one account that does CI in your whole business right I’m sure loads

19:24of loads of people have seen like Jenkins bot or something like that with like God permissions and everything but

19:30nowadays you can be really specific about um what uh what access that thing has

19:37which account which subscription which project whatever it has access on and

19:42then which resources it’s allowed to manage um with because there’s a dichotomy

19:49everyone’s saying hey Jay because that’s what they say hey

19:55supposed to be infrastructure is code what are you talking about is people don’t do all this stuff yeah exactly code does it CI does it right so you

20:02kind of got that thing like everything that you would have done yeah you no longer are doing supposed to be infrastructure as code right right so

20:08that means it has to mimic the amount of privileges that you would have needed I might have had to to automate the things

20:14that you would have done manually or to automate the things that you would have done who gives CIA who how does it get access

20:20that’s what we’re saying I’m just I’m just I’m just teeing it teeing up yeah constraint because it’s saying now you

20:26put all that effort in the humanistic side mfas right multiple devices protect

20:32the identity because like the authorization there then we’re saying well yeah but the person shouldn’t be doing that anyway yeah exactly right so

20:39okay cool right so the person isn’t doing the work then Ci or some form of automation system is going to be doing

20:45it most of the time it’s a continuous integration path and defined as code could be GitHub

20:52actions yeah could be anything so now knowing that then what privileges

20:57how do you Scope the Privileges for a thing that’s going to be doing lots of things good question

21:03um and where do you put the security then on that if it’s mfaide this

21:08magically I mean yeah exactly this is this is this could have its own like there are there are a few Solutions in

21:15this space um there’s uh I guess you can’t really MFA a robot right you kind of can but

21:22it’s a bit very very hacky yeah um so I think in general people tend to

21:28lock it down to IP address or location yeah but that’s not multiple factors of

21:33authentication that’s stopping um that’s that’s seeing other kind of

21:38metadata and stopping it if it’s not within within the frame of what they’re expecting um it’s not the same you can

21:46still assume raw which means that the access credential that that service account would have had

21:52so it’s authenticating it’s authenticating so that’s the bit we said yeah because the authorization thing as

21:58we were saying yeah I mean that’s just a set of permissions yeah exactly so either you need those or you don’t and

22:04you can scope them to the less amount of permissions you could possibly need but you’re still going to do the job that

22:10thing has to give the outcome expected to but you’re you’re I guess you’re

22:16um you know you’re limiting how much that thing has access to so you’re never gonna have say this is the click Jacob

22:23sure automation pipeline exactly so yeah

22:29which you know so it would have been anything that you would have had to have done done yeah has to now live in City

22:36eyes so me as a person um I might have access to Dev and prod

22:41right um I know crazy um stop this guy um control but um a bot

22:48um because those accounts are hopefully going to be localized just to those

22:54environments then that you’re not um kind of uh you don’t have Transit

23:00access let’s let’s get transitive access to both things so um you’re going to have different

23:05credentials in Dev you have different credentials in prod um you might have

23:12um you know different ways of managing those things you might even have different Runners

23:18um to give it another layer of security so that um any changes that you’re

23:23making in Dev come from a set of ips any changes that you’re making a product come from a different set of ips and

23:29then you’re you’re really kind of what that is GitHub

23:38is completely up to you yeah but there are ways to just get help actions allow

23:44you to run the runners allow for that you can run Runners inside your estate and then look in yeah that’s a way

23:50better model yeah definitely yeah so I think that’s the thing isn’t it I think things move to be more localized

23:56to where it’s going to run I mean lots of CIS change pattern more to that agent style model subscribe to something that

24:03subscription tells me what to do or maybe it’s just get them polling or watching for directly agents should only

24:09like they should always be dumb right yeah like um I I just need to connect to a thing

24:15that tells me what to do not I know what to do I have state I know you know I’ve

24:20got full access to all the things to be able to do everything you want me to do just tell me just tell me when yeah and

24:25I’m doing it I’m ready to go I I can almost guarantee you that anyone that is

24:32using Jenkins has got something like that has got access like has an agent

24:43[Laughter]

24:50so yeah if you if you’ve got um a Jenkins in your environment I guarantee that agent is not as dumb as

24:57you know these these other um kind of CI tools that actually do have those principles embedded um so uh

25:06dumb agents that don’t have any tooling on the agent that don’t have any access that just talk back to the thing yeah

25:12so anyway we’ve digressed we have digress but it’s important because we talk about permissions for something

25:18it’s the things things need permissions or someone needs permissions that’s what it boils down to which is always

25:24complicated yeah right it’s complicated to manage that properly and to get really granular is very time consuming

25:31to know exactly what somebody needs 100 of the time all the time is near on

25:36Impossible because things change if you’ve been agile and everything’s moving maybe the app is moved maybe

25:42there’s new services that it needs to consume so times that by however many things are evolving around you quite a

25:48difficult problem to solve so I think not just that not just times it by how

25:54many things are changing but how many things that you’re running that you don’t have an idea of That So like um

26:01nowadays there’s even ways to sort of profile um access or profile what runs in a

26:07container or profile what runs in your Cloud so there’s all this you know

26:13advancement that’s happened in Ai and ml that constantly looks at

26:20um what normal looks like and makes the state of the access that that thing has

26:27what it what it should have what it’s supposed to do and then it alerts on something outside of that Paradigm yeah

26:33but then if it’s check if the service is changing then that might be legit that’s obviously it could be legit yeah because

26:39things that you’re assuming that everything’s got to stay the same the anomaly isn’t an anomaly yeah I mean

26:46it is to it yeah but it wouldn’t be an anomaly say to the team but that’s a which isn’t that good it’s a good thing

26:52no no it’s a good thing no I’m not saying it’s bad I’m just saying no it’s it’s

26:57learning things about good behaviors and what’s abnormal and then feeding back in Obviously good but

27:04I guess if you’re managing access somebody’s got to manage your access is

27:09obviously a bit of a constrained team I think you just have to accept that there will just be risk it isn’t a problem you

27:14can just solve yeah right it’s not a solved problem used I think I do that I just solve it what

27:21um not sure you just solved it but definitely anomaly detection I think is good I think that’s like

27:27um guard Duty kind of does a similar issue yeah exact thing right it looks at patterns and then but I guess that’s

27:34another reason to isolate accounts because otherwise the audit on a shared account could be a bit chaotic right

27:39you’ve got loads of projects using that account that makes it really hard to kind of find a pattern in all of that

27:45because if teams are coming in I mean ownership and ownership yeah so so let’s say you know it found a thing uh that um

27:53means that whatever is in that account is vulnerable um who am I going to talk to me as a

27:59person that now knows that this thing has happened because God Duty or or Sentinel or whatever else has told me um

28:06who who’s that message go to who’s that who yeah which person yeah

28:11um yeah this account yeah and and that I guess is the like other lens of kind of

28:18making things making sure that things are isolated um is there’s not just a um uh

28:26technology specific reason for doing it it’s a an understanding of of ownership

28:32and risk and everything that’s attached to everything that’s running in that account yeah yeah because thinking

28:38I mean security is a big topic but the decisions you’re making Now define the

28:44future so unless you can get out of those decisions really easily exactly right so like once everyone’s live it

28:51might have been made loads of sense because you’re like yeah and you you could be like project one project two

28:57you’re the first person delivering helping deliver some of these projects and another project about itself and

29:02you’re like well I’ve kind of already got all the account I’ve got all the infrastructure really easy for me to like just give you some environment

29:08within this infrastructure I’ve already got yeah and timelines are short and you’re deaf at the moment so like why

29:13not like yeah let’s just get you you might not even go live with it right so you kind of start a little bit on that

29:19premise and then they are live and you’re like oh we’re kind of sharing these

29:32[Laughter]

29:38 um and then before you know it obviously you’re kind of in this situation and then you’re right everyone permissions

29:45 are all over the place because lots of different people need access to the accounts for different reasons profiling

29:51 makes it hard and then you’re getting random something goes wrong who do you even inform who’s

29:57 who’s responsible how do you find out what went what went wrong because there’s so much order in there to like

30:03 tracing it back to nightmare not just things go wrong but because you’ve now got this weird like almost operating

30:09 model of two P two teams in each account then they psychologically aren’t you

30:16 know like you were saying earlier they’re not going to want to affect the the other account right so let’s say they spot something that’s a bit weird

30:24 um because you do you know you go go for people’s accounts and you’re like ah that’s a weird looking VM um it’s got

30:30 you know default name and default weird security group attached to it that’s open port 22 to zero zero zero zero

30:37 whatever I’m not going to question it because you know there’s someone else that’s in my account yeah yeah it must be okay it

30:44 must be okay you know it’s fine yeah exactly whatever whoever did it makes sense to whatever it is they would needed to do and now you’ve literally

30:50 just created like shadow IT because you don’t know the confines of which the

30:57 things that you own is being used or the risk to your project you’re working on

31:02 exactly right well I’m assuming it’s fine but I don’t really know so basically just stop sharing accounts so

31:07 we just put it stop it counts yeah if you’re sharing them right now stop immediately

31:15 those accounts right now um I don’t think I’ve ever heard you be so

31:22 aggressive do it right now well it’s because you know you kept saying um everyone’s gonna get hacked last time it’s probably somebody’s attacked right

31:29 now yeah but I think just for these reasons though sometimes just you know just stop doing the wrong things because

31:36 it’s not but I you know I mean there’s and it sounds weird me saying this but

31:44 on the empathetic side of things there’s so many different ways to do things and people don’t necessarily know oh no I’m

31:51 not sending no that’s why we’re saying exactly don’t don’t do yeah don’t do it because it’s complicated and harder than

31:56 it needs to be that’s it if you make a simple choice up front then your life becomes simpler because everything’s

32:01 isolated you don’t have those worries I actually know the order like just thinking a little bit up front you might

32:07 not have known I’m not saying expect everyone to know obviously the experience counts for a lot well it’s moving it’s moving

32:13 um so you know in that in in that um situation you talked about why it was easy for for that team two to

32:22 use yeah that one novels yeah

32:27 project one account right so um in in that scenario instead of fixing

32:34 the right thing which is creating new accounts and making it really easy to onboard a new thing using

32:41 um a known path or whatever they go for the shortcut which is just give me access to the thing that I

32:47 already have yeah make sure it’s got full permissions as well please yeah exactly full permissions I’d you know you can’t block me yeah um so how do you

32:54 fix that thing how do you make it really really easy to get accounts do you know just well

33:01 they give you ways of automating them now so yeah right yeah so I mean it is easy so well within reason it’s easy

33:07 obviously it’s it’s custom potential custom engineering you know or you can you there’s DSLs

33:14 around there in certain tools that support it I think your support most um but it’s still fairly new so even it

33:21 is very new in some places some of the APIs are actually really new yeah um and then some of them are less so new

33:27 but aren’t the full thing I think in Amazon obviously Control Tower which didn’t have an API at all

33:32 um but then there are ways of automating it but then the subscriptions and then there’s tenants you can automate those

33:38 things um a lot of tenants descriptions yeah subscription sorry and resource groups

33:43 um not tenants yeah um but yeah so I think and projects again obviously that sorts

33:49 you can automate those in Google so it’s always been there Google had ways of doing it all of all of the automation

33:55 was already there yeah but you still need to think up front I think these things these types of conversations

34:01 because you can still be in a in a better model but with bad practice right because it

34:09 doesn’t mean you might not have MFA anywhere right and just have an identity you know

34:16 and that’s an identity oh yeah or you could even have a shared anything yeah again yeah even worse the worst of all

34:23 worlds yeah sharing the identity so there are other ways to still not get it right but I think

34:28 um yeah it’s best just to make those decisions so okay we’re covered account structure to a certain degree to

34:36 user manager user management roles roles um and then policies I think policies we

34:43 covered in the last episode I don’t think we talked about putting preventative policies in because everything we’re talking about

34:48 infrastructure as code which people are going to be doing um and that is good obviously audit get

34:54 preventative is a is an interesting I guess it’s fast right knowing you’ve made a mistake before you yes exactly

35:00 before it’s become a problem it’s the thing isn’t it and that’s the good thing about testing first is test not just

35:07 that it works but test the fact that it’s secure um and that it meets your policies and

35:12 then if it doesn’t then you can change it so it does and then go and deploy yeah um you’ve made a decision about the

35:19 thing early enough yeah yeah exactly that so you’re informed um and then centralizing policies

35:25 is the other thing um which I don’t think many people do because obviously you can have policies

35:31 that you know you can check things in the standards and there’s things like Checkov etc but I think most might

35:38 just have them local to their own repositories and not necessarily have centralized up so that it’s like the

35:44 same policies are being checked everywhere and used everywhere and versioned in the right way and then

35:49 you’ve also got I guess the onus of you know even if you do centralize the

35:56 um this where those policies are stored you’ve now got the onus of the teams to

36:01 implement the check against those policies on every single thing that they do right so there’s so many different

36:07 layers that aren’t necessarily uh enforced where this could go wrong yeah

36:13 there is um so it’s a it’s another big topic that I guess we need to oh

36:18 [Laughter] it feels like you know you uh have some

36:26 gaps in this I don’t know I mean you know we all know that you’re sharing your identity I think that’s covered on

36:31 I actually have uh Jon Shanks pass one two three um

36:40 or change me with an exclamation mark yeah and a three and a three yeah for

36:45 the me yeah yeah um yeah okay so I guess there’s more topics

36:51 I don’t think we’ll cover we can cover this at that one in another episode yeah um and talk more about those things but

36:58 um cool I guess it’s been good to talk about security landing zones hopefully people found some value in some of the

37:04 things we’ve said if you’ve got questions please reach out as well yeah things you didn’t even agree with like

37:09 Murphy’s Law be good to hear from you actually so if you do have anything that um you know

37:16 you want to correct me or Jon on because you know we’re human infallible um or you’d uh just like to like for us

37:23 to talk about something that you’re interested in give us a shout cool obviously in cloud and security and that

37:29 type of world yeah all right great thank you I’ll speak to you soon bye bye