The Masterkey Problem: How to block mayhem using API-driven access control

After tenure of a year or two at many companies, a senior engineer’s access level is often maxed out. He or she probably has full root permissions across the entire infrastructure. We call these privileges ‘master keys’ and, just like a building’s master key, they are very dangerous if they fall into the wrong hands.

Instead, privileged access should only be granted on a temporary basis. Sometimes this means requesting increased access from a manager, or a peer. But sometimes the increased access can be assigned from another input. For example, sudo permissions can be automatically granted and revoked in accordance with an on-call schedule. Or a Jira ticket must be open and approved before a user can log into a sensitive database for scheduled maintenance.

This talk will cover how to quickly and easily build API-driven access control into your environment and eliminate your “master keys”.