As a team and the number of its concurrent projects grow, so does the problem of maintaining, securing, and keeping its environment compliant. Even when managed correctly, work in a shared environment has a side effect – a combinatorial explosion of possible interactions, which has a negative impact on stability, operability, and security. We turn to the good old practice of segmentation to come to the rescue. But in the cloud, the unit of segmentation is not the network – it is the account. So we decided to provide micro-accounts as an internal service. The service is intended to be flexible and to take care of the heavy lifting, such as automation, monitoring, and hardening. In this talk, we will discuss our approach and results. We will cover the subject from a procedural as well as a technical point of view, so that you can replicate the method in your own environment. We will draw on our experience of operating for more than a year, discussing the wins and gotchas alike.
My name is Jakub Sekera. In 2020 I completed my Master's degree in Computer Security at Czech Technical University (Faculty of Information Technology). In December 2017, I gained employment with Cisco
...