diff --git a/_posts/2023-04-11-temporary-privileges.md b/_posts/2023-04-11-temporary-privileges.md index 35f9973e..0e1f994d 100644 --- a/_posts/2023-04-11-temporary-privileges.md +++ b/_posts/2023-04-11-temporary-privileges.md 
@@ -12,8 +12,6 @@ author: image: jplachance.jpg --- -I spend most of my days inside a code editor, Jira, Outlook, or in meetings. Now that one of our projects won the [Identity Management Project of the Year – SMB](https://www.idsalliance.org/press-release/identity-defined-security-alliance-announces-winners-of-identity-management-awards/) award, it's a great opportunity to take a look back at what the Coveo R&D Defense team built. - The Coveo infrastructure is constantly growing. DevOps engineers add new regions and services, which leads to more systems that can break, more complex access management, and more complex audit logging. If I tell stakeholders that the entire R&D department needs always-on access to all the services they deploy and own in a production environment, some of those stakeholders will tell me that the risks are too high and that it is not acceptable. On the other hand, if only a handful of people can help when there is an incident in production, the on-call access management person will have to be woken up every time an engineer needs access to a specific resource. This makes access management unhappy, and increases the time to resolution, potentially even causing a breach of our service level agreement. Leadership won't like that. This is why Coveo needed a good middle ground. The R&D department needed a system that allowed selected employees to gain privileged access on systems they own for a short period of time, fix the incident, and follow up with a post-mortem. Back in 2020, Coveo adopted [strongDM](https://www.strongdm.com/) to manage privileged access rights. While it already supported granting temporary privileges, it lacked a way to allow employees to quickly request a temporary privilege, without waking up the strongDM administrator at 3 AM. From the strongDM APIs, the R&D Defense team built that system.
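Review bot: the two `-` lines drop the only sentence that tells the reader what this post is (a look back at what the Coveo R&D Defense team built) together with the only link to the IDSA award, so the post now opens cold on "The Coveo infrastructure is constantly growing." and the subject is not named until the final sentence of the context ("the R&D Defense team built that system"). If the goal is only to remove the award mention, consider keeping a one-line framing sentence in its place, for example "This post looks back at the temporary-privilege system the Coveo R&D Defense team built on top of strongDM." Two smaller points on the same hunk: the second deleted line is the blank line that separated the front-matter `---` from the body, so after this change the body paragraph starts directly after the closing `---`; Jekyll strips the front matter either way, but keeping the blank line preserves the file's existing layout. And the header `@@ -12,8 +12,6 @@` is consistent with removing exactly two lines, so no further adjustment is needed there.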