![]() ![]() It is tempting to keep some privileged roles outside of SSO to have more control but this amounts to creating backdoors for access. The most important tenet we agreed upon is to keep our corporate IDP as the source of truth for authentication and authorization. ![]() Identify and harden a single source of truth We share some of the key learnings from deploying and migrating our entire AWS workload to the new solution. As a security best practice, we are integrating all our internal tools (SAAS or developed in-house) with SSO. To address our production access needs, we implemented AWS SSO backed by our corporate identity (Azure AD) and an in-house serverless application called Elevator for temporary privilege escalation. We have now invested in building Shuttle - our continuous delivery platform and Logman - our centralized logging platform gradually reducing the need for engineers to access production compute instances for deployment and debugging. For an exponential growth startup like Swiggy, the problem had been more acute as multiple individuals inherited this wide access as we scaled our engineering team rapidly. One of the common problems with any startup is that early engineers have broad production access and over time the same is carried forward to new engineers, sometimes in the original unrestricted form and sometimes reduced but still wide enough to cause catastrophic changes in production. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |