Reducing “Mixtape to Master Key” Scenarios: How to block the Dark Army from mayhem using API-driven access control

Presented at BSidesSF 2017, Feb. 12, 2017, 11:45 a.m. (30 minutes)

After tenure of a year or two at many companies, a senior engineer's access level is often maxed out. He or she probably has full root permissions across the entire infrastructure. We call these privileges ‘master keys' and, just like a building's master key, they are very dangerous if they fall into the wrong hands. Instead, privileged access should granted only on a temporary basis. Sometimes this means requesting increased access from a manager, or a peer. But sometimes the increased access can be imputed from another input. For example, sudo permissions can be automatically granted and revoked in accordance with an on-call schedule. Or a Jira ticket must be open and approved before a user can log into a sensitive database for scheduled maintenance.  This talk will cover how to quickly and easily build API-driven access control into your environment and eliminate your "master keys".

Presenters:

• Aren Sandersen - Founder - Foxpass
  Aren Sandersen has had engineering, operations, and security roles at various startups for the last 15 years. He founded Foxpass in 2015 to bring enterprise security practices to companies of all sizes.

Links:

• https://bsidessf2017.sched.com/event/9IKm/reducing-mixtape-to-master-key-scenarios-how-to-block-the-dark-army-from-mayhem-using-api-driven-access-control

Similar Presentations:

• BSidesSF 2016 / Access Control in 2016 - deep dive
• DeepSec 2017 „Science First!“ / Normal Permissions In Android: An Audiovisual Deception
• DEF CON 23 (2015) / Are We Really Safe? - Bypassing Access Control Systems