access management
2 articles with this tag
The security baseline for mid-to-large organizations: the standard foundation for teams
At scale the baseline shifts from a 'checklist' to 'programs with owners.' The priority order matches the indie version: 1) identity, 2) secrets and supply chain, 3) app and infra, 4) detect and respond, plus a cross-cutting people-and-governance layer. The big change: the leading cause of breaches moves from slips to people, process, departed-employee access, and third parties.
Don't give root keys to environments that can be compromised: SSH key least privilege
Registering a root key for production from an ephemeral, compromisable environment (GPU pod, CI runner, throwaway VM) means that the moment that environment is compromised, the attacker has root on production. Fix: no root keys on ephemeral environments; remove keys when unused; if access is needed again, use a non-root user plus a command-restricted key that is limited to one operation. A reused key is your most critical asset — never build a 'one leak, everything' setup.