undefined | Better HN

0 pointswarrenm2y ago0 comments

Pretty sure he means audit compliance, proper RBAC, etc

0 comments

Hmm audit compliance? Google gives you a log of who logged in where, doesn't it? And with "proper RBAC" you mean that you can put somebody into the "Developer" role, hence he gets AWS, GCP, Datadog, right?

warrenmOP2y ago

I don't know how extensive Google's logging is - heck, didn't even know they offered Enterprise SSO until a few days ago (every organization I know uses either Okta or M365/AD) :)

Proper RBAC is as granular as necessary, but no more

Proper RBAC also links everything needed by a certain role together

Merely knowing who logged-in where and when, though, is not enough - you also need to know what they did while there (and that they did not do anything they were not supposed to be able to do (which links back to proper RBAC'ing))

CIS, HIPAA, FISMA, SOX, STIG and all the other alphabet soup compliance rules, frameworks, etc are a lot more extensive than just "who logged in where" :)

--------

See NIST's page on RBAC for some of this: https://csrc.nist.gov/Projects/Role-Based-Access-Control

j / k navigate · click thread line to collapse