undefined | Better HN

0 pointsacdha6d ago0 comments

> Lets take a concrete example, suppose you have AWS root account credentials. Are you going to assign them to one individual identity or as a company you would keep them accessible to a group of admins.

You’d use AWS Organizations so each admin authenticates using their own credentials, gets short-term credentials to access the member account for the handful of operations needing root, and audit usage. It’s not only more secure, it’s also easier:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-ena...

Old school, you’d have a shared password in an encrypted team vault (possibly requiring x of y users to decrypt it) and two FIDO tokens locked in a safe. Again, this is rare and at a federal agency you have a physical security team with 24x7 staffing so you can say “in an emergency, one of the people on this list can get a key out of a safe in the CIO’s office”.

0 comments

sandeepkd6d ago

great, now apply this to a 4 person startup who are just focussed to get business somehow. This is not on their radar and they would not be willing to spend money to address this either cause its not a problem that they are even aware of.

This is a tip of ice-berg, companies like openai, anthropic, perplexity, stripe, all of them have implemented their authentication and security flows in some interpreted language (python, ruby, typescript) cause that was the readily available talent on their product teams and most likely a good number of them do not even have their dependencies locked in.

acdhaOP5d ago

That’s a pretty different scenario than we’re taking here, but it still doesn’t salvage your previous comment. Those people could still use one of the password managers which support this, which again would be easier than what this guy did.

sandeepkd5d ago

I am not trying to find an excuse when something is clearly wrong, what I am trying to share is how we ended up in a particular situation. The scenario is not much different, the rationale is that security (secure practices) are not the part of the product offering for most products/contracts. I have lost quite a few battles to management for security, it does helps me to understand how people think and priortize. People don't care for what they do not understand.

j / k navigate · click thread line to collapse

0 comments

sandeepkd6d ago

acdhaOP5d ago

sandeepkd5d ago

j / k navigate · click thread line to collapse