Temporary Access to the Cloud: A Case Study

Tomas Rabczak

BSidesSF 2024 · Day 1

This talk, presented by Tomas Rabczak, a Staff Software Engineer at Chime, delves into the critical security challenge of managing employee access to cloud resources and the development of an internal solution called "Access Service." The presentation outlines a comprehensive case study on how Chime transitioned from a culture of permanent access to a model of temporary, just-in-time access, significantly reducing its attack surface. Rabczak highlights the pervasive issue of the "human element" in data breaches, citing statistics and real-world incidents to underscore the necessity of such a system.

AI review

This talk presents a detailed case study of Chime's "Access Service," a custom-built solution for managing temporary cloud access. It effectively highlights the critical problem of persistent, unused access as a major attack vector, demonstrating a data-driven approach to quantify and mitigate this risk. The speaker provides a clear architectural overview, delves into the technical challenges of integrating with Okta and SCIM, and shares valuable insights from the development and rollout, including strategies for cultural change and addressing API limitations.