MDB Weekly is a multi-format, weekly summary of information from the past week in Modern Digital Business. It's available as an article, an email newsletter, and as a LinkedIn newsletter. It will be published weekly on Mondays.
First Up: Learning From Incidents with Nora Jones
I had the distinct privilege of talking to Nora Jones, the Founder and CEO of Jeli.io, about end-to-end incident management. I first learned about Jeli.io when I interviewed Beth Long, the Engineering Manager at Jeli.io nearly two years ago. I was impressed with their product then, and it was great catching up with Nora to see how things have progressed with this startup over the last two years.
Needless to say, I was not disappointed. We recorded our conversation, and made it available on Software Engineering Daily. Have a listen!
Listen to the episode on Software Engineering Daily
Last week’s top story: Just-in-Time Permissions in Microservices-Based Applications
What can you do to keep your application free of vulnerabilities from bad actors? While there are many things, it’s essential to understand who in your organization needs access to your application’s production operating environment.
Usually, we think that anyone who manages the application in production needs access to production systems. But the Principle of Least Privilege suggests that you should not give access to production systems to most people involved in managing your systems. Arguably, nobody requires direct access to everything in a production environment. The Principle of Separation of Responsibility goes one step further and says that no single person should be able to access all of production.
But eventually, your application will have problems. Servers will need to be restarted, processes on those servers need to be terminated, containers have to be launched, files must be trimmed, and runaway services need to be stopped.
How do you perform privileged production activities when those working on the issue do not have privileged access?
This is where permission escalation comes into play.
Permission escalation, sometimes known as Just-in-Time permissions, gives an engineer extra permissions above their normal access rights to perform emergency operations in special circumstances, such as while an incident is ongoing.
On the surface, this seems contrary to the original goal, that of keeping the application secure by limiting permissions to only those that absolutely need it. However, the goal of permission escalation is to allow an engineer to engage in a well-defined process that allows them to get additional permissions, but only within the specific confines of an incident response process.
There are several models for doing this, each with a different set of advantages and disadvantages.
Read the full article in Container Journal
Links for the week:
- Just-in-Time Permissions in Microservices-Based Applications
- Learning From Incidents with Nora Jones
- Learning from Your Incident Response to Improve Availability
- Learning from Incidents with Beth Long (2021) p1
- Learning from Incidents with Beth Long (2021) p2
- Atchison Academy
- Book: Architecting for Scale
I hope you enjoyed this edition of Modern Digital Business weekly. If you enjoyed this, check out other formats available, including email. All versions are released weekly on Mondays.