Night Mode Labs Blue Book
Operations

Identity and Access

Identity and access should make the safe path easy. Separate human access, workload access, emergency access, and audit evidence.

Access model

Human access

  • Use SSO as the default entry point.
  • Map access through groups, roles, and teams instead of individuals.
  • Require MFA for administrative and production access.
  • Prefer just-in-time elevation for sensitive actions.
  • Review privileged access on a defined cadence.

Workload identity

Prefer workload identity over static credentials.

  • Use OIDC federation for CI/CD pipelines.
  • Use cloud-native managed identity for runtime workloads.
  • Scope permissions to the workload and environment.
  • Rotate or eliminate long-lived credentials.
  • Avoid shared service accounts across unrelated services.
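
As an added example (not Night Mode Labs' own configuration), the trust policy for an AWS IAM role that a GitHub Actions pipeline assumes through OIDC federation, pinned to one repository and one deployment environment; the account ID, organisation and repository names are placeholders. The `sub` condition is what scopes the trust to the workload and environment: omitting it, or loosening it to a `StringLike` match on `repo:example-org/*`, lets any workflow in the organisation assume the role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitHubActionsProductionDeployOnly",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:example-org/example-service:environment:production"
        }
      }
    }
  ]
}
```

The role's permission policy is separate and should be limited to what the deploy step actually needs; the trust policy only decides which workload may obtain a short-lived session, so no long-lived credential is stored in the pipeline.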

Break-glass access

Break-glass should be rare, tested, and auditable.

A good break-glass process includes:

  • Named owners and approval expectations.
  • Strong authentication and limited permissions.
  • Automatic logging and notification.
  • Expiry or automatic revocation.
  • Post-use review and remediation.

Evidence

Keep evidence easy to produce. Access reviews, role definitions, privileged actions, and emergency use should be exportable without manually reconstructing events from chat history.
