• AWS KMS: How many keys do I need?: A few things to consider:
    • Data classification: if you hold sensitive data (health records, identity data) alongside public data, there is probably a case for at least two keys, one per classification, so access and blast radius can be scoped separately
    • Roles: who is responsible for key management (rotation, deactivation, etc.)
    • Teams: security team, development, operations may have different reasons to access keys
      • Another split here could be around business units within a company (different applications)
    • Reasons for access and least privilege: consider workflows around keys and map those to roles, teams
    • Manageability: Every key adds operational overhead. Too few is a problem but so is too many
    • Note: applications must be able to work with multiple keys at once, because after a rotation data encrypted under the previous key still has to decrypt until it is re-encrypted; each ciphertext should record which key it was encrypted under
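The considerations above in working code, as an added example that is not from the linked post. `LocalKms` is an offline stand-in for AWS KMS (one alias per data classification, a constructed per-team policy with assumed team names, rotation that repoints the alias while keeping the old key, and deactivation); `_seal`/`_open` stand in for a real AEAD because the standard library has no AES-GCM. The point to watch is the envelope: it names the concrete key id, not the alias, which is what lets an application keep reading old data across a rotation and what breaks once the old key is disabled.

```python
# Added example, not code from the linked post. LocalKms stands in for AWS KMS
# offline; _seal/_open stand in for a real AEAD (the stdlib has no AES-GCM).
import hashlib
import hmac
import json
import secrets

# Constructed policy (assumed teams and aliases): one key alias per data
# classification, plus per-operation allow lists of which team may do what.
POLICY = {
    "alias/phi": {"encrypt": {"app"}, "decrypt": {"app"}, "rotate": {"security"}, "disable": {"security"}},
    "alias/public": {"encrypt": {"app", "ops"}, "decrypt": {"app", "ops"}, "rotate": {"security", "ops"}, "disable": {"security"}},
}
class AccessDenied(PermissionError): pass
class KeyDisabled(RuntimeError): pass

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))[:length]

def _seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: HMAC-SHA256 counter-mode keystream, separate enc/mac subkeys."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": _prf(mac_key, nonce + ct).hex()}

def _open(key: bytes, box: dict) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    if not hmac.compare_digest(bytes.fromhex(box["tag"]), _prf(mac_key, nonce + ct)):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class LocalKms:
    """An alias points at the *current* key; rotated-out keys stay usable for
    decrypt until a security owner disables them, so re-encrypt old data first."""

    def __init__(self):
        self.keys = {}     # key_id -> {"alias", "material", "enabled"}
        self.aliases = {}  # alias -> current key_id
        for alias in POLICY:
            self._create(alias)

    def _create(self, alias):
        key_id = secrets.token_hex(8)
        self.keys[key_id] = {"alias": alias, "material": secrets.token_bytes(32), "enabled": True}
        self.aliases[alias] = key_id
        return key_id

    def _authorize(self, principal, alias, op):
        if principal not in POLICY[alias][op]:
            raise AccessDenied(f"{principal} may not {op} {alias}")

    def rotate(self, principal, alias):
        self._authorize(principal, alias, "rotate")
        return self._create(alias)

    def disable(self, principal, key_id):
        self._authorize(principal, self.keys[key_id]["alias"], "disable")
        self.keys[key_id]["enabled"] = False

    def encrypt(self, principal, alias, plaintext):
        """Envelope encryption: a fresh data key per message, wrapped under the alias's
        current key. The envelope records the concrete key_id, not the alias."""
        self._authorize(principal, alias, "encrypt")
        key_id = self.aliases[alias]
        dek = secrets.token_bytes(32)
        return json.dumps({"key_id": key_id, "body": _seal(dek, plaintext),
                           "wrapped_dek": _seal(self.keys[key_id]["material"], dek)})

    def decrypt(self, principal, envelope_json):
        env = json.loads(envelope_json)
        entry = self.keys[env["key_id"]]  # may be an older, rotated-out key
        # Authorize on the key's own classification, never on a field in the envelope.
        self._authorize(principal, entry["alias"], "decrypt")
        if not entry["enabled"]:
            raise KeyDisabled(env["key_id"])
        return _open(_open(entry["material"], env["wrapped_dek"]), env["body"])

def _raises(exc, fn):
    try: fn(); return False
    except exc: return True

def rotation_walkthrough():
    """Rotate, then disable, the PHI key with data under both; returns named checks."""
    kms = LocalKms()
    old_id = kms.aliases["alias/phi"]
    c1 = kms.encrypt("app", "alias/phi", b"patient record 1")
    new_id = kms.rotate("security", "alias/phi")
    c2 = kms.encrypt("app", "alias/phi", b"patient record 2")
    checks = {
        "old_ciphertext_still_decrypts": kms.decrypt("app", c1) == b"patient record 1",
        "new_ciphertext_uses_new_key": json.loads(c2)["key_id"] == new_id != old_id,
        "ops_cannot_read_phi": _raises(AccessDenied, lambda: kms.decrypt("ops", c1)),
        "app_cannot_rotate": _raises(AccessDenied, lambda: kms.rotate("app", "alias/phi")),
    }
    kms.disable("security", old_id)
    checks["disabled_key_refuses_old_data"] = _raises(KeyDisabled, lambda: kms.decrypt("app", c1))
    return checks
```

`rotation_walkthrough()` returns a dict of named booleans that should all be true. The last one is the operational lesson behind the manageability and rotation bullets: disabling a key is safe only once nothing still depends on it, so inventory which ciphertexts reference which key id before anyone with the `disable` role pulls the trigger.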
  • Gotta Go Slow: “I tell everyone I work with to make sure their health is not the implicit buffer used to amortize their organization’s shortfalls. You can’t personally absorb all the shocks of a flawed system that may or may not actively be forcing you in that position.”
  • On work processes and outcomes: work as prescribed (what you are officially supposed to do) vs work as actually performed; in real life people find their own, sometimes unexpected, routes to the goal. Good and bad outcomes both follow from actions either way.
  • Reservoir Sampling: Algorithm for fair sampling in a stream of data.
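Algorithm R, the standard reservoir sampler, as an added example that is not from the linked article. The stream is a constructed batch of sshd log lines (a stand-in for a firehose of unknown length that cannot be buffered); `selection_frequencies` is the check that makes the "fair" claim concrete, since every position in the stream should be selected with probability close to k/n, early and late alike.

```python
# Added example, not from the linked article: Vitter's Algorithm R with a
# constructed log stream and an empirical fairness check.
import random
from typing import Iterable, List, Optional, TypeVar

T = TypeVar("T")

def reservoir_sample(stream: Iterable[T], k: int, rng: Optional[random.Random] = None) -> List[T]:
    """Uniform sample of k items from a stream of unknown length: one pass, O(k) memory.

    The first k items fill the reservoir. Item number i (1-based, i > k) then
    overwrites a uniformly chosen slot with probability k/i, which keeps every
    item seen so far in the sample with probability exactly k/i.
    """
    if k < 0:
        raise ValueError("k must be non-negative")
    if rng is None:
        rng = random.Random()
    reservoir: List[T] = []
    for i, item in enumerate(stream, start=1):
        if i <= k:
            reservoir.append(item)
        else:
            j = rng.randrange(i)  # uniform over 0..i-1
            if j < k:             # happens with probability k/i
                reservoir[j] = item
    return reservoir

def selection_frequencies(n: int, k: int, trials: int, seed: int = 0) -> List[float]:
    """Empirical probability that each of n stream positions ends up in the sample.
    For a fair sampler every entry is close to k/n, first and last position alike."""
    rng = random.Random(seed)
    counts = [0] * n
    for _ in range(trials):
        for position in reservoir_sample(range(n), k, rng):
            counts[position] += 1
    return [c / trials for c in counts]

# Constructed sample stream (not real logs): in practice this would be a firehose
# of syslog or CloudTrail lines too large to buffer and of unknown total length.
SAMPLE_LOG = [
    f"2024-01-01T00:00:{s:02d}Z sshd[{1000 + s}]: Failed password for invalid user admin "
    f"from 203.0.113.{s} port 4{s:04d} ssh2"
    for s in range(60)
]

def sample_for_review(lines: Iterable[str], k: int, seed: int) -> List[str]:
    """Pick k lines for a human to eyeball without ever holding the whole stream."""
    return reservoir_sample(iter(lines), k, random.Random(seed))

if __name__ == "__main__":
    for line in sample_for_review(SAMPLE_LOG, 3, seed=42):
        print(line)
    freqs = selection_frequencies(n=10, k=3, trials=20_000)
    print("selection frequencies (expect about 0.30 each):", [round(f, 3) for f in freqs])
```

The `rng` parameter exists so the sample is reproducible when you need to show someone exactly which lines were pulled; leave it unset in a pipeline where predictability of the sample would let an attacker keep their events out of review.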
  • Just fucking use HTML: Funny. HTML will probably still work 30 years from now. Will React and Vue webapps?