1.2: People
You’ll hear that people are the weakest link. Set that phrase aside. It’s technically true in the same way that “gravity is the weakest force” is true — so broadly it tells you nothing and so fatalistic it lets you off the hook for the design work. The more useful framing: people are the most addressable layer if you design the controls around them. Everything else — devices, data, systems — you’re configuring software. With people you’re configuring a process, and the process is where most programs leak.
What lives here
- Employees and contractors. Full-time, part-time, 1099s, interns, the developer’s cousin you gave a GitHub seat to for two weeks in 2023.
- Access. Who can log into what, with what privileges, from where. This is where identity (who you are) meets authorization (what you can do).
- Awareness. The training you run and the judgment your people exercise in the five seconds after a weird email lands. Awareness isn’t a poster. It’s whether someone pauses before clicking.
- Lifecycle. Joiner, mover, leaver. The three transitions where access is granted, reshaped, or revoked. Most access problems originate here.
What typically goes wrong
Stale access. Someone left six months ago and is still in Active Directory, still in your Okta tenant, still in the shared 1Password vault. You find out during an audit, or worse, during an incident. If you run “who has access to production?” as a real query right now, you will find names you don’t recognize.
Over-privileged service accounts. A Jenkins pipeline runs with domain admin because that’s what somebody set up in 2019 and nobody wanted to touch it. Service accounts are people in a trench coat — they have credentials, they log in, they act — but nobody owns them and nobody reviews them.
Onboarding that gives everyone admin. The laziest defensible default: put new hires in a group that has access to everything the last person needed. Three hires later, your engineering group can approve production deploys, read Finance’s Google Drive, and modify DNS.
Missing offboarding. Offboarding is a two-party system — HR and IT — and both parties assume the other one owns it. There’s no checklist, no shared queue, no single source of truth. The former employee’s GitHub token keeps pulling from your private repos for 18 months until someone runs a billing audit.
Role changes. The sneakiest failure mode. Somebody moves from Sales to Finance. They gain Finance access. They never lose Sales access. After five years of internal moves, you have a handful of people who can do anything.
What mature orgs do differently
Automated joiner-mover-leaver. HR system is the source of truth for employment state. Identity provider pulls from HR. When a status changes, access changes. Manual interventions are the exception, not the rule.
Just-in-time elevation. Nobody has standing admin. When you need to run a privileged command, you request it, the request is logged, it expires. Tools like AWS IAM Identity Center, Teleport, and StrongDM make this tractable.
Periodic access reviews that are real. Not “manager clicks Approve on a list of 400 permissions in thirty seconds.” Access reviews that flag outliers — the person with twice the average group membership, the service account that hasn’t been touched in 18 months — and force a named human to justify each one.
Role-based access with clear ownership. Every role is defined. Every role has an owner. Every permission belongs to a role, not to an individual. When someone changes roles, access resolves to the new role’s permissions — not the union of old and new.
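As an added example (not code from this book or from any of the tools named above), here is a minimal access review in Python that runs the checks described in this section and the previous one over a constructed HR export and directory export: leavers still present in the directory, access that is the union of old and new roles instead of the current role, a human whose group count is at least twice the average, and a service account idle for more than 18 months. The ROLES map, user names, group names and dates are all assumptions for illustration.

```python
# Added example (not from the book): reconcile an HR export against a directory
# export and flag what a named human must justify. All data below is constructed.
from datetime import date
# Each role owns a fixed set of groups; nothing is granted per person (constructed).
ROLES = {"sales": {"crm", "vpn"}, "finance": {"erp", "gdrive-finance", "vpn"}}

# HR export, the source of truth for employment state and current role (constructed).
HR = [
    {"user": "alice", "status": "active", "role": "finance"},    # moved Sales -> Finance
    {"user": "bob", "status": "terminated", "role": "sales"},    # left months ago
    {"user": "carol", "status": "active", "role": "sales"},
    {"user": "dave", "status": "active", "role": "sales"},
]

# Directory export, what the identity provider actually grants today (constructed).
DIRECTORY = [
    {"user": "alice", "kind": "human", "groups": {"crm", "vpn", "erp", "gdrive-finance"}},
    {"user": "bob", "kind": "human", "groups": {"crm", "vpn"}},
    {"user": "carol", "kind": "human", "groups": {"crm", "vpn"}},
    {"user": "dave", "kind": "human", "groups": {"crm", "vpn", "erp", "gdrive-finance",
     "dns-admin", "deploy-prod", "github-admin", "domain-admins"}},
    {"user": "svc-jenkins", "kind": "service", "groups": {"domain-admins"},
     "last_login": "2022-09-01"},
]

def review(hr, directory, roles, today, dormant_days=548):
    """Return (user, finding) pairs; today is ISO, dormant_days=548 is about 18 months."""
    hr_by_user = {r["user"]: r for r in hr}
    sizes = [len(d["groups"]) for d in directory if d["kind"] == "human"]
    avg = sum(sizes) / len(sizes) if sizes else 0
    findings = []
    for d in directory:
        user, groups = d["user"], d["groups"]
        if d["kind"] == "service":
            # Nobody "leaves" a service account; review it on activity instead.
            idle = (date.fromisoformat(today) - date.fromisoformat(d["last_login"])).days
            if idle > dormant_days:
                findings.append((user, f"dormant service account, idle {idle} days"))
            continue
        rec = hr_by_user.get(user)
        if rec is None or rec["status"] != "active":
            findings.append((user, "leaver still present in directory"))
            continue
        # Access must resolve to the current role, not the union of old and new.
        extra = groups - roles[rec["role"]]
        if extra:
            findings.append((user, f"outside role {rec['role']}: {sorted(extra)}"))
        if len(groups) >= 2 * avg:
            findings.append((user, f"{len(groups)} groups vs. average {avg:.1f}"))
    return findings
```

Each finding is something a named owner has to justify or revoke; carol, whose access matches her role exactly, produces nothing.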
Anchor: Twitter, July 15, 2020
Attackers got into the internal admin panel of Twitter and took over the accounts of Barack Obama, Elon Musk, Joe Biden, Apple, and Uber. They pushed a Bitcoin scam that netted about $118k before Twitter killed it.
The attackers didn’t crack Twitter’s technical controls. They called the help desk. They social-engineered credentials out of Twitter employees, then used those credentials to log into the internal admin tool. The tool existed because it had to exist — you need admin capabilities to run a platform. But the path to the tool was guarded by people, and the people were under-prepared.
The fix isn’t “train harder.” The fix is to design the pathway so that even a fully compromised employee account can’t unilaterally take over Barack Obama’s Twitter. That’s a People-pillar design decision: step-up auth, four-eyes approval on high-impact actions, log every admin-panel entry. People were the addressable layer. Twitter eventually addressed it.