Friday, September 27, 2024

 

Just-in-time (JIT) access, also known as just-in-time privileged access management (JIT PAM), is a security approach that grants privileged access or permissions only for the finite moments in which they are needed. It eliminates always-on, persistent privileged access, known as "standing privileges." The Just Enough Access (JEA) model, on the other hand, is essential for implementing the principle of least privilege. "True least privilege" requires combining both models, so that organizations can minimize the footholds available to attackers and the paths to privilege through which an attack could escalate. Many enterprises, however, struggle with malpractices such as deploying too many accounts with unnecessary privileges, permissions, and entitlements, a standing-access status quo, privilege blindness, and a lack of context around privileged risk. Combining the two approaches significantly reduces the attack surface and minimizes these exposures.

In Amazon Web Services (AWS), limiting human access to cloud resources is crucial for security. AWS offers tools such as AWS Identity and Access Management (IAM) and AWS IAM Identity Center for managing access. Granting developers just-in-time access for a limited time, based on an approval, is an effective way to limit the active time frame of assignments to AWS resources. Okta's integration with IAM Identity Center allows customers to access AWS using their Okta identities. The roles could correspond to different job functions within your organization: for example, the "AWS EC2 Admin" role could correspond to a DevOps on-call site reliability engineer (SRE) lead, whereas the "AWS EC2 Read Only" role may apply to members of your development team. The step-by-step configuration involves setting up groups that represent the different privilege levels, enabling automatic provisioning of those groups with the SCIM protocol, assigning access for the groups in Okta, creating permission sets in IAM Identity Center, assigning group access in your AWS organization, configuring Okta Identity Governance access requests, and finally testing the configuration. Okta's integration with AWS minimizes persistent access assignments by granting access just in time for specific operational functions: empty user groups are assigned to highly privileged AWS permission sets, and Okta Access Requests control how long a user remains a member of such a group.

In Azure, Conditional Access templates provide a convenient way to deploy new policies aligned with Microsoft's recommendations. These templates are designed to provide maximum protection, aligned with the policies commonly used across customer types and locations, and are organized into the categories secure foundation, zero trust, remote work, protect administrator, and emerging threats. Certain accounts must be excluded from these templates: emergency-access or break-glass accounts, to prevent a tenant-wide lockout, and service accounts and service principals that are non-interactive and not tied to any particular user.

Thursday, September 26, 2024

 Principle of Just-in-Time (JIT) privileged access:

This is a security model used in the Azure public cloud to grant temporary permissions to users for performing privileged tasks. This approach helps minimize the risk of unauthorized access by ensuring that elevated permissions are only available when needed and for a limited time. Users receive elevated permissions only for the duration necessary to complete specific tasks; once the time expires, the permissions are revoked automatically. A dedicated service in the Azure portfolio, Azure AD Privileged Identity Management (PIM), manages JIT access, allowing administrators to control and monitor privileged access to Azure resources and Azure AD. PIM can generate alerts for suspicious or unsafe activities, enhancing security monitoring. This is commonly used for administrative tasks, accessing sensitive data, or managing critical infrastructure.

Amazon Web Services (AWS) supports something similar through Privileged Access Management (PAM) solutions: third-party solutions can be integrated with AWS to provide ephemeral JIT access, ensuring that users only hold the necessary privileges for the duration of their tasks. AWS itself provides fine-grained permissions for users, groups and roles through its Identity and Access Management policies, which can even restrict access to a certain time of the day. Its single sign-on service can work with different identity providers to enforce JIT access. Finally, the AWS Security Token Service can issue temporary security credentials that grant time-limited access to AWS resources.
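As an added illustration of the time-bounded IAM policy just described (example code written for this page, not AWS's own policy evaluator): build a JIT policy whose Condition block uses the real `aws:CurrentTime` key and IAM's date operators, then evaluate constructed requests against it with a minimal default-deny evaluator that supports only exact action and resource matches. The action, resource and approval window in `demo()` are constructed sample values.

```python
import json
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # timestamp format IAM accepts for aws:CurrentTime


def build_jit_policy(actions, resource, start, end):
    """Policy document that allows `actions` on `resource` only while the
    request time lies in the half-open approval window [start, end)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JitWindow",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": resource,
            "Condition": {
                "DateGreaterThanEquals": {"aws:CurrentTime": start.strftime(TS_FMT)},
                "DateLessThan": {"aws:CurrentTime": end.strftime(TS_FMT)},
            },
        }],
    }


# IAM date condition operators, mapped to the comparison each expresses
DATE_OPS = {
    "DateGreaterThan": lambda now, ref: now > ref,
    "DateGreaterThanEquals": lambda now, ref: now >= ref,
    "DateLessThan": lambda now, ref: now < ref,
    "DateLessThanEquals": lambda now, ref: now <= ref,
}


def _parse(ts):
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def is_allowed(policy, action, resource, now):
    """Minimal default-deny evaluator: an Allow statement matches only if the
    action and resource match exactly and every aws:CurrentTime condition holds.
    (Real IAM also handles wildcards, Deny statements and many other keys.)"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if action not in stmt["Action"] or stmt["Resource"] != resource:
            continue
        conditions = stmt.get("Condition", {})
        if all(DATE_OPS[op](now, _parse(kv["aws:CurrentTime"]))
               for op, kv in conditions.items()
               if op in DATE_OPS and "aws:CurrentTime" in kv):
            return True
    return False


def demo():
    """Constructed scenario: a two-hour approval window for stopping EC2 instances."""
    start = datetime(2024, 9, 26, 9, 0, tzinfo=timezone.utc)
    end = start + timedelta(hours=2)
    stop, res = "ec2:StopInstances", "*"
    policy = build_jit_policy([stop], res, start, end)
    inside = start + timedelta(minutes=30)
    return {
        "inside_window": is_allowed(policy, stop, res, inside),
        "before_start": is_allowed(policy, stop, res, start - timedelta(seconds=1)),
        "at_expiry": is_allowed(policy, stop, res, end),   # window is half-open
        "other_action": is_allowed(policy, "ec2:TerminateInstances", res, inside),
        "policy_json": json.dumps(policy, indent=2),
    }


if __name__ == "__main__":
    print(demo()["policy_json"])
```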

To bolster physical security, reduce the risk of malware or unauthorized access, and streamline and restrict the activities that can be performed with escalated privilege, Microsoft hands out Secure Admin Workstations (SAWs): specialized, dedicated devices used exclusively for administrative tasks. They are particularly valuable in high-risk environments where security is paramount. Public clouds are the most widely used clouds, but there are other clouds whose scope is dedicated to governments, defense departments and other tenants that require tighter access control; these are collectively called sovereign clouds, and they benefit especially from SAW devices. Only authorized personnel can use SAWs, and they are subject to strict security policies and monitoring. As an example, Microsoft uses approximately 35,000 SAW devices, with a small number dedicated to accessing these high-risk environments, i.e. sovereign clouds.

These practices help ensure that Azure remains a secure platform for both administrators and users. 



Wednesday, September 25, 2024

 Manifesting Dependencies:

Among the frequently encountered and disconcerting challenges faced by engineers who deploy infrastructure is how to understand, capture and use dependencies. Imagine a clone army in which all entities look alike and a specific one or two need to be replaced. Without a name or identifier at hand it is difficult to locate those entities, and it becomes even harder when we do not know which of the others are actually using them, so that we can be mindful of the consequences of replacing them. Grounding this example with cloud resources in the Azure public cloud: take a set of resources, each with a private endpoint that gives it a unique private IP address, and suppose we want to replace the virtual network that is integrated with these resources. When we switch the virtual network, the old and the new do not interact with one another, and traffic that was flowing to a resource on the old network is disrupted when that resource moves to a different virtual network. Unless we know all the dependencies, that is, who is using the resource that is about to move, we cannot resolve the failures they might encounter. What adds to the challenge is that the virtual network is like a carpet on which the resources stand, and this resource type is always local to an availability zone or region, so there is no built-in redundancy or replica to ease the migration. One cannot just move the resource as if it were moving from one resource group to another; it must be untethered and tied to another virtual network by deleting the old private endpoint and adding a new one.

Taking the example a little further, IaC does not capture dependencies between usages of resources; it only captures dependencies on creation or modification. For example, a workspace that users access to spin up compute and run their notebooks might be using a container registry over the virtual network, but that dependency is never manifested, because the registry does not maintain a list of addresses or networks to allow. The only way to reverse-engineer the list of dependencies is to check the DNS zone records associated with the private endpoint and the entries added to the callers that resolve the container registry over the virtual network. These entries carry the private IP addresses of the callers, and because each address belongs to an address space designated to a sub-network, it is possible to tell whether it came from a connection device associated with a compute instance belonging to the workspace. By painfully enumerating each of these links, it is possible to draw up a list of all workspaces using the container registry. The records that helped us draw up the list may contain many stale entries, as callers disappear but do not clean up their records, so some pruning might be involved, and the list will change over time, but it will still be handy.
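As an added example of the reverse-engineering step just described (written for this page, not the post's own tooling): attribute the private IP addresses found in the DNS entries to workspace subnets with Python's `ipaddress` module, and flag entries that fall outside every known subnet as stale candidates for pruning. The workspace names, subnet ranges and record entries are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: subnets delegated to each workspace's compute.
WORKSPACE_SUBNETS = {
    "ws-research": ["10.1.0.0/24"],
    "ws-analytics": ["10.1.1.0/24", "10.1.2.0/25"],
}

# Constructed sample data: (record name, private IP) entries observed on the
# callers that resolve the container registry over the virtual network.
DNS_ENTRIES = [
    ("nb-a1.internal", "10.1.0.4"),
    ("nb-a2.internal", "10.1.0.5"),
    ("nb-a1.internal", "10.1.0.4"),      # duplicate registration
    ("nb-b1.internal", "10.1.1.7"),
    ("nb-old.internal", "10.9.0.3"),     # subnet no longer exists: stale
]


def subnet_index(workspace_subnets):
    """Flatten to (network, workspace) pairs, most specific prefix first, so an
    overlapping smaller subnet wins over an enclosing one."""
    nets = [(ipaddress.ip_network(cidr), ws)
            for ws, cidrs in workspace_subnets.items() for cidr in cidrs]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def attribute_entries(entries, workspace_subnets):
    """Map each entry's IP to the workspace that owns its subnet.
    Returns ({workspace: sorted unique IPs}, [stale (name, ip) entries])."""
    nets = subnet_index(workspace_subnets)
    callers = defaultdict(set)
    stale = []
    for name, ip in entries:
        addr = ipaddress.ip_address(ip)
        owner = next((ws for net, ws in nets if addr in net), None)
        if owner is None:
            stale.append((name, ip))     # no live subnet: prune candidate
        else:
            callers[owner].add(ip)
    return {ws: sorted(ips) for ws, ips in callers.items()}, stale


def registry_consumers(entries=DNS_ENTRIES, workspace_subnets=WORKSPACE_SUBNETS):
    """Sorted list of workspaces that currently use the registry."""
    callers, _ = attribute_entries(entries, workspace_subnets)
    return sorted(callers)


if __name__ == "__main__":
    live, stale = attribute_entries(DNS_ENTRIES, WORKSPACE_SUBNETS)
    for ws, ips in sorted(live.items()):
        print(f"{ws}: {', '.join(ips)}")
    print("stale entries:", stale)
```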



Tuesday, September 24, 2024

 

Problem: Given a weighted bidirectional graph with N nodes and M edges and all the weights as distinct positive numbers, find the maximum number of edges that can be visited on traversing the graph such that the weights are ascending.

Solution: When an edge is encountered in ascending order of weight, between nodes u and v, say, it must be the first edge of a path starting at either u or v and at no other node. That path starts at one endpoint, goes through edge uv, and then continues along the remaining longest ascending path from the other endpoint. Therefore, with an array w holding the length of the longest ascending path accumulated at each vertex, the values at these two nodes become max(w[u], w[v] + 1) and max(w[v], w[u] + 1) respectively.

 

    import java.util.Arrays;
    import java.util.Comparator;

    public static int solution_unique_weights(int N, int[] src, int[] dest, int[] weight) {
        int M = weight.length;
        // e[x] = number of edges on the longest ascending-weight path ending at node x
        int[] e = new int[N];
        Integer[] index = new Integer[M];
        for (int i = 0; i < M; i++) { index[i] = i; }
        // Process edges in ascending weight order (weights are distinct, so no ties)
        Comparator<Integer> comparator = (i, j) -> Integer.compare(weight[i], weight[j]);
        Arrays.sort(index, 0, M, comparator);
        for (int i = 0; i < M; i++) {
            int u = src[index[i]];
            int v = dest[index[i]];
            // This edge is heavier than every edge seen so far, so it can extend
            // the best path ending at the other endpoint by exactly one edge.
            // Use the old values of both endpoints before updating either.
            int newU = Math.max(e[u], e[v] + 1);
            int newV = Math.max(e[v], e[u] + 1);
            e[u] = newU;
            e[v] = newV;
        }
        return Arrays.stream(e).max().getAsInt();
    }

 

    src[0] = 0    dest[0] = 1    weight[0] = 4
    src[1] = 1    dest[1] = 2    weight[1] = 3
    src[2] = 1    dest[2] = 3    weight[2] = 2
    src[3] = 2    dest[3] = 3    weight[3] = 5
    src[4] = 3    dest[4] = 4    weight[4] = 6
    src[5] = 4    dest[5] = 5    weight[5] = 7
    src[6] = 5    dest[6] = 0    weight[6] = 9
    src[7] = 3    dest[7] = 2    weight[7] = 8

    index:  0 1 2 3 4 5 6 7  // before sort
    index:  2 1 0 3 4 5 7 6  // after sort

    e:
    0  1  0  1  0  0  0  0
    0  2  2  1  0  0  0  0
    3  3  2  1  0  0  0  0
    3  3  3  4  4  0  0  0
    3  3  3  4  5  5  0  0
    3  3  4  4  5  5  0  0
    6  3  4  4  5  6  0  0

The longest ascending path is 3->1->2->3->4->5->0, with 6 edges.

 

Monday, September 23, 2024

 Infrastructure as a top-down approach versus bottom-up growth.

Centralized planning has many benefits for infrastructure, as evidenced by parallels in the construction industry and public transportation. The top-down approach in this context typically refers to a method where policy decisions and strategies are formulated at a higher, often governmental or organizational, level and then implemented down through the various levels of the system. This approach contrasts with a bottom-up approach, where policies and strategies are developed based on input and feedback from lower levels, such as local communities or individual stakeholders.

Such a regulatory approach might involve:

Centralized Planning: High-level authorities set infrastructure policies and plans, which are then executed by regional or local agencies.

Regulation and Standards: Establishing uniform regulations and standards for cloud systems, which must be adhered to by all stakeholders.

Funding Allocation: Decisions on the allocation of funds for infrastructure projects are made at a higher level, often based on broader economic and policy goals.

This approach can ensure consistency and alignment with national or regional objectives, but it may also face challenges such as lack of local adaptability and slower response to specific local needs.

On the other hand, a bottom-up approach typically involves building and configuring resources starting from the lower levels of the infrastructure stack, often driven by the needs and inputs of individual teams or developers. This approach contrasts with a top-down approach, where decisions and designs are made at a higher organizational level and then implemented downwards.

Here are some key aspects of the bottom-up approach in Azure deployments:

Developer-Driven: Individual developers or teams have the autonomy to create and manage their own resources, such as virtual machines, databases, and networking components, based on their specific project requirements.

Incremental Development: Infrastructure is built incrementally, starting with basic components and gradually adding more complex services and configurations as needed. This allows for flexibility and adaptability.

Agility and Innovation: Teams can experiment with new services and technologies without waiting for centralized approval, fostering innovation and rapid iteration.

Infrastructure as Code (IaC): Tools like Terraform and Azure Resource Manager (ARM) templates are often used to define and manage infrastructure programmatically. This allows for version control, repeatability, and collaboration.

Feedback Loops: Continuous feedback from the deployment and operation of resources helps teams to quickly identify and address issues, optimizing the infrastructure over time.

This approach can be particularly effective in dynamic environments where requirements change frequently and rapid deployment and scaling are essential.

The right approach depends on a blend of what suits the workloads demanded by the business in the most expedient manner with iterative improvements and what can be curated as patterns and best practices towards a system architecture that will best serve the organization in the long run across changes in business requirements and directions.


Sunday, September 22, 2024

 This is a summary of the book titled "Cash is King", written by Peter W. Kingma and published by Wiley in 2024. Founders usually chase revenue, with cash a secondary concern, but firms with strong cash positions can seize new opportunities and remain flexible. Using a fictional Owens Inc., the author drives this point home through a comprehensive treatise on cash management. The procurement process, from order placement to payment, affects a company's cash position. Business functions such as marketing and warehousing can also help optimize the cash position. Logistics, which is usually dynamic in nature, can help with inventory management and reduce cash freezes. A firm's cash position can benefit from working capital management, and performance measurement metrics can aid managers. Improved cash management can boost a business's resilience and guide it through bad times.

A business should prioritize cash flow over revenue generation to sustain growth. For example, Owens Inc., a manufacturer of electrical equipment, found that its sales terms were too favorable and its internal processes were complicated, affecting invoicing and collections. The company's growth was driven by risk-taking and sales growth, but it neglected inventory management and internal processes. To manage sales and client relationships, companies should segment customers, implement credit review policies, track invoice payments, set collector targets, and adopt electronic payment methods. The procurement process, from order placement to payment, also impacts a company's cash position. The procurement team must manage routine processes and deal with emergencies daily. Under that pressure, it may not notice trade-offs that affect the company's cash position, such as lead times, minimum order quantities, and delivery times.

Business functions like marketing and warehousing can optimize cash position by synchronizing their interests and goals. Procurement personnel should focus on negotiating the best prices, while logistics management should be dynamic and adaptable to changing customer needs, transportation costs, and innovation. Marketing and engineering functions should monitor inventory to identify lost demand and ensure legitimate demand for new products. Logistics and warehousing should aim for higher service levels, requiring more inventory.

Logistics can affect a firm's cash flow through variations in batch size, use of technology, standardized terms of trade, customer-negotiated service terms, optimal warehouse management, and linking customer status updates to billing functions. These factors can disrupt existing dynamics and impact inventory management. The COVID-19 pandemic and global supply chains have also impacted inventory management.

Plant management procedures can optimize inventory investment for optimal returns. Investing in inventory that sells quickly and at a high margin yields more favorable returns than unused inventory. Safety stock is the level of inventory required to meet customer service standards, calculated based on historical variations. Minimal stock on hand for made-to-order products and minimal stock in transit can help reduce transportation time and minimum order requirements. Working capital management can improve a firm's cash position. A good financial controller can help businesses tackle accounting and financial reporting, following best practices like absorption costing and weighted average cost of capital (WACC). A company's stock price is affected by debt, and controllers should be cautious of using short-term debt costs without considering equity costs. Strong performance in one area can mask poor performance in another.

Managers should effectively use performance measurement metrics to gauge business performance and make informed decisions. Common metrics include inventory turns and cost per unit. However, they often do not align with operational metrics, leading to data integration issues or lack of review. Leadership metrics should serve as warning lights, guiding the company's health before it is too late. Operating metrics should capture the input management needs to measure, and key performance indicators and bonuses should be aligned with cash performance.

Improved cash management can boost a business's resilience and guide it through bad times. Recognizing the importance of cash flow is crucial, but many businesses consider it an afterthought. Companies with above-average working capital management tend to bounce back faster from setbacks and preserve shareholder capital better. Cash management is equally important for service sector firms, but the considerations are different.

To bring about sustainable changes, a cash leadership office should be formed, focusing on both cash position and growth. This ensures that the entire management team is on the same page and can advise the business on trade-offs or compromises.


Saturday, September 21, 2024

 Given the positions of the clock hands at different points in time as pairs A[i][0] and A[i][1], where the order of the hands does not matter but only the angle they enclose, count the number of pairs of time points whose enclosed angles are the same.

    import java.util.Arrays;

    // Enclosed angle for each time point: hand order does not matter, so take
    // the absolute difference of the two hand positions.
    public static int[] getClockHandsDelta(int[][] A) {
        int[] angles = new int[A.length];
        for (int i = 0; i < A.length; i++) {
            angles[i] = Math.max(A[i][0], A[i][1]) - Math.min(A[i][0], A[i][1]);
        }
        return angles;
    }

    // n choose k, computed multiplicatively so intermediate values stay far
    // smaller than n! (the factorial form overflows int for n > 12).
    public static int NChooseK(int n, int k) {
        if (k < 0 || k > n || n == 0) return 0;
        if (k == 0 || k == n) return 1;
        k = Math.min(k, n - k);
        long result = 1;
        for (int i = 1; i <= k; i++) {
            result = result * (n - k + i) / i;   // exact: result is C(n-k+i, i)
        }
        return (int) result;
    }

    // Sort the angles so equal values are adjacent, then add C(run, 2) for each
    // run of identical angles: every unordered pair within a run is a match.
    public static int countPairsWithIdenticalAnglesDelta(int[] angles) {
        int[] sorted = angles.clone();       // do not reorder the caller's array
        Arrays.sort(sorted);
        int count = 1;                       // length of the current run
        int result = 0;
        for (int i = 1; i < sorted.length; i++) {
            if (sorted[i] == sorted[i - 1]) {
                count += 1;
            } else {
                result += NChooseK(count, 2);
                count = 1;
            }
        }
        if (sorted.length > 0) {
            result += NChooseK(count, 2);    // close the final run
        }
        return result;
    }


        int[][] A = new int[5][2];
        A[0][0] = 1;    A[0][1] = 2;
        A[1][0] = 2;    A[1][1] = 4;
        A[2][0] = 4;    A[2][1] = 3;
        A[3][0] = 2;    A[3][1] = 3;
        A[4][0] = 1;    A[4][1] = 3;

    1 2 1 1 2    // angles
    1 1 1 2 2    // sorted angles
    4            // result