Demystifying Access Control in the Modern Data Warehouse

Monday, September 11, 2023 - 10:10 am to 10:25 am

Viraj Thakur, Cruise

Abstract: 

Access control in the modern data warehouse is dizzyingly complex. Nested groups, inherited roles, and legacy permission models are just a few of the challenges we encountered at Cruise during our efforts to demystify cloud Identity and Access Management (IAM) in BigQuery. Access to read data is provisioned across many different roles and groups, in cloud service consoles and IaaS tools, with no universal source of truth. We built an internal tool, xray, to answer two questions:

  1. Who has read access to a given BigQuery resource?
  2. How are they getting this access (from what role and group)?

We have leveraged this tool to remediate overprovisioned access and enforce our need-based access policies for sensitive data. This talk will present the need for a software solution to audit cloud IAM, discuss the technical specifications of our solution, and provide examples of how we use xray to mitigate privacy risk at Cruise.
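The two questions above can be illustrated with a small resolver. This is an added example, not xray's code or Cruise's data. The resource names, groups, bindings and the READ_ROLES subset are constructed assumptions. It walks a dataset's ancestors, keeps bindings whose role grants read, and expands nested groups (cycle included) to record the path each user's access comes from.

```python
from collections import deque

# Constructed sample data (assumption): not Cruise's policies or xray's schema.
# Illustrative, non-exhaustive subset of predefined roles that allow reading table data.
READ_ROLES = {"roles/bigquery.dataViewer", "roles/bigquery.dataEditor",
              "roles/bigquery.dataOwner", "roles/bigquery.admin"}
PARENT = {"dataset:rides": "project:analytics", "project:analytics": "org:example"}
BINDINGS = {  # resource -> [(role, member)]
    "org:example": [("roles/bigquery.admin", "group:data-platform")],
    "project:analytics": [("roles/bigquery.dataViewer", "group:analysts"),
                          ("roles/bigquery.jobUser", "group:everyone")],
    "dataset:rides": [("roles/bigquery.dataViewer", "user:dana")],
}
GROUPS = {  # group -> direct members (users or nested groups)
    "group:analysts": ["user:ana", "group:contractors"],
    "group:contractors": ["user:cy", "group:analysts"],  # deliberate cycle
    "group:data-platform": ["user:dana"],
    "group:everyone": ["user:ana", "user:cy", "user:dana", "user:eve"],
}

def expand(member):
    """Yield (user, group_chain) for each user reachable from one binding member.
    Breadth-first, so the shortest chain is reported; `seen` stops group cycles."""
    queue, seen = deque([(member, ())]), set()
    while queue:
        node, chain = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        if node.startswith("group:"):
            for child in GROUPS.get(node, []):
                queue.append((child, chain + (node,)))
        else:
            yield node, chain

def who_can_read(resource):
    """Return {user: [(granted_on, role, group_chain), ...]} for one resource,
    including bindings inherited from every ancestor in the hierarchy."""
    access, level = {}, resource
    while level:
        for role, member in BINDINGS.get(level, []):
            if role in READ_ROLES:
                for user, chain in expand(member):
                    access.setdefault(user, []).append((level, role, chain))
        level = PARENT.get(level)
    return access

if __name__ == "__main__":
    for user, paths in sorted(who_can_read("dataset:rides").items()):
        print(user, paths)
```

A user with more than one path, such as a direct dataset grant plus an inherited org-level role, is the overprovisioning case an audit would flag for review.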

Viraj Thakur, Cruise

Viraj Thakur is a senior software engineer on the Privacy Infrastructure team at Cruise. Viraj builds tools and services to enable privacy and data protection as Cruise scales. His past projects include Cruise's in-house data map, access control management and enforcement, and Cruise's DSAR workflow.

BibTeX
@conference {290869,
author = {Viraj Thakur},
title = {Demystifying Access Control in the Modern Data Warehouse},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = sep
}
