IAM Pulse Check #9 - Journey In Satchidananda
Plotting a feasible maturity curve for IAMRead Issue on Revue
With any transformative technical discipline like the cloud, there will be a wide range of maturity levels across industries and companies. Spending the past 5 years advocating for Zero Trust, I’ve become mindful of the journey, aiming to plot a maturity curve that is both reasonable and feasible. A line I used to say often was that, “if BeyondCorp is the peak of Mt. Everest, let’s first get you to Base Camp.”
Cloud IAM is a tricky discipline to plot as such. Historically, only the largest companies have a dedicated IAM program, and when they do, it’s primarily focused on core human identity use cases. This has been a big part of my world since joining Okta 3 years ago.
With infrastructure, IAM is both an authentication service and a configuration service. The auth elements of IAM might fall under the purview of a traditional IAM program if one such exists, but what about the config elements? It’s rarely the same people responsible, and it’s a different use case than human auth, so it often falls in different hands.
This is where wires can easily get crossed. From a pure auth perspective, one could easily think that hooking up your corporate Identity Provider to AWS SSO is the peak of Mt. Everest – strong authentication, fine-grained authorization, pretty nice. But is that the peak? It’s not when you factor in the config – IAM isn’t just the service that lets people login and do things, it’s the service that touches everything – all of the people, data, resources, services, and workloads.
Something I’ve been giving a lot of thought to, and have been learning a lot from conversations with people, is plotting a maturity curve for IAM configs – one that is both reasonable and feasible. What is the peak of Mt. Everest, and what is Base Camp? It would be too simple to just declare “least privilege” as the peak and call it a day. I prefer to say “right sized” – and that could be different for every company, person, workload, etc.
As I continue to do my research, I would love to hear your perspective on this topic – feel free to reply with your thoughts or hit me up on social.
IAM checking these out...
There’s been great research on various privilege escalation methods on AWS from the teams at RhinoSecurity and Bishop Fox. Here, Nick Frichette, maintainer of Hacking the Cloud, brings it all together in a nice, reference-able manner.
Quickly becoming a top reference site for anyone trying to wrap their head around all the actions that one can perform within AWS IAM policies, Ian McKay’s permissions.cloud got a fresh update this week, adding a custom policy evaluator and resource & credential exposure tags. Keep up the good work!
New to Google Cloud, but certainly not new to the cloud community is Forrest Brazeal, who quickly jumped into his new role to share his technical findings in the fun and helpful way that he’s been known for. This article provides an excellent overview of how GCP handles IAM, and how it differs from that of AWS.
IAM listening to this...
Alice Coltrane Featuring Pharoah Sanders – Journey In Satchidananda (1971, Gatefold, Vinyl) - Discogs
Another Impulse Records release to highlight, this time from the great Alice Coltrane. The spiritual and groovy harp player had a few outstanding releases on Impulse from 1968 - 1972, after her husband John passed away. There was no question about her abilities as a solo artist, and she firmly established herself as a leader. While John was known for his aggressive sounds, Alice was more fluid, with lush strings and cosmic orchestras. This album is tops for me, and features the great Pharoah Sanders on sax. The title track alone is worth the price of admission and then some – the bass lines groove like no other, and only continues to progress as the strings and horns come in. A true spiritual jazz masterpiece, and one that represents a journey in more than name.
Get the IAM Pulse Check Newsletter
We send out a periodic newsletter full of tips & tricks, contributions from the community, commentary on the industry, relevant social posts, and more.
Checkout past issues for a sampling of the goods.