View profile

IAM Pulse Check #2 - Spread Love

IAM Pulse Check
IAM Pulse Check #2 - Spread Love
By Ivan Dwyer • Issue #2 • View online
Hey folks,
It was quite the week in InfoSec land between the disclosures from Azure and TravisCI, with far reaching impact across cloud environments. Throw in the Apple 0day, and you have yourself the Security Olympics.
But unlike NBCs botched Olympic coverage, there was an event this week that was executed to pure perfection. And it wasn’t put on by a mega conglomerate, but rather a small group of dedicated volunteers.
I’m talking about the fwd:cloudsec conference that took place in Salt Lake City on Monday and Tuesday. I had originally planned to be there in person with our team to introduce our new project, IAM Pulse, however we decided to stay back and keep our support remote. Thankfully, the event was hybrid, with all talks streamed virtually.
What an incredible and action packed 2 days of highly technical, focused talks. No fluff here, just pure depth and expertise. Our team hit the livestream with some commentary, so for this week’s newsletter, I’ll share a few highlights. You’ll be able to replay all of the talks shortly, so give a follow to @fwdcloudsec to stay up-to-date.
Cheers,
Ivan

IAM checking these out...
Rich Mogull of Securosis and DisruptOps kicked things off with an incredible keynote. I’ve always admired Rich for his technical depth, but also his humility and understanding of the challenges people face. As he often does, he landed a quote that would make an incredible tagline: “Every cloud failure is an IAM failure. Every IAM failure is a governance failure”. Truth.
IAM Pulse
These are great examples of improving an IAM policy workflow! Thank you @JaredNaude https://t.co/zSDglBzj59
The constant struggle between security and productivity comes up with IAM all too often – too permissive and you open yourself up to risk, too restrictive and you end up with cross-functional, back and forth arguments. Getting to that sweet spot really is the holy grail, so I always love seeing teams put in the effort where it matters. This is a great before/after picture from Jared Naude from Synthesis.
IAM Pulse
@fwdcloudsec Really helpful to hear Saurabh highlighting issues of maintaining policies/security controls and compliance across cloud providers. Cloud comics for the win. IAM impressed. https://t.co/dAgpfd5Lwo
I really enjoyed this talk from Saurabh Wadhwa of Uptycs, which covered a number of open source tools for observing resources and environments. I’m especially interested in cloudquery, which brings a nice SQL interface to your infrastructure. There’s been some healthy debate in this area this week – some like the familiarity, others are cautious of the abstraction model. Wherever you land on the spectrum, I think we can agree – observability is a good thing!
IAM Pulse
@fwdcloudsec Dynamic inventory for dynamic cloud environments ✅ https://t.co/WTYlNPIymU
It’s slides like this that get me to jump out of my chair and proclaim, “yes!” Everything is different in the cloud – elastic resources constantly spinning up and down mean you can’t simply apply legacy inventory-driven approaches to security, especially when they involve long request/approval workflows. Dynamic environments need dynamic controls to match. Great stuff in this session from Yoav Nathaniel of Goldman Sachs.
IAM Pulse
Ian deserves 10,000 Github stars on this repo right now 🌟💫✨ https://t.co/YFM9IDb2Cq
You’d be hard pressed to find a heavier drop than Ian McKay’s session. Already well known amongst the community for his work and open source projects such as iamlive, Ian introduced iam-dataset, an open source project that maps all AWS managed policies and permissions. The repo is used to power permissions.cloud, a very clean interface that unifies and simplifies the growing number of managed policies. So tasty!
IAM Pulse
The @figmadesign security team is one to admire. We've enjoyed reading the recent Zero Trust implementations, and love seeing @okta as a key identity component here.

(Some of us were on the @ScaleFT team – we'd call that kind of private web access an Access Fabric 😉) https://t.co/znBwqRvFXn
This session from Max B of Figma was one I was keen to watch, as I had read a recent article of his about building a home grown private web access system that closely resembled Google’s BeyondCorp initiative. In a prior startup life, I was very close to that, and always appreciate seeing real world implementations. Bonus points for Okta in the mix. Nice work!
IAM Pulse
Our team had multiple perspectives on this winning slide. https://t.co/HsQToyjpaQ
The work that Kinnaird McQuade of Salesforce has done is quite incredible, but even more admirable is how willing and open he is to sharing. If you haven’t seen his open source projects, Cloudsplaining and Policy Sentry, I highly recommend checking them out. This session was great because he dug deep into Azure, an area that I’m admittedly still getting up to speed with. Keep it up Kinnaird!
IAM Pulse
@fwdcloudsec Good life rule: “Misconfigured resources should never become real resources” https://t.co/S16tVuiTCS
The work of Square’s security team over the years has always been top notch, as has their willingness to share. Back when in-person meetups were a common thing (which feels like a lifetime ago), I used to frequent the SqR00t talks at their SF HQ. This talk by Adam Cotenoff covered their workflows for automating security scans across Terraform. That quote truly is a good life rule!
The IAM Pulse virtual booth
The IAM Pulse virtual booth
While I’m sad I couldn’t have been there in person, we did manage to make the most of our virtual presence. It would have been rather fun to watch the reactions to our booth banner, though. Any takers?
IAM listening to this...
I’m not exaggerating – there really was something special about how this event came together, the quality of the content, and the engagement from the community. As our IAM Pulse team embarks on our own journey, being good community stewards really matters to us. So with that, I want to share an album close to my heart to spread the love.
From the depths of my personal collection
From the depths of my personal collection
Did you enjoy this issue?
Ivan Dwyer

Quick bite commentary and curation to help wrangle the complexities of cloud operations & security. Also puns and tunes.

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Okta Inc. 100 1st St. San Francisco, CA 94105.