
IAM Pulse Check #8 - Whodini

By Ivan Dwyer • Issue #8
Hey folks,
If you ask 100 people what the ultimate Halloween song is, I bet 99 would say Thriller. I’m that one hip hop nerd who’d say Freaks Come Out At Night.
As I do every year at this time, I combed through my boxes of hip hop records that don’t get much play anymore to grab that classic Whodini LP. What’s different about this year is the mental association. IAM is a lot like Whodunnit or Whocandoit. That’s right – the puns don’t stop like the party don’t stop!
As mentioned in last week’s newsletter, a lot of what makes IAM complex is the surrounding nuance and the multiple dimensions. Every individual request is deterministic, so once you have all the inputs and understand the evaluation logic, the results are always predictable.
Where it’s easy to get tripped up is in the framing once you zoom out from a request to an environment. As in, given a resource, who can access it and under what conditions? Or given a role, what can it do and who can assume it? This becomes less deterministic and more of an exercise in painstaking enumeration.
Digging into the dimensions behind the Who and the What has been insightful for our team, but where the real fun comes into play is when you get to the Why. That’s when you start to get to the heart of least privilege. Because without the Why, it wouldn’t matter that much what the right size is.
There can be different perspectives to the Why, which is a key reason that IAM is as much of a people challenge as it is a technical challenge. The Why for a developer could be, “my Lambda function needs to write to that S3 bucket, connect to that RDS instance, and pull from that SQS queue.” The Why for Security could be, “that data is tagged for PCI compliance, you can’t grant access for that service account.”
Navigating these conflicting perspectives can be hard, but a better understanding of the Why helps bring alignment where it’s needed.

Before we get to the goods, we couldn’t help ourselves with some fun Halloween trickery. I mean, who doesn’t love a good R.L. Stine reference?!
IAM Pulse
IAM feelin' spooky 👻

Caption contest for some sweet swag! Trick-or-Treat 🎃
IAM checking these out...
IAM reading from the community...
The IT Manager's Declaration for IAM | IAM Pulse
The 2 limits of Google Cloud IAM | IAM Pulse
IAM listening to this...
From the depths of my personal collection
Ivan Dwyer

Quick bite commentary and curation to help wrangle the complexities of cloud operations & security. Also puns and tunes.

Okta Inc. 100 1st St. San Francisco, CA 94105.