
IAM Pulse Check #9 - Journey In Satchidananda

By Ivan Dwyer • Issue #9
Hey folks,
With any transformative technical discipline like the cloud, there will be a wide range of maturity levels across industries and companies. Spending the past 5 years advocating for Zero Trust, I’ve become mindful of the journey, aiming to plot a maturity curve that is both reasonable and feasible. A line I used to say often was, “if BeyondCorp is the peak of Mt. Everest, let’s first get you to Base Camp.”
Cloud IAM is a tricky discipline to plot as such. Historically, only the largest companies have a dedicated IAM program, and when they do, it’s primarily focused on core human identity use cases. This has been a big part of my world since joining Okta 3 years ago.
With infrastructure, IAM is both an authentication service and a configuration service. The auth elements of IAM might fall under the purview of a traditional IAM program if one such exists, but what about the config elements? It’s rarely the same people responsible, and it’s a different use case than human auth, so it often falls in different hands.
This is where wires can easily get crossed. From a pure auth perspective, one could easily think that hooking up your corporate Identity Provider to AWS SSO is the peak of Mt. Everest – strong authentication, fine-grained authorization, pretty nice. But is that the peak? It’s not when you factor in the config – IAM isn’t just the service that lets people log in and do things, it’s the service that touches everything – all of the people, data, resources, services, and workloads.
Something I’ve been giving a lot of thought to, and have been learning a lot from conversations with people, is plotting a maturity curve for IAM configs – one that is both reasonable and feasible. What is the peak of Mt. Everest, and what is Base Camp? It would be too simple to just declare “least privilege” as the peak and call it a day. I prefer to say “right sized” – and that could be different for every company, person, workload, etc.
As I continue to do my research, I would love to hear your perspective on this topic – feel free to reply with your thoughts or hit me up on social.

PS - on the surface, this Tweet might sound counter to our mission to uplevel the IAM discipline, but in many ways I agree – you can have working auth and config without IAM users (for the most part, at least). I’m here for this future!
Aidan W Steele
I think there's no need for AWS IAM users today. So I made a PoC to "prove" it. First, here are the general use cases for creds:

* AWS SSO works great for humans 👍
* Roles work fine inside AWS 👍
* Federation works fine from other clouds 👍
* Raspberry Pi in your closet ❓
IAM checking these out...
IAM listening to this...
From the depths of my personal collection
Ivan Dwyer

Quick bite commentary and curation to help wrangle the complexities of cloud operations & security. Also puns and tunes.
