With any transformative technical discipline like the cloud, there will be a wide range of maturity levels across industries and companies. Spending the past 5 years advocating for Zero Trust, I’ve become mindful of the journey, aiming to plot a maturity curve that is both reasonable and feasible. A line I used to say often was that, “if BeyondCorp is the peak of Mt. Everest, let’s first get you to Base Camp.”
Cloud IAM is a tricky discipline to plot as such. Historically, only the largest companies have a dedicated IAM program, and when they do, it’s primarily focused on core human identity use cases. This has been a big part of my world since joining Okta 3 years ago.
With infrastructure, IAM is both an authentication service and a configuration service. The auth elements of IAM might fall under the purview of a traditional IAM program if one exists, but what about the config elements? It’s rarely the same people responsible, and it’s a different use case than human auth, so it often falls into different hands.
This is where wires can easily get crossed. From a pure auth perspective, one could easily think that hooking up your corporate Identity Provider to AWS SSO is the peak of Mt. Everest – strong authentication, fine-grained authorization, pretty nice. But is that the peak? It’s not when you factor in the config – IAM isn’t just the service that lets people log in and do things, it’s the service that touches everything – all of the people, data, resources, services, and workloads.
Something I’ve been giving a lot of thought to, and have been learning a lot from conversations with people, is plotting a maturity curve for IAM configs – one that is both reasonable and feasible. What is the peak of Mt. Everest, and what is Base Camp? It would be too simple to just declare “least privilege” as the peak and call it a day. I prefer to say “right sized” – and that could be different for every company, person, workload, etc.
As I continue to do my research, I would love to hear your perspective on this topic – feel free to reply with your thoughts or hit me up on social.