Welcome to the “Authorize” clipping service, provided by volunteer authorization nerds who want more people to know about all the cool stuff that’s going on in the authorization world. Thank you to our link contributors! If you’re an authorization nerd and an IDPro member, join our discussions in the IDPro Slack #authorization channel! Want to help write this newsletter? Find Rohit Khare on LinkedIn and ask for an invite.
Happy International Identity Day! The ID Day campaign works “to underscore the fundamental importance of having verifiable proof of identity”. Decisions made on the basis of such information can affect people’s lives, so let’s get out there and do it right.
⏱️ Coming up soon
September 18: NHI FTW? If you’re in NYC midweek, you can attend The 1st Non-Human Identity Security Conference. Looks like the Non-Human Identity Management Group out of London will be in attendance.
September 18 and beyond: StrongDM’s Policypalooza is still going. Next up: “Context Is Key: Leveraging Device Trust Signals for Smarter Access Policies”.
September 26: Join David and Mark of Axiomatics for ABAC to School: The Basics of ABAC Policy Modeling, a LinkedIn Live session covering the basics of policy-driven authorization and best practices for policy authoring.
⏮️ On replay
Multi-layer authz: Where should you enforce your authorization policy? On episode 46 of Identerati Office Hours from September 10, Omri Gazitt of Aserto and Nicholas Hunt of HATsec say, “Everywhere you can!”
🧠 Things to know
Cloud security roundup: Check out the inaugural issue of a newsletter dedicated to cloud security, from the hosts of the long-running and ever-helpful Cloud Security podcast. It kicks off with key fundamentals and practices from eight leading cloud security practitioners.
S3 again: “A single missing access policy can often introduce security risks, data leaks, or other unintended consequences.” Hacking misconfigured AWS S3 buckets is your tour guide through the problem(s) and the fix(es).
EssentiaL eLeMents of security: CSA’s latest publication, Securing LLM Backed Systems: Essential Authorization Practices, gives you new best practices for an AI world and its many components.
AWS again: This pair of resources, AWS vs Azure: A “Secure by default” comparison and AWS IAM: A Comprehensive Guide Toward Least Privilege, puts you in the know. Note especially the IAM Access Analyzer info in the latter link.
Securing LinkedIn: More of a general security read, this accounting of LinkedIn’s Security Posture Platform (SPP) draws together vulnerability management and newfangled AI. Graphs are all over this thing, and no surprise.
People of ACM: Ramón Cáceres is interviewed here, recounting his seven years of experience on the Zanzibar team.
Threat juxtapositions: Trail of Bits published a security assessment comparing Cedar, Rego, and OpenFGA, on behalf of AWS.