It’s time for RSAC, and I wonder how many attendees are aware that R, S, and A are actual people (who are all still with us!). It’s akin to sighting Whit Diffie at a Palo Alto coffeehouse, or realizing Claude Shannon himself made it into the 21st century, when you can still complete a handshake protocol IRL with Taher El-Gamal if you want to ask about mystic Elliptic Curve ‘Murmurations’ Found With AI.
When Whit and Adi are in the house, though, that means the prior weekend’s amazing, astounding, all-volunteer, anarchic assembly also known as B-Sides SF 2024 is a wrap. Blowing past any and all shades of pandemic blues, over 2500 participants gathered for 100 sessions, all right across the street from Moscone Center’s burgeoning booth builders. For swiping their dystopian tagline as our headline, we owe you our own utopian top-lines — right after we share all the news that’s authorized to clip…
StrongDM sweeps cash into their coffers
StrongDM Secures $34 Million Series C Funding to Expand into Europe and Asia, and Establish Zero Trust PAM for Enterprise Security (press release)
That brings total investment to $96M in “a next-generation PAM solution that shifts from traditional role- or attribute-based security models to one that emphasizes continuous, fine-grained, and context-aware policy enforcement.”
While SiliconANGLE described it simply as a way to “tailor who gets access, to what and when — ensuring the right people have the right access at the right time,” their CEO more dramatically blogged that “PAM Was Dead. StrongDM Just Brought it Back to Life.”
Identiverse is imminent
What happens in Vegas is of interest around the world, it seems:
Atul Tulshibagwale’s “10 Must Attend Sessions at Identiverse” | SGNL
David Brossard’s “Identiverse Authorization Talks” | Axiomatics
Stay tuned for our next AuthZ Subscriber Social, hosted by the AuthZEN monks on May 28, 2024 at Brewdog.
fwd:cloudsec is coming around the corner
While the North American installment in June is all but sold out, there are still chances to shine with submissions to the European edition of fwd:cloudsec on Sep 17, 2024. You have until Jun 28, 2024 to act on the advice in I Reviewed 180 fwd:cloudsec Submissions, These Are My Key Takeaways | Nick Jones [Apr 28, 2024]:
“If you’ve not taken the time and effort to put a solid, descriptive submission together, can we trust that you’ll bring a high quality talk to the conference?”
“If your company focuses on the space you’re presenting on […] make it clear how this submission won’t be a sales pitch for their products”
“If I can go read a blog post covering the submission […] I’d rather make space for something new.”
Over-due Diligence by Wiz
Even as Lacework keeps cranking out new features like SmartFix [May 2, 2024] to automatically patch vulnerable code, the Wiz deal to acquire Lacework collapses | Ctech [May 2, 2024].
Sticking to AuthZ, Wiz also offers assistance with AWS S3 Security Best Practices that includes a handy S3 AuthZ cheat sheet [PDF] covering bucket policies, ACLs, access points, VPCs, deletion prevention, object locks, and more.
Even if you are confident your access is correct, beware of some nasty s3urprises: How an empty S3 bucket can make your AWS bill explode | by Maciej Pocwierz [Apr 30, 2024]. Not only did he have to pay extra for other strangers’ failed writes, he also had to pay extra for the audit logs to even discover what he was being billed for!
“Elastic” authorization is my own hot take on going beyond the binary decision to grant or deny permission: a decision that also accounts for quotas, billing, and credit limits.
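The quota- and billing-aware decision this hot take describes, as an added example that is not from the newsletter; the roles, tenants and numbers are constructed, and the third “partial” outcome is an assumption about what an elastic grant could look like:

```python
# Added example (not from the newsletter): a toy "elastic" authorization
# decision that goes beyond allow/deny by also accounting for quota, billing
# and credit limit. All roles, tenants and numbers are constructed.
from dataclasses import dataclass


@dataclass
class Decision:
    effect: str      # "allow", "partial" or "deny"
    granted: int     # units actually granted (always <= requested)
    reason: str


# Constructed role permissions: role -> set of allowed actions
ROLE_PERMS = {
    "analyst": {"export:read"},
    "admin": {"export:read", "export:write"},
}

# Constructed account state: tenant -> remaining quota, unpaid balance, credit limit
ACCOUNTS = {
    "acme": {"quota_left": 120, "balance_due": 40.0, "credit_limit": 100.0},
    "globex": {"quota_left": 500, "balance_due": 150.0, "credit_limit": 100.0},
}


def elastic_decide(role: str, tenant: str, action: str, requested: int) -> Decision:
    """Decide on `requested` units of `action`, consuming quota on success."""
    # 1. The classic binary check: does the role permit the action at all?
    if action not in ROLE_PERMS.get(role, set()):
        return Decision("deny", 0, "role lacks permission")
    acct = ACCOUNTS.get(tenant)
    if acct is None:
        return Decision("deny", 0, "unknown tenant")
    # 2. Billing gate: an account over its credit limit gets nothing, even if
    #    the role would otherwise allow the action.
    if acct["balance_due"] > acct["credit_limit"]:
        return Decision("deny", 0, "credit limit exceeded")
    if acct["quota_left"] <= 0:
        return Decision("deny", 0, "quota exhausted")
    # 3. Elastic grant: hand out what quota allows, which may be less than asked.
    granted = min(requested, acct["quota_left"])
    acct["quota_left"] -= granted
    if granted < requested:
        return Decision("partial", granted, "quota caps the grant")
    return Decision("allow", granted, "within quota and credit")
```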
Passing on Passkeys?
Does this pair of articles augur that passkeys are half-full, half-empty, or half-baked?
Half of People Use Passkeys as Frustrations with Passwords Continue | FIDO Alliance on May 2, 2024
Passkeys: A Shattered Dream | Firstyear by an author of a leading library, on Apr 26, 2024
New tools
Announcing FusionAuth 1.50 - OAuth Scopes are Here [April 25, 2024]
Using Microsoft Entra External ID and Cerbos for authentication and authorization [April 4, 2024]
New Playlists
Unpacking the Current State of Authentication and Authorization with Dan Moore | The Cloud Gambit [podcast, Apr 23, 2024]
The Evolution of Authorization: How to Achieve Zero Standing Privileges | Cyber Hut [Zoom recording, Apr 30, 2024]
You can also use AI to spell Utopia…
Flipping back to B-Sides, there were several themes at the intersection of AI and AuthZ. According to one of last week’s sources, Cole Grolmus, LLMs are going to transform entire product categories in security, such as dope.security’s Neural CASB that automatically classifies risky data.
For example, BalkanID launched a Copilot for Identity Governance on May 1, 2024.
As another, Interpres presented a talk on May 4, 2024 about automatically extracting MITRE ATT&CK vectors from incident reports using LLMs.
And in a talk titled “AiIAM,” ex-Twilio engineers previewed Vapor Lock, a tool that uses LLMs to convert natural language into AWS policies.
There were other examples of automating IAMOps, including a talk from Discord about their open-source Access self-service portal.
Chime presented another case study on their own in-house temporary access solution for adapting Okta to support RBAC groups.
And as an update to last week’s Opal Security profile of CEO Umaimah Khan, “Least Privilege Posture Management” from April 30, 2024: she spoke at a Founders’ panel on the opportunity to go beyond mere compliance reviews to set policies.
Check out a much better Day 1 trip report from Ayman Elsawah’s newsletter, Last Week as a vCISO. For an amusing bonus, Maya Kaczorowski’s “Five security startup pitches” all featured LLMs to varying degrees, each with real VC commentary.
… but can a Copilot only spell Dystopia?
However, @MalwareJake snarked, “After doing some testing with a customer, I've created this handy flowchart for determining whether you should adopt Security Copilot...”
For everyone at RSAC, please send in your blurbs and trip reports for next week’s clipping service. For everyone saving their soles and staying put, please also send in your clips… good luck to all our authorization allies this week!