[#52] Finishing Out Our Freshman Year!
One year in, one week at a time…
Fifty-two weeks ago,
launched the first issue of this newsletter to catalyze a community around Authorization, by spotlighting emerging new technologies for managing access, permissions, and policies using new languages like Cedar, Rego, Alfa, and others.A free weekly “Clipping Service” of industry headlines was conceived as the first step towards organizing an in-person conference, sponsored by both startups and public companies. To that end, we’ve also hosted almost-quarterly meetups for subscribers at existing events that also attract AuthZ aficionados, including IIW, Identiverse, and IETF (…and that’s just the I’s!)
The eagle-eyed might notice the debut was November 4, 2023 — but there wasn’t any issue at all last Monday, on November 4, 2024. (Volunteers, sheesh… amirite?) Yes, there was the small matter of Election Day in America, but in case you didn’t (or couldn’t) vote last week, though, there’s still have two days to weigh in on the AuthZEN Authorization Activity for OpenID Foundation members.
Yesterday was also Veteran’s Day in the United States, but instead of a day off, it became a double-issue — stay tuned for a survey on making a second year more sustainable! First, though, from the fortnight past, here are all the links authorized to click!
Recent Events
Relationship-Based Access Control (ReBAC) Best Practices | Permit.io was recorded on November 6, 2024 with Pauline Jamin, an engineering leader at Agicap, a French fintech.
Cedar to the rescue for access control | Cup o’Go was recorded on November 1, 2024 with Justin McCarthy, CTO and Co-founder of StrongDM, who also covered it at AWS re:Inforce 2024 and will again at AWS re:Invent 2024, on December 4, 2024 in Las Vegas.
Amazon’s Cedar Open Source Strategy | Gluu was also the talk of today’s Identerati Office Hours with AWS’ Julian Lovelock (PM) and Ricardo Sueiras (DevRel); see IOH Wiki.
Putting the four components of modern identity to work | SGNL reported on Ian Glazer’s talk at Authenticate on October 14, 2024 in Carlsbad, CA, based on his Enterprise Patterns for Modern IAM blog posts for Weave Identity that ensure IAM services are:
Fully contextually aware;
Humanless and real-time reactive;
Augmenting functionality, not replacing it;
Standards assumptive;
Adaptable and open to change.
Innovative IAM Strategies | SC Media was held on Nov 7, 2024 by Carlota Sage (Founder, Pocket CISO) with Dustin Sachs (CTO, CyberRisk Collaborative) with “war stories” as chilling yet mundane as “keeping terminated employee accounts dormant, you know, for continuity and recovery purposes…” Black hat hacker “Justin Case” strikes again!
Upcoming Events
War Stories On The Path To Least Privilege | SC Media on November 13, 2024 will discuss “Some of the biggest breaches this year—Snowflake, Dell, UnitedHealth” with Umaimah Khan (CEO, Opal Security), Gary Belvin (GDB Security), and Adrian Sanabria (The Defenders Initiative).
Zero Trust Summit | CSA runs from November 20-21, 2024 and will feature CISOs of the University of Texas, the Defense Department, and the United Nations. The complete agenda also includes Dynamic Defense: Context-Based Access Control and Zero Trust by Shruti Kulkarni, a Research Fellow at CSA.
re:Invent 2024: A comprehensive guide to security sessions | AWS spotlights some AuthZ:
A least privilege journey made easier by IAM Access Analyzer | SEC325
API Authorization with Amazon Cognito and Verified Permissions | SEC202
Persona-based access to data for generative AI applications | SEC310
Add in a few more AuthZ-adjacent talks we’re also excited about:
Designing complex authorization systems with Cedar | Jeff Lombardo, AWS | OPN-404
Customer insights on application authorization | Julian Lovelock, AWS | SEC-346
Securing 50 million requests per month with AWS-based authorization | Daniel Aniszkiewicz, Algoteque | DEV318
Why the future of enterprise AI requires agentic reasoning | Bhavin Shah, Moveworks | AIM337-S
(Curiously, no sessions on Using Amazon Detective for IAM investigations | AWS, with a tip o’ the hat to CloudSecList).
Tutorials & Case Studies
Building Permission-Aware Enterprise Chatbots | Aserto describes how to integrate Topaz with a vector database (Pinecone) so a chatbot isn’t so chatty it leaks secrets — by ensuring Retrieval-Augmented Generation (RAG) is also Retrieval-Authorized (video).
Access control for Retrieval Augmented Generation (RAG) and LLMs | Cerbos CPO Alex Olivier has a similar topic on November 20, 2024. They’re also blogging about Why Granular, Scalable Control Is a Must for Every CTO and just published an e-book on the Top 10 Challenges from Monolith to Microservices based on lessons learned at Uber, Spotify, and Netflix.
End-to-End Example | Permify walks developers through a Github-like challenge with a ReBAC approach to granting admins and users different levels access to an org’s repos.
Death and the Digital Estate | OpenID from Eve Maler’s video introducing DADE.
Quick (Screen)Shots
See you soon with a second part of this double issue, which is all about AI — Authorization Intelligence!