A Spooky Soirée for Subscribers…

A year in, it’s time for our fourth meetup, in Mountain View

Happy Diwaloween! For those who celebrate, it’s a special night to light up the darkening skies of oncoming winter (…at least in the Northern Hemisphere). For the 775 authorization nerds who subscriber, it’s also time to celebrate our own first birthday at the Computer History Museum, tonight at 4PM!

Cover art from Simson Garfinkel’s scary tales of Spooky Data at a Distance — pre-order his Differential Privacy from MIT Press today!

Our agenda includes discussing how to make this community newsletter sustainable for a second year,

1. The Laws of Authorization: Aserto co-founder reprises an IIW talk on “Modern AuthZ”

2. Authorization, from A to Z: Learnings from the first year of this newsletter

3. Secret Agent IAM: If we block all the bots, how are we supposed to authorize the agents?

Treats! — Product & Standard News

Cedar access control for Kubernetes — In a surprise pre-Invent treat, AWS Principal Engineer Micah Hausler announced Cedar-native support for k8s: see Github and LI.

GNAP published at IETF — Uberether celebrated the publication of RFC9635, the Grant Negotiation and Authorization Protocol (GNAP)

AWS phishing protection — Granted now mitigates device auth phishing | Common Fate with a new browser extension that makes authenticating to AWS IAM Identity Center faster and more secure.

Continuous security matters — A Roadmap to Continuous Identity Security | SGNL opens “With most hackers logging in (not breaking in), your access posture is your security posture” so authorization checks have to happen more often that only at login time.

Tricks! — Cloud Security Threats

IAM can be indecipherable — Exploiting a Missing S3 Bucket Allowed Account Takeover | Aqua Security — Amazon later confirmed that approximately 1% of AWS CDK users may be at risk by manually deleting artifacts. Complexity in Cloud AuthZ creating implicit vulnerabilities (again!)

AI needs Authorized Invocation —  Security research on Private Cloud Compute | Apple — A deep dive into the state-of-the-art for a “combination of reproducible builds, remote attestation and transparency logging” … although as another HN commenter notes, “Apple is doing everything right except that the root of trust for everything is Apple itself”

Simulations aren’t sufficient — Developing FediTest: a journey with surprises | Johannes Ernst — A detailed recap of how hard it is to test authorized user data flows across the Internet, as when certifying how to connect Mastodon instances to “Meta’s ActivityPub implementation in Threads … that requires HTTPS requests in both directions!” Meet more of that community at FediForum.org.

Parties! — Recent & Upcoming Events

How to improve the security, scalability and intelligence of your access control | IndyKite, will be a webinar on November 6, 2024 at 7AM (Pacific) about deploying state-of-the AuthZ “on top of your existing IAM implementations (including ForgeRock, Ping Identity, Okta, Auth0, Microsoft Entra, AWS, Sailpoint and similar solutions).”

Designing complex authorization systems with Cedar | AWS will be an off-the-record in-person chalk talk at re:Invent in Las Vegas on December 3, 2024. Come discuss an “authorization policy language used by Permit.io, StrongDM, CyberArk, Gluu and others.”

Wiz explains turning down Google | TechCrunch Disrupt 2024 was where co-founder described “the toughest decision ever” to pass on an offer at double their valuation.  

Identibeer SF and IIW39

For only $23B less, dozens of Bay Area pioneers inaugurated a new branch of the international identity inebriation initiative at Identibeer SF for free. A participant at an IAM Demo Day | EDUCAUSE from Cirrus Identity recalled their VP of Engineering Mary McKee recently recorded An Obsession with Authorization from the Past, Present, and Future | IDPRO.

Inhumanity! — A Haunted Cyber60

Finally, some news from the astral plane beyond human identification — the NHI wave is growing into a tsunami that’s flooding the early-stage honorees of Fortune Magazine (archived) & Lightspeed Ventures’ 2025 Cyber60 list of the “most important venture-backed startups” (methodology) included Andromeda, Clutch, Linx, Oasis, p0, and probably Straiker (still in stealth, although hints on LI suggest NHI, too).

Other findings from their CISO research report with Wakefield Research:

1. Security spending continues to accelerate ahead of IT generally, at an 11.7% CAGR through 2028, according to Gartner

2. Consolidation remains a top priority, named by half of CISOs surveyed

3. Attacks keep getting more complicated… “AI-powered solutions have become a key part of every CISOs toolkit, but also represent new vectors of attack.”

Indeed, it’s such a crazy pace of change that AKA Identity cofounder William Lin recently noted how “incumbent, next-gen & next-next-gen all exist at the same time” now.

Horrors! — Scary Movies

A bonus for our movie buffs: Fortune’s Cyber60 coverage anchored on Labyrinth, from George Lucas and Jim Henson & starring David Bowie as The Goblin King… with his barely-SFW sock puppet :)